Class: AWSCDK::EKS::CfnAccessEntryProps
- Inherits:
-
Jsii::Struct
- Object
- Jsii::Struct
- AWSCDK::EKS::CfnAccessEntryProps
- Defined in:
- eks/cfn_access_entry_props.rb
Overview
Properties for defining a CfnAccessEntry.
Instance Attribute Summary collapse
-
#access_policies ⇒ AWSCDK::IResolvable, ...
readonly
The access policies to associate to the access entry.
-
#cluster_name ⇒ String
readonly
The name of your cluster.
-
#kubernetes_groups ⇒ Array<String>?
readonly
The value for
namethat you've specified forkind: Groupas asubjectin a KubernetesRoleBindingorClusterRoleBindingobject. -
#principal_arn ⇒ String
readonly
The ARN of the IAM principal for the
AccessEntry. -
#tags ⇒ Array<AWSCDK::CfnTag>?
readonly
Metadata that assists with categorization and organization.
-
#type ⇒ String?
readonly
The type of the new access entry.
-
#username ⇒ String?
readonly
The username to authenticate to Kubernetes with.
Class Method Summary collapse
Instance Method Summary collapse
-
#initialize(cluster_name:, principal_arn:, access_policies: nil, kubernetes_groups: nil, tags: nil, type: nil, username: nil) ⇒ CfnAccessEntryProps
constructor
A new instance of CfnAccessEntryProps.
- #to_jsii ⇒ Object
Constructor Details
#initialize(cluster_name:, principal_arn:, access_policies: nil, kubernetes_groups: nil, tags: nil, type: nil, username: nil) ⇒ CfnAccessEntryProps
Returns a new instance of CfnAccessEntryProps.
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# File 'eks/cfn_access_entry_props.rb', line 16 def initialize(cluster_name:, principal_arn:, access_policies: nil, kubernetes_groups: nil, tags: nil, type: nil, username: nil) @cluster_name = cluster_name Jsii::Type.check_type(@cluster_name, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "clusterName") @principal_arn = principal_arn Jsii::Type.check_type(@principal_arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "principalArn") @access_policies = access_policies Jsii::Type.check_type(@access_policies, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfZWtzLkNmbkFjY2Vzc0VudHJ5LkFjY2Vzc1BvbGljeVByb3BlcnR5In1dfX0sImtpbmQiOiJhcnJheSJ9fV19fQ==")), "accessPolicies") unless @access_policies.nil? @kubernetes_groups = kubernetes_groups Jsii::Type.check_type(@kubernetes_groups, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "kubernetesGroups") unless @kubernetes_groups.nil? @tags = .is_a?(Array) ? .map { |jsii_v0| jsii_v0.is_a?(Hash) ? ::AWSCDK::CfnTag.new(**jsii_v0.transform_keys(&:to_sym)) : jsii_v0 } : Jsii::Type.check_type(@tags, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7ImZxbiI6ImF3cy1jZGstbGliLkNmblRhZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "tags") unless @tags.nil? @type = type Jsii::Type.check_type(@type, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "type") unless @type.nil? @username = username Jsii::Type.check_type(@username, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "username") unless @username.nil? end |
Instance Attribute Details
#access_policies ⇒ AWSCDK::IResolvable, ... (readonly)
The access policies to associate to the access entry.
53 54 55 |
# File 'eks/cfn_access_entry_props.rb', line 53 def access_policies @access_policies end |
#cluster_name ⇒ String (readonly)
The name of your cluster.
37 38 39 |
# File 'eks/cfn_access_entry_props.rb', line 37 def cluster_name @cluster_name end |
#kubernetes_groups ⇒ Array<String>? (readonly)
The value for name that you've specified for kind: Group as a subject in a Kubernetes RoleBinding or ClusterRoleBinding object.
Amazon EKS doesn't confirm that the value for name exists in any bindings on your cluster. You can specify one or more names.
