This repository has been archived by the owner on Apr 30, 2021. It is now read-only.

ADR023-cluster-authentication.md


ADR023: Cluster Authentication

Status

Accepted

Context

We need to provide a secure way for users to authenticate before they interact with cluster resources.

Four roles have been identified, based on need:

| Cluster Role | Need |
| --- | --- |
| deployer | ability to make changes to the cluster and full access to AWS resources (for CI) |
| admin | ability to make changes to cluster resources, and restricted access to AWS resources |
| sre | read-only access to all cluster resources |
| dev | read-only access to resources, potentially scoped to a namespace |

Decision

We will authenticate all users to IAM roles via the aws-iam-authenticator and map those IAM roles to ClusterRoles within the GSP cluster.

We will store the mapping of IAM user ARN to Cluster Role in Github (gds-trusted-developers) so that it can be verified.
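As an added illustration, not part of the original ADR or of the GSP repository, here is what the decision looks like in configuration. aws-iam-authenticator reads the `aws-auth` ConfigMap to turn an assumed IAM role into a Kubernetes username and groups; Kubernetes RBAC bindings then attach those groups to ClusterRoles; and a kubeconfig `exec` entry makes kubectl call the authenticator to obtain a token for a role. The account ID, role names, group names, cluster name and namespace are placeholders chosen for the example.

```yaml
# Added example, not the project's own configuration. Account ID, role names,
# group names, cluster name and namespace are placeholders.
#
# 1. aws-iam-authenticator mapping: IAM role -> Kubernetes username + groups.
#    Individual IAM users never appear here; each user assumes one of the roles.
#    {{SessionName}} is substituted by the authenticator, so the audit log
#    still records which user assumed the role.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/gsp-deployer
      username: deployer:{{SessionName}}
      groups:
        - gsp:deployer
    - rolearn: arn:aws:iam::123456789012:role/gsp-admin
      username: admin:{{SessionName}}
      groups:
        - gsp:admin
    - rolearn: arn:aws:iam::123456789012:role/gsp-sre
      username: sre:{{SessionName}}
      groups:
        - gsp:sre
    - rolearn: arn:aws:iam::123456789012:role/gsp-dev
      username: dev:{{SessionName}}
      groups:
        - gsp:dev
---
# 2. RBAC: deployer gets full cluster access (CI pipeline).
#    admin would be bound the same way to a narrower, purpose-built ClusterRole
#    (omitted here).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gsp-deployer
subjects:
  - kind: Group
    name: gsp:deployer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# sre: read-only across every namespace. The built-in `view` ClusterRole
# deliberately excludes Secrets; a dedicated ClusterRole is needed if SREs
# must read them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gsp-sre-view
subjects:
  - kind: Group
    name: gsp:sre
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
# dev: the same read-only ClusterRole, but granted with a RoleBinding so it
# applies only inside the named namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gsp-dev-view
  namespace: team-a
subjects:
  - kind: Group
    name: gsp:dev
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
# 3. kubeconfig user entry (fragment): kubectl runs aws-iam-authenticator,
#    which assumes the role with the caller's IAM user credentials and
#    returns a signed token for the cluster named by -i.
apiVersion: v1
kind: Config
users:
  - name: gsp-sre
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1alpha1
        command: aws-iam-authenticator
        args:
          - token
          - -i
          - gsp-cluster
          - -r
          - arn:aws:iam::123456789012:role/gsp-sre
```

The bindings can be checked before anyone assumes a role with impersonation, for example `kubectl auth can-i get pods -n team-a --as=dev:alice --as-group=gsp:dev` should succeed, while the same check with `delete pods` or with `-n kube-system` should be denied.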

Consequences

  • Requires every user to have an IAM user that is permitted to assume the relevant IAM role
  • Requires every user to install the aws-iam-authenticator binary in order to use kubectl