From 66d1a5efde1e5b5946132bc9ae56af2528d14aec Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Thu, 4 Apr 2024 20:20:55 +0300
Subject: [PATCH] Enforce `authenticationMode:CONFIG_MAP` on Outposts (#7699)

Make authenticationMode:CONFIG_MAP default on Outposts
---
 pkg/apis/eksctl.io/v1alpha5/defaults.go      | 11 ++++++--
 pkg/apis/eksctl.io/v1alpha5/defaults_test.go | 25 +++++++++++++++++++
 .../v1alpha5/outposts_validation_test.go     | 22 ++++++++++++++++
 pkg/apis/eksctl.io/v1alpha5/validation.go    |  6 +++++
 4 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/pkg/apis/eksctl.io/v1alpha5/defaults.go b/pkg/apis/eksctl.io/v1alpha5/defaults.go
index 417ea56a5a..6b4e93e2ba 100644
--- a/pkg/apis/eksctl.io/v1alpha5/defaults.go
+++ b/pkg/apis/eksctl.io/v1alpha5/defaults.go
@@ -56,10 +56,10 @@ func SetClusterConfigDefaults(cfg *ClusterConfig) {
 
 	if cfg.AccessConfig == nil {
 		cfg.AccessConfig = &AccessConfig{
-			AuthenticationMode: ekstypes.AuthenticationModeApiAndConfigMap,
+			AuthenticationMode: getDefaultAuthenticationMode(cfg.IsControlPlaneOnOutposts()),
 		}
 	} else if cfg.AccessConfig.AuthenticationMode == "" {
-		cfg.AccessConfig.AuthenticationMode = ekstypes.AuthenticationModeApiAndConfigMap
+		cfg.AccessConfig.AuthenticationMode = getDefaultAuthenticationMode(cfg.IsControlPlaneOnOutposts())
 	}
 
 	if cfg.PrivateCluster == nil {
@@ -244,6 +244,13 @@ func getDefaultVolumeType(nodeGroupOnOutposts bool) string {
 	return DefaultNodeVolumeType
 }
 
+func getDefaultAuthenticationMode(nodeGroupOnOutposts bool) ekstypes.AuthenticationMode {
+	if nodeGroupOnOutposts {
+		return ekstypes.AuthenticationModeConfigMap
+	}
+	return ekstypes.AuthenticationModeApiAndConfigMap
+}
+
 func setContainerRuntimeDefault(ng *NodeGroup, clusterVersion string) {
 	if ng.ContainerRuntime != nil {
 		return
diff --git a/pkg/apis/eksctl.io/v1alpha5/defaults_test.go b/pkg/apis/eksctl.io/v1alpha5/defaults_test.go
index 6d100f9e3d..ced2332e8b 100644
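Review bot: The Outposts-aware default is now computed twice in SetClusterConfigDefaults, once in the nil branch and once in the empty-string branch, which is the kind of duplication that lets the two drift apart on the next change to either. Creating the empty struct first and defaulting the field in one place behaves identically (a nil AccessConfig becomes an empty one whose mode is then filled in) and leaves a single call site. SetClusterConfigDefaults continues past the end of the hunk.
```go
	if cfg.AccessConfig == nil {
		cfg.AccessConfig = &AccessConfig{}
	}
	if cfg.AccessConfig.AuthenticationMode == "" {
		cfg.AccessConfig.AuthenticationMode = getDefaultAuthenticationMode(cfg.IsControlPlaneOnOutposts())
	}
	// … unchanged: PrivateCluster defaulting …
```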
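Review bot: The parameter of the new getDefaultAuthenticationMode is named `nodeGroupOnOutposts`, apparently carried over from getDefaultVolumeType just above it, but its only caller passes `cfg.IsControlPlaneOnOutposts()` and the authentication mode is a cluster-level setting, so the name points readers at the wrong thing. The helper also has no doc comment explaining which value it hands back when. I would write `// getDefaultAuthenticationMode returns the authentication mode used when accessConfig.authenticationMode is unset: CONFIG_MAP when the control plane runs on Outposts, API_AND_CONFIG_MAP otherwise.` above `func getDefaultAuthenticationMode(controlPlaneOnOutposts bool) ekstypes.AuthenticationMode {`, with the `if` renamed to match.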
--- a/pkg/apis/eksctl.io/v1alpha5/defaults_test.go
+++ b/pkg/apis/eksctl.io/v1alpha5/defaults_test.go
@@ -4,6 +4,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
 )
 
 var _ = Describe("ClusterConfig validation", func() {
@@ -338,6 +340,29 @@ var _ = Describe("ClusterConfig validation", func() {
 
 	})
 
+	Context("Authentication Mode", func() {
+		var (
+			cfg *ClusterConfig
+		)
+
+		BeforeEach(func() {
+			cfg = NewClusterConfig()
+		})
+
+		It("should be set to API_AND_CONFIG_MAP by default", func() {
+			SetClusterConfigDefaults(cfg)
+			Expect(cfg.AccessConfig.AuthenticationMode).To(Equal(ekstypes.AuthenticationModeApiAndConfigMap))
+		})
+
+		It("should be set to CONFIG_MAP when control plane is on outposts", func() {
+			cfg.Outpost = &Outpost{
+				ControlPlaneOutpostARN: "arn:aws:outposts:us-west-2:1234:outpost/op-1234",
+			}
+			SetClusterConfigDefaults(cfg)
+			Expect(cfg.AccessConfig.AuthenticationMode).To(Equal(ekstypes.AuthenticationModeConfigMap))
+		})
+	})
+
 	Describe("ClusterConfig", func() {
 		var cfg *ClusterConfig
 
diff --git a/pkg/apis/eksctl.io/v1alpha5/outposts_validation_test.go b/pkg/apis/eksctl.io/v1alpha5/outposts_validation_test.go
index 225103adba..efcda3ab86 100644
--- a/pkg/apis/eksctl.io/v1alpha5/outposts_validation_test.go
+++ b/pkg/apis/eksctl.io/v1alpha5/outposts_validation_test.go
@@ -6,6 +6,9 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
+
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
 )
 
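Review bot: Both new `It`s in the "Authentication Mode" Context start from `NewClusterConfig()`, so only one of the two defaulting branches in SetClusterConfigDefaults is exercised, whichever applies to the AccessConfig value NewClusterConfig produces (not visible here). A third case that sets `cfg.AccessConfig = &AccessConfig{}` on the Outposts config before `SetClusterConfigDefaults(cfg)` and still expects `ekstypes.AuthenticationModeConfigMap` would pin the empty-string branch, which is the path a user file with an `accessConfig` block but no `authenticationMode` takes. The enclosing Describe starts and ends outside the hunk.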
@@ -22,10 +25,29 @@ var _ = Describe("Outposts validation", func() {
 			clusterConfig.Outpost = &api.Outpost{
 				ControlPlaneOutpostARN: "arn:aws:outposts:us-west-2:1234:outpost/op-1234",
 			}
+			api.SetClusterConfigDefaults(clusterConfig)
 			oe.updateDefaultConfig(clusterConfig)
 			err := api.ValidateClusterConfig(clusterConfig)
 			Expect(err).To(MatchError(ContainSubstring(oe.expectedErr)))
 		},
+		Entry("Authentication Mode - API", outpostsEntry{
+			updateDefaultConfig: func(c *api.ClusterConfig) {
+				c.AccessConfig.AuthenticationMode = ekstypes.AuthenticationModeApi
+			},
+			expectedErr: fmt.Sprintf("accessConfig.AuthenticationMode must be set to %s on Outposts", ekstypes.AuthenticationModeConfigMap),
+		}),
+		Entry("Authentication mode - API_AND_CONFIG_MAP", outpostsEntry{
+			updateDefaultConfig: func(c *api.ClusterConfig) {
+				c.AccessConfig.AuthenticationMode = ekstypes.AuthenticationModeApiAndConfigMap
+			},
+			expectedErr: fmt.Sprintf("accessConfig.AuthenticationMode must be set to %s on Outposts", ekstypes.AuthenticationModeConfigMap),
+		}),
+		Entry("BootstrapClusterCreatorAdminPermissions - false", outpostsEntry{
+			updateDefaultConfig: func(c *api.ClusterConfig) {
+				c.AccessConfig.BootstrapClusterCreatorAdminPermissions = aws.Bool(false)
+			},
+			expectedErr: "accessConfig.BootstrapClusterCreatorAdminPermissions can't be set to false on Outposts",
+		}),
 		Entry("Addons", outpostsEntry{
 			updateDefaultConfig: func(c *api.ClusterConfig) {
 				c.Addons = []*api.Addon{
diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
index 0b3b0000f3..c8c089e826 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation.go
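Review bot: The three new entries only cover rejections; nothing here checks that the defaulted Outposts config (CONFIG_MAP with `bootstrapClusterCreatorAdminPermissions` left unset) is accepted by `api.ValidateClusterConfig`, so the accept side of the new checks in validation.go has no test. Since every row of what appears to be a DescribeTable asserts `oe.expectedErr`, that positive case would fit better as a separate `It` in the same Describe than as another Entry. The two mode entries also disagree on capitalisation, `"Authentication Mode - API"` versus `"Authentication mode - API_AND_CONFIG_MAP"`; `Entry("Authentication Mode - API_AND_CONFIG_MAP", outpostsEntry{` keeps the names consistent. The enclosing table body starts outside the hunk.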
@@ -162,6 +162,12 @@ func ValidateClusterConfig(cfg *ClusterConfig) error {
 
 			return err
 		}
+		if cfg.AccessConfig.AuthenticationMode != ekstypes.AuthenticationModeConfigMap {
+			return fmt.Errorf("accessConfig.AuthenticationMode must be set to %s on Outposts", ekstypes.AuthenticationModeConfigMap)
+		}
+		if IsDisabled(cfg.AccessConfig.BootstrapClusterCreatorAdminPermissions) {
+			return fmt.Errorf("accessConfig.BootstrapClusterCreatorAdminPermissions can't be set to false on Outposts")
+		}
 		if cfg.IPv6Enabled() {
 			return errors.New("IPv6 is not supported on Outposts")
 		}
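Review bot: Both new checks dereference `cfg.AccessConfig` without a nil guard, so a ClusterConfig validated before SetClusterConfigDefaults has run panics with a nil pointer dereference instead of returning an error; the outposts table test had to gain an explicit `api.SetClusterConfigDefaults(clusterConfig)` call for exactly this reason. A nil AccessConfig on an Outposts cluster would be defaulted to CONFIG_MAP anyway, so skipping the checks when it is nil is consistent with the defaulting: `if cfg.AccessConfig != nil && cfg.AccessConfig.AuthenticationMode != ekstypes.AuthenticationModeConfigMap {` and `if cfg.AccessConfig != nil && IsDisabled(cfg.AccessConfig.BootstrapClusterCreatorAdminPermissions) {`. Whether the rest of ValidateClusterConfig already assumes defaults have been applied is not visible from this hunk; the function starts and ends outside it.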