diff --git a/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template b/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template
index 8b1bf8a301306..fd5f735a7b7b4 100644
--- a/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template
+++ b/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template
@@ -1,3 +1,78 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: iamidentitymappings.iamauthenticator.k8s.aws
+spec:
+ group: iamauthenticator.k8s.aws
+ version: v1alpha1
+ scope: Cluster
+ names:
+ plural: iamidentitymappings
+ singular: iamidentitymapping
+ kind: IAMIdentityMapping
+ categories:
+ - all
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ required:
+ - arn
+ - username
+ properties:
+ arn:
+ type: string
+ username:
+ type: string
+ groups:
+ type: array
+ items:
+ type: string
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: aws-iam-authenticator
+rules:
+- apiGroups:
+ - iamauthenticator.k8s.aws
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - update
+ - patch
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: aws-iam-authenticator
+ namespace: kube-system
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: aws-iam-authenticator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: aws-iam-authenticator
+subjects:
+- kind: ServiceAccount
+ name: aws-iam-authenticator
+ namespace: kube-system
+
 ---
 apiVersion: apps/v1
 kind: DaemonSet
@@ -19,6 +94,9 @@ spec:
 labels:
 k8s-app: aws-iam-authenticator
 spec:
+ # use service account with access to
+ serviceAccountName: aws-iam-authenticator
+ # run on the host network (don't depend on CNI)
 hostNetwork: true
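Review bot: The new ClusterRole `aws-iam-authenticator` grants `resources: ["*"]` with `verbs: ["*"]` on the `iamauthenticator.k8s.aws` group, which is wider than the daemon appears to need; it presumably reads IAMIdentityMapping objects and writes their `status` subresource (the CRD enables `subresources.status`), so `resources: [iamidentitymappings, iamidentitymappings/status]` with `verbs: [get, list, watch, update, patch]` would be the least-privilege form — confirm against the upstream manifest before narrowing. Because the CRD schema maps an arbitrary `arn` to an arbitrary `username` and `groups`, create/update rights on the cluster-scoped `iamidentitymappings` resource are equivalent to cluster-admin, and the manifest should say so, e.g. a comment above the CRD: `# Write access to IAMIdentityMapping objects grants arbitrary cluster identities; restrict it via RBAC`. The RBAC objects use `rbac.authorization.k8s.io/v1beta1` while the DaemonSet in the same template already uses `apps/v1`; `rbac.authorization.k8s.io/v1` is available on the 1.12+ clusters this template targets and would avoid a later deprecation edit.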
@@ -37,7 +115,7 @@ spec:
 # - output (output kubeconfig to plug into your apiserver configuration, mounted from the host)
 containers:
 - name: aws-iam-authenticator
- image: {{ or .Authentication.Aws.Image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.4.0" }}
+ image: {{ or .Authentication.Aws.Image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.0-scratch" }}
 args:
 - server
 - --config=/etc/aws-iam-authenticator/config.yaml
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index b0c11069cc7f2..27d67c946242c 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -977,15 +977,17 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 }
 if b.cluster.Spec.Authentication.Aws != nil {
 key := "authentication.aws"
- version := "0.4.0-kops.1"
-
+ versions := map[string]string{
+ "k8s-1.10": "0.4.0-kops.1",
+ "k8s-1.12": "0.5.0-kops.1",
+ }
 {
 location := key + "/k8s-1.10.yaml"
 id := "k8s-1.10"
 addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
 Name: fi.String(key),
- Version: fi.String(version),
+ Version: fi.String(versions[id]),
 Selector: authenticationSelector,
 Manifest: fi.String(location),
 KubernetesVersion: ">=1.10.0 <1.12.0",
@@ -999,7 +1001,7 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
 Name: fi.String(key),
- Version: fi.String(version),
+ Version: fi.String(versions[id]),
 Selector: authenticationSelector,
 Manifest: fi.String(location),
 KubernetesVersion: ">=1.12.0",