Adds support for reconciling EKS AccessEntries

joshfrench · joshfrench · commit cda17872f5cc · 2025-09-02T15:59:56.000-04:00
diff --git a/pkg/cloud/services/eks/accessentry.go b/pkg/cloud/services/eks/accessentry.go
@@ -0,0 +1,271 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package eks
+
+import (
+	"context"
+	"slices"
+
+	"github.com/aws/aws-sdk-go-v2/service/eks"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
+	"github.com/pkg/errors"
+
+	ekscontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/eks/api/v1beta2"
+	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/record"
+)
+
+func (s *Service) reconcileAccessEntries(ctx context.Context) error {
+	if s.scope.ControlPlane.Spec.AccessConfig == nil || len(s.scope.ControlPlane.Spec.AccessConfig.AccessEntries) == 0 {
+		s.scope.Info("no access entries defined, skipping reconcile")
+		return nil
+	}
+
+	existingAccessEntries, err := s.getExistingAccessEntries(ctx)
+	if err != nil {
+		return errors.Wrap(err, "failed to list existing access entries")
+	}
+
+	for _, accessEntry := range s.scope.ControlPlane.Spec.AccessConfig.AccessEntries {
+		if _, exists := existingAccessEntries[accessEntry.PrincipalARN]; exists {
+			if err := s.updateAccessEntry(ctx, accessEntry); err != nil {
+				return errors.Wrapf(err, "failed to update access entry for principal %s", accessEntry.PrincipalARN)
+			}
+			delete(existingAccessEntries, accessEntry.PrincipalARN)
+		} else {
+			if err := s.createAccessEntry(ctx, accessEntry); err != nil {
+				return errors.Wrapf(err, "failed to create access entry for principal %s", accessEntry.PrincipalARN)
+			}
+		}
+	}
+
+	for principalArn := range existingAccessEntries {
+		if err := s.deleteAccessEntry(ctx, principalArn); err != nil {
+			return errors.Wrapf(err, "failed to delete access entry for principal %s", principalArn)
+		}
+	}
+
+	record.Event(s.scope.ControlPlane, "SuccessfulReconcileAccessEntries", "Reconciled access entries")
+	return nil
+}
+
+func (s *Service) getExistingAccessEntries(ctx context.Context) (map[string]bool, error) {
+	existingAccessEntries := make(map[string]bool)
+	var nextToken *string
+
+	clusterName := s.scope.KubernetesClusterName()
+	for {
+		input := &eks.ListAccessEntriesInput{
+			ClusterName: &clusterName,
+			NextToken:   nextToken,
+		}
+
+		output, err := s.EKSClient.ListAccessEntries(ctx, input)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to list access entries")
+		}
+
+		for _, principalArn := range output.AccessEntries {
+			existingAccessEntries[principalArn] = true
+		}
+
+		if output.NextToken == nil {
+			break
+		}
+
+		nextToken = output.NextToken
+	}
+
+	return existingAccessEntries, nil
+}
+
+func (s *Service) createAccessEntry(ctx context.Context, accessEntry ekscontrolplanev1.AccessEntry) error {
+	clusterName := s.scope.KubernetesClusterName()
+	createInput := &eks.CreateAccessEntryInput{
+		ClusterName:  &clusterName,
+		PrincipalArn: &accessEntry.PrincipalARN,
+	}
+
+	if len(accessEntry.KubernetesGroups) > 0 {
+		createInput.KubernetesGroups = accessEntry.KubernetesGroups
+	}
+
+	if accessEntry.Type != "" {
+		createInput.Type = &accessEntry.Type
+	}
+
+	if accessEntry.Username != "" {
+		createInput.Username = &accessEntry.Username
+	}
+
+	if _, err := s.EKSClient.CreateAccessEntry(ctx, createInput); err != nil {
+		return errors.Wrapf(err, "failed to create access entry for principal %s", accessEntry.PrincipalARN)
+	}
+
+	if err := s.reconcileAccessPolicies(ctx, accessEntry); err != nil {
+		return errors.Wrapf(err, "failed to reconcile access policies for principal %s", accessEntry.PrincipalARN)
+	}
+
+	return nil
+}
+
+func (s *Service) updateAccessEntry(ctx context.Context, accessEntry ekscontrolplanev1.AccessEntry) error {
+	clusterName := s.scope.KubernetesClusterName()
+	describeInput := &eks.DescribeAccessEntryInput{
+		ClusterName:  &clusterName,
+		PrincipalArn: &accessEntry.PrincipalARN,
+	}
+
+	describeOutput, err := s.EKSClient.DescribeAccessEntry(ctx, describeInput)
+	if err != nil {
+		return errors.Wrapf(err, "failed to describe access entry for principal %s", accessEntry.PrincipalARN)
+	}
+
+	// EKS requires recreate when changing type
+	if accessEntry.Type != *describeOutput.AccessEntry.Type {
+		if err = s.deleteAccessEntry(ctx, accessEntry.PrincipalARN); err != nil {
+			return errors.Wrapf(err, "failed to delete access entry for principal %s during recreation", accessEntry.PrincipalARN)
