-
Notifications
You must be signed in to change notification settings - Fork 415
/
types.go
173 lines (141 loc) · 7.07 KB
/
types.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
/*
Copyright 2017 by the contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package config
type IdentityMapping struct {
IdentityARN string
// Username is the username pattern that this instances assuming this
// role will have in Kubernetes.
Username string
// Groups is a list of Kubernetes groups this role will authenticate
// as (e.g., `system:masters`). Each group name can include placeholders.
Groups []string
}
// RoleMapping is a mapping of an AWS Role ARN to a Kubernetes username and a
// list of Kubernetes groups. The username and groups are specified as templates
// that may optionally contain two template parameters:
//
// 1. "{{AccountID}}" is the 12 digit AWS ID.
// 2. "{{SessionName}}" is the role session name.
//
// The meaning of SessionName depends on the type of entity assuming the role.
// In the case of an EC2 instance role this will be the EC2 instance ID. In the
// case of a federated role it will be the federated identity (controlled by the
// federated identity provider). In the case of a role assumed directly with
// sts:AssumeRole it will be user controlled.
//
// You can use plain values without parameters to have a more static mapping.
type RoleMapping struct {
// RoleARN is the AWS Resource Name of the role. (e.g., "arn:aws:iam::000000000000:role/Foo").
RoleARN string `json:"rolearn,omitempty" yaml:"rolearn,omitempty"`
// SSO contains fields used to match Role ARNs that
// are generated for AWS SSO sessions.
SSO *SSOARNMatcher `json:"sso,omitempty" yaml:"sso,omitempty"`
// Username is the username pattern that this instances assuming this
// role will have in Kubernetes.
Username string `json:"username" yaml:"username"`
// Groups is a list of Kubernetes groups this role will authenticate
// as (e.g., `system:masters`). Each group name can include placeholders.
Groups []string `json:"groups" yaml:"groups"`
}
// UserMapping is a static mapping of a single AWS User ARN to a
// Kubernetes username and a list of Kubernetes groups
type UserMapping struct {
// UserARN is the AWS Resource Name of the user. (e.g., "arn:aws:iam::000000000000:user/Test").
UserARN string `json:"userarn" yaml:"userarn"`
// Username is the Kubernetes username this role will authenticate as (e.g., `mycorp:foo`)
Username string `json:"username" yaml:"username"`
// Groups is a list of Kubernetes groups this role will authenticate as (e.g., `system:masters`)
Groups []string `json:"groups" yaml:"groups"`
}
// SSOARNMatcher contains fields used to match Role ARNs that
// are generated for AWS SSO sessions. These SSO Role ARNs
// follow this pattern:
//
// arn:aws:iam::<ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/<SSO_REGION>/AWSReservedSSO_<SSO_PermissionSetName>_<RANDOM_STRING>
//
// These ARNs are canonicalized to look like:
//
// arn:aws:iam::<ACCOUNT_ID>:role/AWSReservedSSO_<SSO_PermissionSetName>_<RANDOM_STRING>
//
// This struct enables aws-iam-authenticator to match SSO generated Role ARNs with
// handling for their random string suffixes.
type SSOARNMatcher struct {
// PermissionSetName is the name of the SSO Permission Set that will be found
// after the "AWSReservedSSO_" string in the Role ARN.
// See: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsets.html
PermissionSetName string `json:"permissionSetName" yaml:"permissionSetName"`
// AccountID is the AWS Account ID to match in the Role ARN
AccountID string `json:"accountID" yaml:"accountID"`
// Partition is the AWS partition to match in the Role ARN. Defaults to "aws"
Partition string `json:"partition,omitempty" yaml:"partition,omitempty"`
}
// Config specifies the configuration for a aws-iam-authenticator server
type Config struct {
// PartitionID is the AWS partition tokens are valid in. See
// github.com/aws/aws-sdk-go/aws/endpoints
// endpoints.DefaultPartitions()
PartitionID string
// ClusterID is a unique-per-cluster identifier for your
// aws-iam-authenticator installation.
ClusterID string
// KubeconfigPregenerated is set to `true` when a webhook kubeconfig is
// pre-generated by running the `init` command, and therefore the
// `server` shouldn't unnecessarily re-generate a new one.
KubeconfigPregenerated bool
// HostPort is the TCP Port on which to listen for authentication checks.
HostPort int
// Hostname is the address clients should use for this server.
Hostname string
// GenerateKubeconfigPath is the output path where a generated webhook
// kubeconfig (for `--authentication-token-webhook-config-file`) will be
// stored.
GenerateKubeconfigPath string
// StateDir is the directory where generated certificates and private keys
// will be stored. You want these persisted between runs so that your API
// server webhook configuration doesn't change on restart.
StateDir string
// RoleMappings is a list of mappings from AWS IAM Role to
// Kubernetes username + groups.
RoleMappings []RoleMapping
// UserMappings is a list of mappings from AWS IAM User to
// Kubernetes username + groups.
UserMappings []UserMapping
// AutoMappedAWSAccounts is a list of AWS accounts that are allowed without an explicit user/role mapping.
// IAM ARN from these accounts automatically maps to the Kubernetes username.
AutoMappedAWSAccounts []string
// ScrubbedAWSAccounts is a list of AWS accounts that the role ARNs and uids
// are scrubbed from server log statements
ScrubbedAWSAccounts []string
// ServerEC2DescribeInstancesRoleARN is an optional AWS Resource Name for an IAM Role to be assumed
// before calling ec2:DescribeInstances to determine the private DNS of the calling kubelet (EC2 Instance).
// If nil, defaults to using the IAM Role attached to the instance where aws-iam-authenticator is
// running.
ServerEC2DescribeInstancesRoleARN string
// Address defines the hostname or IP Address to bind the HTTPS server to listen to. This is useful when creating
// a local server to handle the authentication request for development.
Address string
// Master is an optional param which configures api servers endpoint for listening for new CRDs
// +optional
Master string
// Kubeconfig is an optional param which configures the kubeconfig path for connecting to a specific
// API server this is useful for local development, allowing you to connect to a remote server.
// +optional
Kubeconfig string
// BackendMode is an ordered list of backends to get mappings from. Comma-delimited list of: MountedFile,EKSConfigMap,CRD
BackendMode []string
// Ec2 DescribeInstances rate limiting variables initially set to defaults until we completely
// understand we don't need to change
EC2DescribeInstancesQps int
EC2DescribeInstancesBurst int
LenientYamlEKS bool
}