Authentication

    If you want to experiment with kopeio authentication, you can use . However please be aware that kopeio authentication has not yet been formally released, and thus there is not a lot of upstream documentation.

    Alternatively, you can add this block to your cluster:

    For example:

    apiVersion: kops.k8s.io/v1alpha2
    kind: Cluster
    metadata:
      name: cluster.example.com
    spec:
      authentication:
        kopeio: {}
      authorization:

    AWS IAM Authenticator

    For example:

    apiVersion: kops.k8s.io/v1alpha2
    kind: Cluster
    metadata:
    spec:
      authentication:
        aws: {}
      authorization:
        rbac: {}

    If no backendMode is configured, by default the aws-iam-authenticator will require the creation of an AWS IAM authenticator config as a ConfigMap. For more details on AWS IAM authenticator please visit

    Example config using a ConfigMap:

    This requires an aws-iam-authenticator image >= 0.5.0. For more information, see usergroup-mappings.

    authentication:
      aws:
        backendMode: CRD,MountedFile

    When setting the backendMode configuration to CRD, it is possible to provide a list of inline AWS IAM identity mappings in the cluster template.

    • Create a cluster following the
    • When you reach the “Customize Cluster Configuration” section of the guide, modify the cluster spec and add the Authentication and Authorization configs to the YAML config.
    • Optionally set the backendMode: CRD and configure the identityMappings inline.
    • Continue following the cluster creation guide to build the cluster.
      • Warning: when no backendMode is configured (or it is set to MountedFile) and the cluster first comes up, the aws-iam-authenticator pods will be in a bad state, because they are trying to find the aws-iam-authenticator ConfigMap and we have not yet created it.

    If no backendMode is configured, or it is set to MountedFile, the following additional steps are necessary:

    • Once the cluster is up, you’ll need to create an aws-iam-authenticator ConfigMap on the cluster:
        kubectl apply -f aws-iam-authenticator_example-config.yaml
    • Then delete the existing aws-iam-authenticator pods:
        kubectl get pods -n kube-system | grep aws-iam-authenticator | awk '{print $1}' | xargs kubectl delete pod -n kube-system
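
A pre-flight check for the steps above, added here as an example (not code from kops or aws-iam-authenticator): it takes the cluster object as a Python dict and reports whether the ConfigMap step applies, whether inline identityMappings are set without CRD, and which mappings grant system:masters. The sample spec, its ARNs, the `arn`/`groups` sub-field names, and the rule that a combined CRD,MountedFile mode still needs the ConfigMap are assumptions.

```python
# Added example: audit the aws authentication block of a kops cluster spec.
def audit_auth(cluster):
    """Return a list of (code, detail) findings for spec.authentication.aws."""
    spec = cluster.get("spec") or {}
    aws = (spec.get("authentication") or {}).get("aws")
    if aws is None:
        return [("no-aws-auth", "spec.authentication.aws is not set")]
    findings = []
    # backendMode is a comma-separated list, e.g. "CRD,MountedFile".
    raw = aws.get("backendMode") or ""
    modes = [m.strip() for m in raw.split(",") if m.strip()]
    if "rbac" not in (spec.get("authorization") or {}):
        findings.append(("no-rbac", "spec.authorization.rbac is not set"))
    # Unset or MountedFile: the authenticator pods look for the ConfigMap,
    # which must be applied (and the pods deleted) after the cluster is up.
    if not modes or "MountedFile" in modes:
        findings.append(("configmap-required", raw or "backendMode unset"))
    mappings = aws.get("identityMappings") or []
    # Inline mappings are only available with the CRD backend.
    if mappings and "CRD" not in modes:
        findings.append(("mappings-need-crd", raw or "backendMode unset"))
    # Assumed sub-fields: each mapping carries "arn" and "groups".
    for m in mappings:
        if "system:masters" in (m.get("groups") or []):
            findings.append(("cluster-admin-mapping", m.get("arn", "<no arn>")))
    return findings

# Constructed sample spec (placeholder account id and role names).
SAMPLE = {
    "apiVersion": "kops.k8s.io/v1alpha2",
    "kind": "Cluster",
    "metadata": {"name": "cluster.example.com"},
    "spec": {
        "authentication": {"aws": {
            "backendMode": "CRD,MountedFile",
            "identityMappings": [
                {"arn": "arn:aws:iam::111122223333:role/ExampleAdmin",
                 "username": "example-admin", "groups": ["system:masters"]},
                {"arn": "arn:aws:iam::111122223333:role/ExampleViewer",
                 "username": "example-viewer", "groups": ["example:viewers"]},
            ],
        }},
        "authorization": {"rbac": {}},
    },
}

if __name__ == "__main__":
    for code, detail in audit_auth(SAMPLE):
        print(f"{code}: {detail}")
```
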

    Turning on IAM Authenticator on an existing cluster.

    • Create an aws-iam-authenticator ConfigMap on the cluster:
        kubectl apply -f aws-iam-authenticator_example-config.yaml
    • Edit the cluster's configuration and add the Authentication and Authorization configs to the YAML config:
        kops edit cluster ${NAME}
    • Update the cluster's configuration:
        kops update cluster ${CLUSTER_NAME} --yes
    • Temporarily disable the aws-iam-authenticator DaemonSet:
        kubectl patch daemonset -n kube-system aws-iam-authenticator -p '{"spec": {"template": {"spec": {"nodeSelector": {"disable-aws-iam-authenticator": "true"}}}}}'
    • Re-enable the aws-iam-authenticator DaemonSet:
        kubectl patch daemonset -n kube-system aws-iam-authenticator --type json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/disable-aws-iam-authenticator"}]'