This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

01/31/2019, 11:50 PM

This message was deleted.

early-musician-41645

01/31/2019, 11:51 PM

E.g. What could the stack/project structure look like?

creamy-potato-29402

02/01/2019, 12:03 AM

@early-musician-41645 IN FACT WE CAN!

creamy-potato-29402

02/01/2019, 12:03 AM

@early-musician-41645 https://github.com/pulumi/kubernetes-the-prod-way/tree/master/aws/identity

creamy-potato-29402

02/01/2019, 12:04 AM

it’s a WIP, we’re working on building up the stuff to the EKS layer.

creamy-potato-29402

02/01/2019, 12:04 AM

cc @breezy-hamburger-69619

early-musician-41645

02/01/2019, 4:32 AM

ah, thanks!

early-musician-41645

02/01/2019, 5:35 AM

Hmm, I think I'm looking for something slightly different. More of guidance on how to architect Pulumi stacks for managing a set of permissions across namespaces and mapping those to roles.

early-musician-41645

02/01/2019, 5:38 AM

Something along the lines of this, except scaled to dozens of namespaces, with many IAM roles to match. I'd like to separate the EKS cluster management from the IAM role & kube role management. I thought this could work as a separate stack for the namespace/env/role mappings, but it would modify the

aws-auth

config map that is already created in the eks-cluster stack (via

new eks.Cluster

)

early-musician-41645

02/01/2019, 5:39 AM

So there would be a problem if we ever want to update the eks-cluster stack after having made multiple changes to the aws-auth map...

breezy-hamburger-69619

02/01/2019, 6:58 AM

Thanks for the feedback! We’re building out some material that hopes to talks to various topics such as the one you’re discussing, and we’re always interested to hear about different use cases. IIUC your root issue is that because

aws-auth

changes often from the initial one created, this in turn will cause the cluster to be rebuilt on future updates, and you want to avoid this, right? If so, then I don’t see anything wrong about your approach to map many IAM roles to roleMappings per namespace. The only thing to note is that because the

aws-auth

is the only

ConfigMap

that in EKS that maps IAM -> RBAC, access to it should only be limited to admins. Your issue, as I understand it, would ultimately be due to Pulumi’s delete-before-replace semantics, which triggers a cascading delete on AWS resources for EKS. Issues [1] and [2] describes this issue in more detail. Thankfully, PR [3] to

@pulumi/pulumi

resolves it, and

@pulumi/eks

will be updating its dependency on

@pulumi/pulumi

[4], so we should have a fix out for this soon. [1] - https://github.com/pulumi/pulumi-eks/issues/46 [2] - https://github.com/pulumi/pulumi/issues/2167 [3] - https://github.com/pulumi/pulumi/pull/2369 [4] - https://github.com/pulumi/pulumi-eks/issues/46#issuecomment-459544080 Hope this helps

early-musician-41645

02/01/2019, 6:56 PM

👍

Open in Slack

Previous Next