Description
Describe the feature
AccessEntry is the new mechanism to specify EKS API access, avoiding the previous cyclic nature of having to edit the aws-auth configmap.
There are two ways to grant permissions via AccessEntry.
- AccessPolicies, pre-defined roles that need not exist inside the cluster
- Specifying group names that can then be used in regular RoleBindings and ClusterRoleBindings.
The L2 AccessEntry construct added in #30016 only supports the first of these.
While the AccessPolicies are an easy way to add permissions without needing access to the cluster API, it is not possible to define custom ones for more fine-grained permission control. For that, we need to be able to set the group names and use those in the regular Kubernetes RBAC system.
Use Case
To grant custom Kubernetes roles to an IAM User or Role.
Proposed Solution
Add a "kubernetesGroups" parameter to the AccessEntry construct. Also, the "accessPolicies" parameter should be optional to allow specifying an AccessEntry that only uses the group mapping.
A variant of the "grantAccess" method on the cluster that accepts group names would also be useful.
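As an added illustration of the proposed shape (this is example code, not code from aws-cdk or from this request), the snippet below models an AccessEntry whose accessPolicies is optional and which carries a new kubernetesGroups list, synthesizes the CloudFormation AWS::EKS::AccessEntry properties such a construct would emit, and builds the cluster-side RoleBinding that turns the group name into real permissions. Property names follow the CloudFormation resource; the cluster name, principal ARN, role and group names are constructed sample values, and the guard rejecting names with the system: prefix is an assumption added here rather than anything this request specifies. It runs without aws-cdk-lib.

```typescript
// Added example: models the two AccessEntry grant shapes discussed in this
// request and synthesizes what an L1 AWS::EKS::AccessEntry would contain.

type AccessScope =
  | { type: 'cluster' }
  | { type: 'namespace'; namespaces: string[] };

interface AccessPolicyRef {
  policyArn: string; // e.g. arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy
  accessScope: AccessScope;
}

// Proposed props: accessPolicies becomes optional, kubernetesGroups is new.
interface AccessEntryProps {
  clusterName: string;
  principalArn: string;
  accessPolicies?: AccessPolicyRef[];
  kubernetesGroups?: string[];
}

interface CfnResource {
  Type: string;
  Properties: Record<string, unknown>;
}

// Builds the CloudFormation resource an AccessEntry with these props maps to.
// Rejects an entry that grants nothing, so a misconfigured construct fails at
// synth time rather than silently creating a no-op access entry.
function synthAccessEntry(props: AccessEntryProps): CfnResource {
  const policies = props.accessPolicies ?? [];
  const groups = props.kubernetesGroups ?? [];
  if (policies.length === 0 && groups.length === 0) {
    throw new Error('AccessEntry grants nothing: set accessPolicies and/or kubernetesGroups');
  }
  for (const g of groups) {
    // Assumption: EKS reserves the system: prefix for groups it assigns itself.
    if (g.startsWith('system:')) {
      throw new Error(`kubernetesGroups entry "${g}" uses the reserved system: prefix`);
    }
  }
  const properties: Record<string, unknown> = {
    ClusterName: props.clusterName,
    PrincipalArn: props.principalArn,
    Type: 'STANDARD',
  };
  if (policies.length > 0) {
    properties.AccessPolicies = policies.map((p) => ({
      PolicyArn: p.policyArn,
      AccessScope:
        p.accessScope.type === 'cluster'
          ? { Type: 'cluster' }
          : { Type: 'namespace', Namespaces: p.accessScope.namespaces },
    }));
  }
  if (groups.length > 0) {
    properties.KubernetesGroups = groups;
  }
  return { Type: 'AWS::EKS::AccessEntry', Properties: properties };
}

// The cluster-side half of a group-based grant: a namespaced RoleBinding that
// binds the group named in the access entry to a custom Role. This is what a
// cluster.addManifest(...) call would carry; it keeps the grant scoped to one
// namespace and one Role instead of a cluster-wide pre-defined policy.
function roleBindingForGroup(namespace: string, roleName: string, group: string) {
  return {
    apiVersion: 'rbac.authorization.k8s.io/v1',
    kind: 'RoleBinding',
    metadata: { name: `${roleName}-${group}`, namespace },
    subjects: [{ kind: 'Group', name: group, apiGroup: 'rbac.authorization.k8s.io' }],
    roleRef: { kind: 'Role', name: roleName, apiGroup: 'rbac.authorization.k8s.io' },
  };
}

// Constructed sample values: a group-only entry (the case the L2 cannot express today)
// and the binding that gives that group its permissions.
const groupOnlyEntry = synthAccessEntry({
  clusterName: 'example-cluster',
  principalArn: 'arn:aws:iam::123456789012:role/deploy-role',
  kubernetesGroups: ['team-a-deployers'],
});
const teamABinding = roleBindingForGroup('team-a', 'deployments-editor', 'team-a-deployers');

console.log(JSON.stringify(groupOnlyEntry, null, 2));
console.log(JSON.stringify(teamABinding, null, 2));
```

The synthesized resource has KubernetesGroups set and no AccessPolicies key at all, which is the combination the current L2 construct cannot express; the RoleBinding is the piece that actually grants anything, so auditing who can do what in the namespace still comes down to the Role it references.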
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
CDK version used
2.146.0
Environment details (OS name and version, etc.)
all