Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(eks): add kubernetesGroups to AccessEntries #32074

35 changes: 24 additions & 11 deletions packages/aws-cdk-lib/aws-eks/lib/access-entry.ts
Original file line number Diff line number Diff line change
Expand Up @@ -281,11 +281,16 @@ export interface AccessEntryProps {
/**
* The access policies that define the permissions and scope for the access entry.
*/
readonly accessPolicies: IAccessPolicy[];
readonly accessPolicies?: IAccessPolicy[];
/**
* The Amazon Resource Name (ARN) of the principal (user or role) to associate the access entry with.
*/
readonly principal: string;
/**
* The kubernetes groups you want to associate with this access policy.
* Those groups can be used as subjects in (Cluster)RoleBindings.
*/
readonly kubernetesGroups?: string[];
}

/**
Expand Down Expand Up @@ -323,28 +328,36 @@ export class AccessEntry extends Resource implements IAccessEntry {
private cluster: ICluster;
private principal: string;
private accessPolicies: IAccessPolicy[];
private kubernetesGroups?: string[];

constructor(scope: Construct, id: string, props: AccessEntryProps ) {
super(scope, id);

this.cluster = props.cluster;
this.principal = props.principal;
this.accessPolicies = props.accessPolicies;

const resource = new CfnAccessEntry(this, 'Resource', {
clusterName: this.cluster.clusterName,
principalArn: this.principal,
type: props.accessEntryType,
accessPolicies: Lazy.any({
produce: () => this.accessPolicies.map(p => ({
this.accessPolicies = props.accessPolicies ?? [];
this.kubernetesGroups = props.kubernetesGroups;
const accessPolicies = Lazy.any({
produce: () => {
if (this.accessPolicies.length === 0) {
return undefined;
}
return this.accessPolicies!.map(p => ({
accessScope: {
type: p.accessScope.type,
namespaces: p.accessScope.namespaces,
},
policyArn: p.policy,
})),
}),
}));
},
});

const resource = new CfnAccessEntry(this, 'Resource', {
clusterName: this.cluster.clusterName,
principalArn: this.principal,
type: props.accessEntryType,
accessPolicies,
kubernetesGroups: this.kubernetesGroups,
});
this.accessEntryName = this.getResourceNameAttribute(resource.ref);
this.accessEntryArn = this.getResourceArnAttribute(resource.attrAccessEntryArn, {
Expand Down
44 changes: 43 additions & 1 deletion packages/aws-cdk-lib/aws-eks/test/access-entry.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ describe('AccessEntry', () => {
};
});

test('creates a new AccessEntry', () => {
test('creates a new AccessEntry with accessPolicies', () => {
// WHEN
new AccessEntry(stack, 'AccessEntry', {
cluster,
Expand All @@ -61,6 +61,48 @@ describe('AccessEntry', () => {
});
});

test('creates a new AccessEntry with kubernetesGroups', () => {
// WHEN
new AccessEntry(stack, 'AccessEntry', {
cluster,
kubernetesGroups: ['my-kubernetes-group'],
accessPolicies: mockAccessPolicies,
principal: 'mock-principal-arn',
});

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::EKS::AccessEntry', {
ClusterName: { Ref: 'Cluster9EE0221C' },
PrincipalArn: 'mock-principal-arn',
AccessPolicies: [
{
AccessScope: {
Namespaces: ['default'],
Type: 'namespace',
},
PolicyArn: 'mock-policy-arn',
},
],
KubernetesGroups: ['my-kubernetes-group'],
});
});

test('creates a new AccessEntry with accessPolicies and kubernetesGroups', () => {
// WHEN
new AccessEntry(stack, 'AccessEntry', {
cluster,
kubernetesGroups: ['my-kubernetes-group'],
principal: 'mock-principal-arn',
});

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::EKS::AccessEntry', {
ClusterName: { Ref: 'Cluster9EE0221C' },
PrincipalArn: 'mock-principal-arn',
KubernetesGroups: ['my-kubernetes-group'],
});
});

test.each(Object.values(AccessEntryType))(
'creates a new AccessEntry for AccessEntryType %s',
(accessEntryType) => {
Expand Down
Loading