+		}
+
+		if err = s.createAccessEntry(ctx, accessEntry); err != nil {
+			return errors.Wrapf(err, "failed to recreate access entry for principal %s", accessEntry.PrincipalARN)
+		}
+		return nil
+	}
+
+	slices.Sort(accessEntry.KubernetesGroups)
+	slices.Sort(describeOutput.AccessEntry.KubernetesGroups)
+
+	updateInput := &eks.UpdateAccessEntryInput{
+		ClusterName:  &clusterName,
+		PrincipalArn: &accessEntry.PrincipalARN,
+	}
+
+	needsUpdate := false
+
+	if accessEntry.Username != *describeOutput.AccessEntry.Username {
+		updateInput.Username = &accessEntry.Username
+		needsUpdate = true
+	}
+
+	if !slices.Equal(accessEntry.KubernetesGroups, describeOutput.AccessEntry.KubernetesGroups) {
+		updateInput.KubernetesGroups = accessEntry.KubernetesGroups
+		needsUpdate = true
+	}
+
+	if needsUpdate {
+		if _, err := s.EKSClient.UpdateAccessEntry(ctx, updateInput); err != nil {
+			return errors.Wrapf(err, "failed to update access entry for principal %s", accessEntry.PrincipalARN)
+		}
+	}
+
+	if err := s.reconcileAccessPolicies(ctx, accessEntry); err != nil {
+		return errors.Wrapf(err, "failed to reconcile access policies for principal %s", accessEntry.PrincipalARN)
+	}
+
+	return nil
+}
+
+func (s *Service) deleteAccessEntry(ctx context.Context, principalArn string) error {
+	clusterName := s.scope.KubernetesClusterName()
+
+	if _, err := s.EKSClient.DeleteAccessEntry(ctx, &eks.DeleteAccessEntryInput{
+		ClusterName:  &clusterName,
+		PrincipalArn: &principalArn,
+	}); err != nil {
+		return errors.Wrapf(err, "failed to delete access entry for principal %s", principalArn)
+	}
+
+	return nil
+}
+
+func (s *Service) reconcileAccessPolicies(ctx context.Context, accessEntry ekscontrolplanev1.AccessEntry) error {
+	if accessEntry.Type == "EC2_LINUX" || accessEntry.Type == "EC2_WINDOWS" {
+		s.scope.Info("Skipping access policy reconciliation for EC2 access type", "principalARN", accessEntry.PrincipalARN)
+		return nil
+	}
+
+	existingPolicies, err := s.getExistingAccessPolicies(ctx, accessEntry.PrincipalARN)
+	if err != nil {
+		return errors.Wrapf(err, "failed to get existing access policies for principal %s", accessEntry.PrincipalARN)
+	}
+
+	clusterName := s.scope.KubernetesClusterName()
+
+	for _, policy := range accessEntry.AccessPolicies {
+		input := &eks.AssociateAccessPolicyInput{
+			ClusterName:  &clusterName,
+			PrincipalArn: &accessEntry.PrincipalARN,
+			PolicyArn:    &policy.PolicyARN,
+			AccessScope: &ekstypes.AccessScope{
+				Type: ekstypes.AccessScopeType(policy.AccessScope.Type),
+			},
+		}
+
+		if policy.AccessScope.Type == "namespace" && len(policy.AccessScope.Namespaces) > 0 {
+			input.AccessScope.Namespaces = policy.AccessScope.Namespaces
+		}
+
+		if _, err := s.EKSClient.AssociateAccessPolicy(ctx, input); err != nil {
+			return errors.Wrapf(err, "failed to associate access policy %s", policy.PolicyARN)
+		}
+
+		delete(existingPolicies, policy.PolicyARN)
+	}
+
+	for policyARN := range existingPolicies {
+		if _, err := s.EKSClient.DisassociateAccessPolicy(ctx, &eks.DisassociateAccessPolicyInput{
+			ClusterName:  &clusterName,
+			PrincipalArn: &accessEntry.PrincipalARN,
+			PolicyArn:    &policyARN,
+		}); err != nil {
+			return errors.Wrapf(err, "failed to disassociate access policy %s", policyARN)
+		}
+	}
+
+	return nil
+}
+
+func (s *Service) getExistingAccessPolicies(ctx context.Context, principalARN string) (map[string]ekstypes.AssociatedAccessPolicy, error) {
+	existingPolicies := map[string]ekstypes.AssociatedAccessPolicy{}
+	var nextToken *string
+	clusterName := s.scope.KubernetesClusterName()
+
+	for {
+		input := &eks.ListAssociatedAccessPoliciesInput{
+			ClusterName:  &clusterName,
+			PrincipalArn: &principalARN,
+			NextToken:    nextToken,
+		}
+
+		output, err := s.EKSClient.ListAssociatedAccessPolicies(ctx, input)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to list associated access policies for principal %s", principalARN)
+		}
+
+		for _, policy := range output.AssociatedAccessPolicies {
+			existingPolicies[*policy.PolicyArn] = policy
+		}
+
+		if output.NextToken == nil {
+			break
+		}
+
+		nextToken = output.NextToken
+	}
+
+	return existingPolicies, nil
+}
diff --git a/pkg/cloud/services/eks/cluster.go b/pkg/cloud/services/eks/cluster.go
@@ -606,6 +606,13 @@ func (s *Service) reconcileAccessConfig(ctx context.Context, accessConfig *eksty
 		}
 	}
 