Kubernetes authorizes the principal_arn of the access entry to access any cluster objects that you've specified in a Kubernetes Role or ClusterRole object that is also specified in a binding's role_ref . For more information about creating Kubernetes RoleBinding , ClusterRoleBinding , Role , or ClusterRole objects, see Using RBAC Authorization in the Kubernetes documentation .
If you want Amazon EKS to authorize the principal_arn (instead of, or in addition to Kubernetes authorizing the principal_arn ), you can associate one or more access policies to the access entry using AssociateAccessPolicy . If you associate any access policies, the principal_arn has all permissions assigned in the associated access policies and all permissions in any Kubernetes Role or ClusterRole objects that the group names are bound to.
64 65 66 |
# File 'eks/cfn_access_entry_props.rb', line 64 def kubernetes_groups @kubernetes_groups end |
#principal_arn ⇒ String (readonly)
The ARN of the IAM principal for the AccessEntry .
You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.
The valid principals differ depending on the type of the access entry in the type field. For STANDARD access entries, you can use every IAM principal type. For nodes ( EC2 (for EKS Auto Mode), EC2_LINUX , EC2_WINDOWS , FARGATE_LINUX , and HYBRID_LINUX ), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.
IAM best practices recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.
48 49 50 |
# File 'eks/cfn_access_entry_props.rb', line 48 def principal_arn @principal_arn end |
#tags ⇒ Array<AWSCDK::CfnTag>? (readonly)
Metadata that assists with categorization and organization.
Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or AWS resources.
71 72 73 |
# File 'eks/cfn_access_entry_props.rb', line 71 def @tags end |
#type ⇒ String? (readonly)
The type of the new access entry.
Valid values are STANDARD , FARGATE_LINUX , EC2_LINUX , EC2_WINDOWS , EC2 (for EKS Auto Mode), HYBRID_LINUX , and HYPERPOD_LINUX .
If the principal_arn is for an IAM role that's used for self-managed Amazon EC2 nodes, specify EC2_LINUX or EC2_WINDOWS . Amazon EKS grants the necessary permissions to the node for you. If the principal_arn is for any other purpose, specify STANDARD . If you don't specify a value, Amazon EKS sets the value to STANDARD . If you have the access mode of the cluster set to API_AND_CONFIG_MAP , it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the aws-auth ConfigMap for the roles. You can't change this value once you've created the access entry.
If you set the value to EC2_LINUX or EC2_WINDOWS , you can't specify values for kubernetes_groups , or associate an AccessPolicy to the access entry.
82 83 84 |
# File 'eks/cfn_access_entry_props.rb', line 82 def type @type end |
#username ⇒ String? (readonly)
The username to authenticate to Kubernetes with.
We recommend not specifying a username and letting Amazon EKS specify it for you. For more information about the value Amazon EKS specifies for you, or constraints before specifying your own username, see Creating access entries in the Amazon EKS User Guide .
89 90 91 |
# File 'eks/cfn_access_entry_props.rb', line 89 def username @username end |
Class Method Details
.jsii_properties ⇒ Object
91 92 93 94 95 96 97 98 99 100 101 |
# File 'eks/cfn_access_entry_props.rb', line 91 def self.jsii_properties { :cluster_name => "clusterName", :principal_arn => "principalArn", :access_policies => "accessPolicies", :kubernetes_groups => "kubernetesGroups", :tags => "tags", :type => "type", :username => "username", } end |
Instance Method Details
#to_jsii ⇒ Object
103 104 105 106 107 108 109 110 111 112 113 114 115 |
# File 'eks/cfn_access_entry_props.rb', line 103 def to_jsii result = {} result.merge!({ "clusterName" => @cluster_name, "principalArn" => @principal_arn, "accessPolicies" => @access_policies, "kubernetesGroups" => @kubernetes_groups, "tags" => @tags, "type" => @type, "username" => @username, }) result.compact end |