Expand Up @@ -191,6 +191,14 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
"ec2:DeleteLaunchTemplateVersions",
"ec2:DescribeKeyPairs",
"ec2:ModifyInstanceMetadataOptions",
"eks:CreateAccessEntry",
"eks:DeleteAccessEntry",
"eks:DescribeAccessEntry",
"eks:UpdateAccessEntry",
"eks:ListAccessEntries",
"eks:AssociateAccessPolicy",
"eks:DisassociateAccessPolicy",
"eks:ListAssociatedAccessPolicies",
},
},
{
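Review bot: The eight `eks:*AccessEntry` / `eks:*AccessPolicy` actions are appended to an existing action list whose statement, judging by the CloudFormation sections further down this page, is `Effect: Allow` on `Resource: '*'`. Since `eks:CreateAccessEntry` together with `eks:AssociateAccessPolicy` effectively hands out Kubernetes permissions, the controllers role could then grant any IAM principal any access policy on every EKS cluster in the account, not only the clusters it manages. I would move these actions into their own statement restricted to EKS cluster and access-entry ARNs, and, if the template has a switch for EKS support, emit it only when that is on. A comment above the new entries such as `// EKS access entries grant cluster access; keep this statement resource-scoped` would record the intent. ControllersPolicy begins and ends outside this hunk, so the statement's resource and conditions are inferred from the YAML sections rather than seen here; the same list recurs in each of them.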
Expand Up @@ -251,6 +251,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -251,6 +251,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -257,6 +257,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -251,6 +251,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -257,6 +257,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -257,6 +257,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -251,6 +251,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -251,6 +251,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -251,6 +251,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -251,6 +251,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -251,6 +251,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -257,6 +257,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -251,6 +251,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -251,6 +251,14 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- eks:CreateAccessEntry
- eks:DeleteAccessEntry
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
- eks:ListAssociatedAccessPolicies
Effect: Allow
Resource:
- '*'
Expand Up @@ -2303,6 +2303,85 @@ spec:
ignored when updating existing clusters. Defaults to true.
type: boolean
type: object
accessEntries:
description: |-
AccessEntries specifies the access entries for the cluster
Access entries require AuthenticationMode to be either "api" or "api_and_config_map"
items:
description: AccessEntry represents an AWS EKS access entry for
IAM principals
properties:
accessPolicies:
description: |-
AccessPolicies specifies the policies to associate with this access entry
Cannot be specified if Type is "ec2_linux" or "ec2_windows"
items:
description: AccessPolicyReference represents a reference
to an AWS EKS access policy
properties:
accessScope:
description: AccessScope specifies the scope for the policy
properties:
namespaces:
description: |-
Namespaces are the namespaces for the access scope
Only valid when Type is namespace
items:
type: string
minItems: 1
type: array
type:
default: cluster
description: Type is the type of access scope. Defaults
to "cluster".
enum:
- cluster
- namespace
type: string
required:
- type
type: object
policyARN:
description: PolicyARN is the Amazon Resource Name (ARN)
of the access policy
type: string
required:
- accessScope
- policyARN
type: object
maxItems: 20
type: array
kubernetesGroups:
description: |-
KubernetesGroups represents the Kubernetes groups for the access entry
Cannot be specified if Type is "ec2_linux" or "ec2_windows"
items:
type: string
type: array
principalARN:
description: PrincipalARN is the Amazon Resource Name (ARN)
of the IAM principal
type: string
type:
default: standard
description: Type is the type of access entry. Defaults to standard
if not specified.
enum:
- standard
- ec2_linux
- ec2_windows
- fargate_linux
- ec2
- hybrid_linux
- hyperpod_linux
type: string
username:
description: Username is the username for the access entry
type: string
required:
- principalARN
type: object
type: array
additionalTags:
additionalProperties:
type: string
Expand Up @@ -75,6 +75,87 @@ spec:
ignored when updating existing clusters. Defaults to true.
type: boolean
type: object
accessEntries:
description: |-
AccessEntries specifies the access entries for the cluster
Access entries require AuthenticationMode to be either "api" or "api_and_config_map"
items:
description: AccessEntry represents an AWS EKS access entry
for IAM principals
properties:
accessPolicies:
description: |-
AccessPolicies specifies the policies to associate with this access entry
Cannot be specified if Type is "ec2_linux" or "ec2_windows"
items:
description: AccessPolicyReference represents a reference
to an AWS EKS access policy
properties:
accessScope:
description: AccessScope specifies the scope for
the policy
properties:
namespaces:
description: |-
Namespaces are the namespaces for the access scope
Only valid when Type is namespace
items:
type: string
minItems: 1
type: array
type:
default: cluster
description: Type is the type of access scope.
Defaults to "cluster".
enum:
- cluster
- namespace
type: string
required:
- type
type: object
policyARN:
description: PolicyARN is the Amazon Resource
Name (ARN) of the access policy
type: string
required:
- accessScope
- policyARN
type: object
maxItems: 20
type: array
kubernetesGroups:
description: |-
KubernetesGroups represents the Kubernetes groups for the access entry
Cannot be specified if Type is "ec2_linux" or "ec2_windows"
items:
type: string
type: array
principalARN:
description: PrincipalARN is the Amazon Resource Name
(ARN) of the IAM principal
type: string
type:
default: standard
description: Type is the type of access entry. Defaults
to standard if not specified.
enum:
- standard
- ec2_linux
- ec2_windows
- fargate_linux
- ec2
- hybrid_linux
- hyperpod_linux
type: string
username:
description: Username is the username for the access
entry
type: string
required:
- principalARN
type: object
type: array
additionalTags:
additionalProperties:
type: string