aws / aws-eks-best-practices

A best practices guide for day 2 operations, including operational excellence, security, reliability, performance efficiency, and cost optimization.
https://aws.github.io/aws-eks-best-practices/

Update aws-auth configmap documentation #463

Open joebowbeer opened 7 months ago

joebowbeer commented 7 months ago

Describe the problem

The aws-auth configmap documentation needs an update, now that the Cluster Access Manager API has been added and is the preferred way to manage access of AWS IAM principals to Amazon EKS clusters.

Content to update:

The new Cluster Access Manager is mentioned in iam.md but there is a lot of old and possibly obsolete information preceding it. Suggestion: Move the aws-auth paragraph to the bottom and add a disclaimer.

The User Guide can also use an update. A lot of docs point to the following, which is now essentially obsolete:

https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html#aws-auth-configmap

Users should be directed to the following instead?

https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

References

rodrigobersa commented 7 months ago

Hi @joebowbeer!

We are working on updating the Control Plane and Detective sections with content regarding Cluster Access Manager.

For the IAM section, since the aws-auth is not discontinued yet, we need to keep the documentation for it. As soon as it is not supported anymore, we can remove it. Same for the official Docs.

joebowbeer commented 7 months ago

@rodrigobersa good to hear.

Here are some basic corrections to IAM docs in their current form:

https://github.com/aws/aws-eks-best-practices/pull/464

rodrigobersa commented 7 months ago

That's nice! Thanks for bringing those up @joebowbeer!

joebowbeer commented 1 month ago

@rodrigobersa I think some of the above has been addressed. (Cool!)

Remaining content to update:

These pages only mention aws-auth, e.g.,

https://github.com/aws/aws-eks-best-practices/blob/master/content/reliability/docs/controlplane.md#cluster-authentication

The detective page mentions logging changes to aws-auth and does not include instructions for logging changes to access entries, which I assume would be advisable.

New: I recommend mentioning mkat as a way to verify that IMDSv2 is not accessible from pods.
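As an added illustration of the detective control raised in the last comment (logging changes to access entries), the following script is not part of this issue or of the EKS best practices guide: it scans a CloudTrail export and reports every EKS API call that alters an access entry or its policy associations. The watched event names, the `requestParameters` field names (`name`, `principalArn`, `policyArn`) and the sample records are my assumptions; verify them against the EKS API reference and your own trail before relying on them.

```python
import json

# EKS API calls that alter cluster access via access entries. Assumption: this is the
# set a detective control should alert on; cross-check against the EKS API reference.
ACCESS_ENTRY_EVENTS = {
    "CreateAccessEntry", "UpdateAccessEntry", "DeleteAccessEntry",
    "AssociateAccessPolicy", "DisassociateAccessPolicy",
}

# Constructed sample CloudTrail export (not real logs). Assumes the cluster name arrives
# as requestParameters.name and the granted IAM principal as requestParameters.principalArn.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DescribeCluster",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ReadOnly"},
     "requestParameters": {"name": "prod"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "CreateAccessEntry",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "prod",
                           "principalArn": "arn:aws:iam::111122223333:role/Deployer"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "AssociateAccessPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "prod",
                           "principalArn": "arn:aws:iam::111122223333:role/Deployer",
                           "policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"}},
]})


def access_entry_changes(trail_json):
    """Return one finding per EKS access-entry mutation found in a CloudTrail export."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        # Only EKS control-plane calls in the watch list count; reads and other services are skipped.
        if rec.get("eventSource") != "eks.amazonaws.com":
            continue
        if rec.get("eventName") not in ACCESS_ENTRY_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "cluster": params.get("name"),
            "principal": params.get("principalArn"),
            "policy": params.get("policyArn"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
        })
    return findings
```

Each finding names who granted access to whom on which cluster, which is the information a reviewer of aws-auth edits already gets from Kubernetes audit logs and would want to keep once access entries replace the configmap.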