configure all access entries explicitly to avoid duplicate entry when…

… creating pet clusters
zalando-incubator · Sep 20, 2024 · dee8d0b · dee8d0b
1 parent bde2ecf
commit dee8d0b
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
@@ -128,7 +128,7 @@ Resources:
         IpFamily: "{{.Cluster.ConfigItems.eks_ip_family}}"
       AccessConfig:
         AuthenticationMode: API
-        #BootstrapClusterCreatorAdminPermissions: false
+        BootstrapClusterCreatorAdminPermissions: false
       EncryptionConfig:
         - Provider:
             KeyArn: !GetAtt EtcdEncryptionKey.Arn # TODO: maybe use another key for EKS?
@@ -181,6 +181,17 @@ Resources:
       ClusterName: !Ref EKSCluster
       PrincipalArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/{{.Cluster.LocalID}}-worker"
       Type: "EC2_LINUX"
+  EKSAccessEntryClusterLifecycleManagerAuth:
+    Type: "AWS::EKS::AccessEntry"
+    Properties:
+      AccessPolicies:
+      - AccessScope:
+          Type: "cluster"
+        PolicyArn: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+      ClusterName: !Ref EKSCluster
+      PrincipalArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint"
+      Username: !Sub "arn:aws:sts::${AWS::AccountId}:assumed-role/cluster-lifecycle-manager-entrypoint/{{`{{SessionName}}`}}"
+      Type: "STANDARD"
   EKSAccessEntryZalandoIAMAuth:
     Type: "AWS::EKS::AccessEntry"
     Properties: