early-musician-41645
01/31/2019, 11:50 PM
aws-auth configmap to a Kubernetes user that is limited to actions within a specific namespace.
Hence, the aws-auth configmap will be updated often and quickly move out of sync with the initial definition for it when we new eks.Cluster.
Can you recommend a Pulumi way to manage the namespaces, IAM roles, kubernetes roles, rolebindings & usernames?

creamy-potato-29402
02/01/2019, 12:03 AM

early-musician-41645
02/01/2019, 4:32 AM
aws-auth config map that is already created in the eks-cluster stack (via new eks.Cluster)

breezy-hamburger-69619
02/01/2019, 6:58 AM
aws-auth changes often from the initial one created, this in turn will cause the cluster to be rebuilt on future updates, and you want to avoid this, right?
If so, then I don’t see anything wrong about your approach to map many IAM roles to roleMappings per namespace. The only thing to note is that because the aws-auth is the only ConfigMap in EKS that maps IAM -> RBAC, access to it should only be limited to admins.
Your issue, as I understand it, would ultimately be due to Pulumi’s delete-before-replace semantics, which triggers a cascading delete on AWS resources for EKS. Issues [1] and [2] describe this issue in more detail. Thankfully, PR [3] to @pulumi/pulumi resolves it, and @pulumi/eks will be updating its dependency on @pulumi/pulumi [4], so we should have a fix out for this soon.
[1] - https://github.com/pulumi/pulumi-eks/issues/46
[2] - https://github.com/pulumi/pulumi/issues/2167
[3] - https://github.com/pulumi/pulumi/pull/2369
[4] - https://github.com/pulumi/pulumi-eks/issues/46#issuecomment-459544080
Hope this helps

early-musician-41645
02/01/2019, 6:56 PM