Merge pull request #317 from otterley/update-configmap-doc

Update examples/README
kubernetes-sigs · May 18, 2020 · 2a7c4a5 · 2a7c4a5
2 parents 6e9918f + 265fbfa
commit 2a7c4a5
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -397,7 +397,10 @@ server:
   # each mapRoles entry maps an IAM role to a username and set of groups
   # Each username and group can optionally contain template parameters:
   #  1) "{{AccountID}}" is the 12 digit AWS ID.
-  #  2) "{{SessionName}}" is the role session name.
+  #  2) "{{SessionName}}" is the role session name, with `@` characters
+  #     transliterated to `-` characters.
+  #  3) "{{SessionNameRaw}}" is the role session name, without character
+  #     transliteration (available in version >= 0.5).
   mapRoles:
   # statically map arn:aws:iam::000000000000:role/KubernetesAdmin to cluster admin
   - roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
@@ -437,6 +440,17 @@ server:
     groups:
     - system:masters
 
+  # map federated users in my "KubernetesOtherAdmin" role to users like
+  # "alice-example.com". The SessionName is an arbitrary role name
+  # like an e-mail address passed by the identity provider. Note that if this
+  # role is assumed directly by an IAM User (not via federation), the user
+  # can control the SessionName.  Note that the "{{SessionName}}" macro is
+  # quoted to ensure it is properly parsed as a string.
+  - roleARN: arn:aws:iam::000000000000:role/KubernetesOtherAdmin
+    username: "{{SessionName}}"
+    groups:
+    - system:masters
+
   # each mapUsers entry maps an IAM role to a static username and set of groups
   mapUsers:
   # map user IAM user Alice in 000000000000 to user "alice" in group "system:masters"

diff --git a/deploy/example.yaml b/deploy/example.yaml
@@ -86,7 +86,10 @@ data:
       # each mapRoles entry maps an IAM role to a username and set of groups
       # Each username and group can optionally contain template parameters:
       #  1) "{{AccountID}}" is the 12 digit AWS ID.
-      #  2) "{{SessionName}}" is the role session name.
+      #  2) "{{SessionName}}" is the role session name, with `@` characters
+      #     transliterated to `-` characters.
+      #  3) "{{SessionNameRaw}}" is the role session name, without character
+      #     transliteration (available in version >= 0.5).
       mapRoles:
       # statically map arn:aws:iam::000000000000:role/KubernetesAdmin to a cluster admin
       - roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
@@ -112,6 +115,16 @@ data:
         username: admin:{{SessionName}}
         groups:
         - system:masters
+      # map federated users in my "KubernetesOtherAdmin" role to users like
+      # "alice-example.com". The SessionName is an arbitrary role name
+      # like an e-mail address passed by the identity provider. Note that if this
+      # role is assumed directly by an IAM User (not via federation), the user
+      # can control the SessionName.  Note that the "{{SessionName}}" macro is
+      # quoted to ensure it is properly parsed as a string.
+      - roleARN: arn:aws:iam::000000000000:role/KubernetesOtherAdmin
+        username: "{{SessionName}}"
+        groups:
+        - system:masters
       # map federated users in my "KubernetesUsers" role to users like
       # "[email protected]". SessionNameRaw is sourced from the same place as
       # SessionName with the distinction that no transformation is performed
@@ -210,4 +223,3 @@ spec:
       - name: state
         hostPath:
           path: /var/aws-iam-authenticator/
-