mirror of
https://github.com/gravitational/teleport
synced 2024-10-18 16:24:03 +00:00
06c735490b
* Bootstrap kubernetes RBACs when running EKS auto discovery

  This PR extends the ability of `discovery_service` to self-bootstrap the required permissions for the `kubernetes_service` to dial and forward requests to the Kubernetes API on behalf of the users.

  When EKS auto-discovery was initially developed, it wasn't possible to bootstrap the required permissions without having prior access to the cluster itself. Recently, AWS released a new API to configure access to IAM identities. By default, there are just a few predefined permissions that either don't have the required permissions for `kubernetes_service` to be operational or are the equivalent of the `cluster-admin` RBAC role.

  To bypass it, `discovery_service` temporarily escalates itself to `cluster-admin` by creating an EKS `AccessEntry` and associating the policy `arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy`. Once access is granted, it creates a Kubernetes RBAC `ClusterRole` and `ClusterRoleBinding` with the minimal required permissions for `kubernetes_service` to be operational. These permissions are bound to `teleport:kube-service:eks`. Finally, it deletes the previously created `AccessEntry` and creates another for the target ARN that Kubernetes Service uses.

  Fixes #39021

  Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* handle review comments

* do not exit on failed GetCallerIdentity call

--------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* ..
* eks_token_signed.go
* utils.go
* utils_test.go