+	if expectedAuthenticationMode == string(ekscontrolplanev1.EKSAuthenticationModeAPI) ||
+		expectedAuthenticationMode == string(ekscontrolplanev1.EKSAuthenticationModeAPIAndConfigMap) {
+		if err := s.reconcileAccessEntries(ctx); err != nil {
+			return errors.Wrap(err, "failed to reconcile access entries")
+		}
+	}
+
 	return nil
 }
 
diff --git a/pkg/cloud/services/eks/service.go b/pkg/cloud/services/eks/service.go
@@ -62,6 +62,14 @@ type EKSAPI interface {
 	TagResource(ctx context.Context, params *eks.TagResourceInput, optFns ...func(*eks.Options)) (*eks.TagResourceOutput, error)
 	UntagResource(ctx context.Context, params *eks.UntagResourceInput, optFns ...func(*eks.Options)) (*eks.UntagResourceOutput, error)
 	DisassociateIdentityProviderConfig(ctx context.Context, params *eks.DisassociateIdentityProviderConfigInput, optFns ...func(*eks.Options)) (*eks.DisassociateIdentityProviderConfigOutput, error)
+	ListAccessEntries(ctx context.Context, params *eks.ListAccessEntriesInput, optFns ...func(*eks.Options)) (*eks.ListAccessEntriesOutput, error)
+	DescribeAccessEntry(ctx context.Context, params *eks.DescribeAccessEntryInput, optFns ...func(*eks.Options)) (*eks.DescribeAccessEntryOutput, error)
+	CreateAccessEntry(ctx context.Context, params *eks.CreateAccessEntryInput, optFns ...func(*eks.Options)) (*eks.CreateAccessEntryOutput, error)
+	UpdateAccessEntry(ctx context.Context, params *eks.UpdateAccessEntryInput, optFns ...func(*eks.Options)) (*eks.UpdateAccessEntryOutput, error)
+	DeleteAccessEntry(ctx context.Context, params *eks.DeleteAccessEntryInput, optFns ...func(*eks.Options)) (*eks.DeleteAccessEntryOutput, error)
+	ListAssociatedAccessPolicies(ctx context.Context, params *eks.ListAssociatedAccessPoliciesInput, optFns ...func(*eks.Options)) (*eks.ListAssociatedAccessPoliciesOutput, error)
+	AssociateAccessPolicy(ctx context.Context, params *eks.AssociateAccessPolicyInput, optFns ...func(*eks.Options)) (*eks.AssociateAccessPolicyOutput, error)
+	DisassociateAccessPolicy(ctx context.Context, params *eks.DisassociateAccessPolicyInput, optFns ...func(*eks.Options)) (*eks.DisassociateAccessPolicyOutput, error)
 
 	// Waiters for EKS Cluster
 	WaitUntilClusterActive(ctx context.Context, params *eks.DescribeClusterInput, maxWait time.Duration) error

Original file line number	Diff line number	Diff line change
`@@ -606,6 +606,13 @@ func (s Service) reconcileAccessConfig(ctx context.Context, accessConfig eksty`
`606`	`606`	`}`
`607`	`607`	`}`
`608`	`608`
	`609`	`+ if expectedAuthenticationMode == string(ekscontrolplanev1.EKSAuthenticationModeAPI) \|\|`
	`610`	`+ expectedAuthenticationMode == string(ekscontrolplanev1.EKSAuthenticationModeAPIAndConfigMap) {`
	`611`	`+ if err := s.reconcileAccessEntries(ctx); err != nil {`
	`612`	`+ return errors.Wrap(err, "failed to reconcile access entries")`
	`613`	`+ }`
	`614`	`+ }`
	`615`	`+`
`609`	`616`	`return nil`
`610`	`617`	`}`
`611`	`618`