{"id":13647400,"url":"https://github.com/jicowan/group-operator","last_synced_at":"2026-01-28T18:27:27.247Z","repository":{"id":48993577,"uuid":"209454861","full_name":"jicowan/group-operator","owner":"jicowan","description":"An operator that modifies the aws-auth ConfigMap with the members of an IAM group","archived":false,"fork":false,"pushed_at":"2021-07-01T17:24:43.000Z","size":13056,"stargazers_count":9,"open_issues_count":2,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-18T17:56:24.516Z","etag":null,"topics":["aws","eks","iam","kubernetes-operator","rbac-roles"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jicowan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-09-19T03:29:54.000Z","updated_at":"2021-07-01T19:06:06.000Z","dependencies_parsed_at":"2022-09-07T03:53:09.318Z","dependency_job_id":null,"html_url":"https://github.com/jicowan/group-operator","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jicowan%2Fgroup-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jicowan%2Fgroup-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jicowan%2Fgroup-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jicowan%2Fgroup-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jicowan","download_url":"https://codeload.github.com/jicowan/group-operator/tar.gz/r
efs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250163683,"owners_count":21385286,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","eks","iam","kubernetes-operator","rbac-roles"],"created_at":"2024-08-02T01:03:32.411Z","updated_at":"2026-01-28T18:27:27.198Z","avatar_url":"https://github.com/jicowan.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# group-operator\nThe group-operator is a Kubernetes operator that enumerates the members of an IAM group and adds them to the mapUsers \nlist in the aws-auth ConfigMap. It utilizes Zalando's kopf, a framework for writing Kubernetes operators in Python.  \nThe operator watches for the creation, modification, or deletion of an iamgroup object.  The iamgroup object is \nimplemented as a Custom Resource Definition (CRD) that specifies the IAM group you want to add to the aws-auth ConfigMap \nand the RBAC role/group to associate with the users of that group.  \n\n## Installing the operator\n\n### Creating a IAM role and service account\nSince the operator needs to get the members of an IAM group, it needs a Kubernetes service account that allows it to\nassume an IAM role that grants it permission to call the get_group API.  This is accomplished using the new IAM \nRoles for Service Accounts (IRSA) feature for EKS, which requires Kubernetes v1.13 or higher.  \n\n`eksctl` is far and away the easiest way to create the IAM role and corresponding Kubernetes service account.  Start by\nrunning the following commands: \n\n```bash\neksctl utils associate-iam-oidc-provider --name=\u003ccluster\u003e --approve\neksctl create iamserviceaccount --cluster=\u003cclusterName\u003e --name=iamreader --namespace=default --attach-policy-arn=\u003cpolicyARN\u003e\n```\n\nUse the ARN of the `IAMReadOnlyAccess` AWS managed policy, e.g. `arn:aws:iam::aws:policy/IAMReadOnlyAccess`, when \ncreating the service account, or scope the policy to only allow the service account to list the members of an IAM group. \n\n### Creating the RBAC roles\nIn addition to calling the IAM API, the operator calls several Kubernetes APIs.  For example, the operator reads iamgroup \nobjects and updates the aws-auth ConfigMap.  There is also a set of permissions required for the kopf framework.  All \nof these permissions are packaged in the rbac.yaml manifest.  You can apply these permissions to the cluster by running:\n\n```bash\nkubectl apply -f rbac.yaml\n```\n\n### Creating the iamgroups CRD\nThe group-operator relies on a CRD that specifies the IAM group to add to the aws-auth ConfigMap and the Kubernetes RBAC \nrole, e.g. `system:masters`, that should be assigned to the members of that group.  Create the CRD by running:\n\n```bash\nkubectl apply -f crd.yaml\n```\n\nAfter the CRD has been created, you can create iamgroup objects.  Below is an example of an iamgroup that adds the members\nof newgroup to the aws-auth ConfigMap and assigns them the `system:masters` role.  \n\n```yaml\napiVersion: jicomusic.com/v1\nkind: IAMGroup\nmetadata:\n  name: newgroup\nspec:\n  groupName: newgroup\n  rbacRole: system:masters\n```\n\u003e Note: the metadata name only accepts lowercase characters. 
\n\n### Deploying the operator\nThe `deployment.yaml` manifest in this repository references a `serviceAccountName` that has to be set to the service \naccount created in the [Creating an IAM role and service account](https://github.com/jicowan/group-operator/blob/master/README.md#creating-a-iam-role-and-service-account) step above.  \nOnce that's done, the operator can be deployed by running: \n\n```bash\nkubectl apply -f deployment.yaml\n```\n\n## Create an iamgroup object\nWith the operator running, create a new iamgroup manifest and apply it to the cluster.  For an example, see the \n`obj.yaml` in this repository. \n\nAfter the object has been applied to the cluster, get the aws-auth ConfigMap by running: \n\n```bash\nkubectl get configmap aws-auth -n kube-system -o yaml\n```\n\nIf the operator is working properly, you should see output resembling this: \n\n```yaml\napiVersion: v1\ndata:\n  mapRoles: |\n    - rolearn: arn:aws:iam::123456789012:role/grateful-banana-nodegroup-ng-bc4be-NodeInstanceRole-10RG7REOWCU6G\n      username: system:node:{{EC2PrivateDNSName}}\n      groups:\n        - system:bootstrappers\n        - system:nodes\n  mapUsers: |\n    - groups:\n      - system:masters\n      userarn: arn:aws:iam::123456789012:user/rex-ray\n      username: rex-ray\n    - groups:\n      - system:masters\n      userarn: arn:aws:iam::123456789012:user/kube-logger\n      username: kube-logger\n    - groups:\n      - view\n      userarn: arn:aws:iam::123456789012:user/heptio-ark\n      username: heptio-ark\n    - groups:\n      - view\n      userarn: arn:aws:iam::123456789012:user/eks-user\n      username: eks-user\nkind: ConfigMap\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjicowan%2Fgroup-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjicowan%2Fgroup-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjicowan%2Fgroup-operator/lists"}