feat(eks): support AccessConfig for the Cluster construct

aws-quickstart / cdk-eks-blueprints

AWS Quick Start Team

Apache License 2.0

446 stars 198 forks source link

feat(eks): support AccessConfig for the Cluster construct #1027

Open vumdao opened 2 months ago

vumdao commented 2 months ago

Describe the feature

Provide option for Amazon EKS access management controls.

The AuthenticationMode supports CONFIG_MAP, which is the default, API_AND_CONFIG_MAP and CONFIG_MAP. It allows users to switch the mode on cluster creation or update. When the mode has API support, users have to define the AccessEntry to map the access policies and the IAM principals

Furthermore, provide option to support create AccessEntry either

Ref: https://github.com/aws/aws-cdk/pull/30016

Use Case

Provide option for selecting AuthenticationMode and create AccessEntry

Proposed Solution

No response

Other Information

No response

Acknowledgements

[X] I may be able to implement this feature request

CDK version used

2.147.0

EKS Blueprints Version

1.14.1

Node.js Version

v22.1.0

Environment details (OS name and version, etc.)

macOS Sonoma 14.5

cristianmagana commented 1 month ago

+1 also interested in migrating to access entries.

neoakris commented 1 month ago

Note: Half of the work to do this seems to have been done already :)

The "AuthenticationMode" half looks done: (as of EKS Blueprints version 1.15.1)

import * as blueprints from '@aws-quickstart/eks-blueprints'; 
// blueprints as in blueprint_of_eks_declarative_cf_stack
import { AuthenticationMode } from 'aws-cdk-lib/aws-eks';

const baselineClusterProvider = new blueprints.GenericClusterProvider({
  tags: baselineEKSTags,
  outputConfigCommand: true,
  authenticationMode: AuthenticationMode.API_AND_CONFIG_MAP,
...

The "AccessConfig" 2nd half, looks to be WIP: My understanding is that it currently AccessConfig doesn't exist as a well integrated turn key solution in eks-blueprints, (based on https://aws-quickstart.github.io/cdk-eks-blueprints/api/interfaces/clusters.GenericClusterProviderProps.html)

That said, it looks like a workaround method should exist here:
https://github.com/aws/aws-cdk/pull/30016 (I haven't figured out how to make it work yet / it might not be available on a released / stable branch of the project)

neoakris commented 1 month ago

Actually, this whole feature seems to be available in eks-cdk-blueprints v1.15.1, :) just not yet documented. (wait technically it doesn't exist in Cluster construct, but it seems to be available via a different construct/methodology.)

I checked the Github release notes from aws-cdk, release 2.146.0 says it supports access config cdk-eks-blueprints is based on aws-cdk v2.147.3
Here's the closest thing we have to example docs (they're pretty decent)
- https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.AccessEntry.html
- https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.AccessPolicy.html
It was a little confusing because the feature is called "AccessConfig" in some places, but the implementation details of how to implement AccessConfig don't use that name, but instead use AccessEntry & AccessPolicy.

RichardoC commented 1 month ago

I'm also interested in this existing