[Feature] Add feature to migrate IAM identities from aws-auth configmap to API access entries #7700

@veekaly

Description

What feature/behavior/change do you want?

I'd like to have a feature to migrate existing IAM identities configured in aws-auth configmap to EKS access entries by doing something like below.

eksctl utils migrate-to-access-entry --cluster <cluster-name> --target-authentication-mode <API or API_AND_CONFIGMAP>

When API_AND_CONFIGMAP mode is specified with --target-authentication-mode flag, eksctl will update the cluster auth config to API_AND_CONFIGMAP mode, read from aws-auth configmap and add them to the EKS access entries.

When API mode is specified with --target-authentication-mode flag, eksctl will update the cluster auth config to API mode, read from aws-auth configmap and add them to the EKS access entries, and delete the aws-auth configmap from the cluster (as it is no longer used in API mode).

While migrating the IAM identities,

  • If the IAM identity is a node IAM role, eksctl will add it to access entries with type as EC2_LINUX, EC2_WINDOWS, or FARGATE_LINUX based on rbac groups configured in aws-auth.
  • If the IAM identity is a non-node IAM role, eksctl will add it to access entries with type as STANDARD, and use the same rbac groups configured in aws-auth into access entries. For non-node IAM roles with system:masters group, eksctl will add AmazonEKSClusterAdminPolicy to the access entry.

Why do you want this feature?

Existing EKS clusters using CONFIGMAP mode would have multiple IAM mappings, and if cluster admins decide to switch to API mode, they'd have to manually add each entry from aws-auth into access entries, or build some scripts to automate it.
Having this functionality within eksctl would help EKS users to perform this seamlessly with just one command execution.
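An added Go sketch of the mapping rules proposed above (example code, not eksctl's own implementation). It assumes the group sets that aws-auth conventionally assigns to EC2 Linux, Windows and Fargate node roles to detect node roles, since the issue only says "based on rbac groups", and the access policy ARN is an assumed value.

```go
package main

// AccessEntry is the EKS access entry the migration would create for one mapRoles item.
type AccessEntry struct {
	PrincipalARN     string
	Type             string   // STANDARD, EC2_LINUX, EC2_WINDOWS or FARGATE_LINUX
	KubernetesGroups []string // only set on STANDARD entries
	AccessPolicies   []string // access policy ARNs to associate with the entry
}

// Assumed ARN of the AmazonEKSClusterAdminPolicy named in the issue.
const ClusterAdminPolicyARN = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"

// nodeType recognises the group sets conventionally given to node roles in
// aws-auth (assumed convention) and returns the matching access entry type.
func nodeType(groups []string) (string, bool) {
	have := map[string]bool{}
	for _, g := range groups {
		have[g] = true
	}
	if !have["system:bootstrappers"] || !have["system:nodes"] {
		return "", false // not a node role
	}
	switch {
	case have["system:node-proxier"]:
		return "FARGATE_LINUX", true
	case have["eks:kube-proxy-windows"]:
		return "EC2_WINDOWS", true
	}
	return "EC2_LINUX", true
}

// ToAccessEntry converts one mapRoles item (role ARN plus its RBAC groups)
// into the access entry the issue describes.
func ToAccessEntry(roleARN string, groups []string) AccessEntry {
	e := AccessEntry{PrincipalARN: roleARN, Type: "STANDARD"}
	if t, ok := nodeType(groups); ok {
		e.Type = t // node entry types carry no Kubernetes groups
		return e
	}
	for _, g := range groups {
		if g == "system:masters" { // cluster-admin group becomes the admin policy
			e.AccessPolicies = append(e.AccessPolicies, ClusterAdminPolicyARN)
			continue
		}
		e.KubernetesGroups = append(e.KubernetesGroups, g)
	}
	return e
}
```

A migration tool would run ToAccessEntry over every mapRoles item and then create the entries through the EKS API; entries that end up STANDARD with no groups and no policies are worth flagging for review before the configmap is deleted.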
