1. Using kubernetes rbac.authorization.k8s.io with iam.aws.rustrial.org


    In order to integrate Kubernetes RBAC with AWS IAM identities, you will need to do the following:

    1. Define RBAC Roles and RoleBindings in Kubernetes: You'll need to configure Kubernetes RBAC to specify permissions for Kubernetes resources. This will be done using Role and RoleBinding resources in your Kubernetes manifests.

    2. Map AWS IAM Identities to Kubernetes: To allow AWS IAM identities (like a user or role) to interact with your Kubernetes cluster, you need to create a ConfigMap called aws-auth in the kube-system namespace. This ConfigMap contains mappings from AWS IAM users and roles to Kubernetes users and groups.

    3. Use aws-iam-authenticator: The aws-iam-authenticator validates the AWS IAM credentials that kubectl presents and maps them to the Kubernetes users and groups defined in aws-auth, so every kubectl call is tied to an IAM identity.

    Assuming you have Pulumi installed and configured to manage your Kubernetes cluster resources, here is a Pulumi TypeScript program that demonstrates how to set up Kubernetes RBAC for an AWS IAM user using the aws-auth ConfigMap.

    First, make sure your Pulumi Kubernetes provider is correctly configured to manage resources in your cluster. Then create Kubernetes Role and RoleBinding resources with the following Pulumi program:

```typescript
import * as k8s from "@pulumi/kubernetes";

// For a specific namespace, create a Role that dictates what actions are allowed on which resources.
const podReaderRole = new k8s.rbac.v1.Role("pod-reader", {
    metadata: {
        namespace: "default", // Specify the namespace where you want to apply the Role
    },
    rules: [{
        apiGroups: [""], // The "" indicates the core API group
        resources: ["pods"],
        verbs: ["get", "watch", "list"],
    }],
});

// Bind the AWS IAM role to the Kubernetes Role we've created above.
// This binding allows the subjects (AWS IAM role here) the permissions defined in the Role.
const podReaderRoleBinding = new k8s.rbac.v1.RoleBinding("pod-reader-binding", {
    metadata: {
        namespace: "default", // Ensure this is the same namespace as the Role
    },
    subjects: [{
        kind: "User",
        // The subject name must equal the Kubernetes username that the aws-auth
        // mapRoles entry assigns to this IAM role; the raw ARN only matches if
        // that entry sets `username` to the ARN itself.
        name: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<AWS_IAM_ROLE>",
        apiGroup: "rbac.authorization.k8s.io",
    }],
    roleRef: {
        kind: "Role",
        name: podReaderRole.metadata.name,
        apiGroup: "rbac.authorization.k8s.io",
    },
});

// To grant access to the AWS IAM role, you must update the `aws-auth` ConfigMap.
// This is commonly done at cluster creation time. See https://www.pulumi.com/docs/reference/pkg/aws/eks/cluster/
```

    Replace <AWS_ACCOUNT_ID> and <AWS_IAM_ROLE> with your actual AWS account ID and the name of the IAM role you want to grant access.

    Please Note:

    • AWS accounts typically use an aws-auth ConfigMap to manage access to EKS clusters. The above Pulumi code assumes that you have already set up an EKS cluster with the appropriate aws-auth ConfigMap that adds your IAM role to the mapRoles section. If you haven't done so, you will need to create or update the aws-auth ConfigMap accordingly.
    • This Pulumi program doesn't directly create or modify the AWS IAM role. You must define this role in AWS IAM and provide the necessary trust relationship to the EKS cluster.
    • The created Role and RoleBinding above are namespaced. For cluster-wide permissions, you would use ClusterRole and ClusterRoleBinding instead.
    • The ARN used in the subjects field must refer to an existing IAM Role, and that IAM Role's trust policy must allow the principals who will run kubectl to assume it; the cluster only recognizes the role through its aws-auth mapping.
    • Authenticating to the Kubernetes API with an AWS IAM role requires the cluster to be configured for it, which is typically done by the aws-iam-authenticator.
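As an added example that is not part of the original program, the plain TypeScript below (no Pulumi) renders the aws-auth mapRoles entry the notes above refer to and checks that RoleBinding subjects actually name identities the mapping produces; the role ARN, username and group are constructed placeholders, and only mapRoles (not mapUsers) is considered.

```typescript
// Added example, not from the original page: consistency check between an
// aws-auth mapRoles entry and the RoleBinding subjects meant to match it.

// One entry in the aws-auth ConfigMap's mapRoles list.
interface MapRolesEntry {
  rolearn: string;   // IAM role ARN presented by aws-iam-authenticator
  username: string;  // Kubernetes username assigned to that role
  groups?: string[]; // Kubernetes groups assigned to that role
}

// A subject as written in a RoleBinding or ClusterRoleBinding.
interface Subject {
  kind: "User" | "Group" | "ServiceAccount";
  name: string;
}

// Constructed mapping: the IAM role becomes Kubernetes user "pod-reader-ci"
// in group "pod-readers". Kubernetes RBAC never sees the ARN itself.
const mapRoles: MapRolesEntry[] = [{
  rolearn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<AWS_IAM_ROLE>",
  username: "pod-reader-ci",
  groups: ["pod-readers"],
}];

// Render the list as the YAML string stored under data.mapRoles in aws-auth.
function renderMapRoles(entries: MapRolesEntry[]): string {
  return entries.map((e) => {
    const lines = [`- rolearn: ${e.rolearn}`, `  username: ${e.username}`];
    if (e.groups && e.groups.length > 0) {
      lines.push("  groups:");
      for (const g of e.groups) lines.push(`    - ${g}`);
    }
    return lines.join("\n");
  }).join("\n");
}

// Return the subjects no mapRoles entry can satisfy. A User subject named
// with the raw ARN only resolves if some entry sets username to that ARN;
// otherwise the binding silently grants nothing. Templated usernames such
// as "{{SessionName}}" are compared literally, not expanded.
function unresolvedSubjects(entries: MapRolesEntry[], subjects: Subject[]): Subject[] {
  const users = new Set(entries.map((e) => e.username));
  const groups = new Set<string>();
  for (const e of entries) for (const g of e.groups ?? []) groups.add(g);
  return subjects.filter((s) =>
    s.kind === "User" ? !users.has(s.name) :
    s.kind === "Group" ? !groups.has(s.name) : false);
}
```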

    Remember to review the official Pulumi documentation for Kubernetes and the official Pulumi documentation for AWS EKS for a deeper understanding of integrating IAM with RBAC on a Kubernetes cluster.