Announcing a new open source tool: eks-auth-sync
At Polar Squad, we’ve been using Amazon EKS in our client projects since early 2019. We’ve found it to provide a great way to jump into Kubernetes on AWS while being able to offload a lot of the maintenance tasks to AWS. While we’ve seen the platform grow a lot, there’s still plenty of things that could be made easier to manage.
One of the tricky aspects of EKS is cluster authentication management. Authentication in EKS is configured using a single ConfigMap in the Kubernetes cluster (aws-auth) that maps AWS IAM users and roles to users in Kubernetes. If you only have a fixed number of users and roles assigned to a cluster, it's easy enough to just create the ConfigMap once and forget about it. However, if the number of users and roles varies frequently (i.e. people join and leave the cluster), managing the ConfigMap can become a chore.
To assist with managing the EKS cluster authentication, we’ve created a new open source tool: eks-auth-sync. You can use it to automate the synchronization of authentication configuration from various sources to EKS.
How does it work?
Here’s roughly what the eks-auth-sync tool does when you run it:
Read a given configuration file for a list of data sources (called “scanners”).
Read the data sources for all the available auth mappings, and join the results.
Update the auth mappings in your EKS cluster.
We’ve intentionally kept the scope of the tool small and the design simple so that anyone with a bit of knowledge in Go, AWS, and Kubernetes can pick up and maintain it if they wish to.
Where can I get it?
You can download the release binaries and Docker images from Gitlab releases page and container registry. The source code is also hosted in Gitlab.
How do I use it?
Check out the documentation section in the project README to learn how to configure eks-auth-sync to scan configurations from various sources such as IAM and SSM parameters as well as how to deploy it as a Kubernetes CronJob.
Made with ❤️ by Polar Squad