diff --git a/lib/integrations/awsoidc/eks_enroll_clusters.go b/lib/integrations/awsoidc/eks_enroll_clusters.go index f5d5afacf71e6..e23a3c3ee7799 100644 --- a/lib/integrations/awsoidc/eks_enroll_clusters.go +++ b/lib/integrations/awsoidc/eks_enroll_clusters.go @@ -25,6 +25,7 @@ import ( "log/slog" "net/http" "net/url" + "slices" "strings" "sync" "time" @@ -334,6 +335,16 @@ func enrollEKSCluster(ctx context.Context, log *slog.Logger, clock clockwork.Clo return "", trace.AccessDenied(`can't enroll %q because it is not accessible from Teleport Cloud, please enable endpoint public access in your EKS cluster and try again.`, clusterName) } + // When clusters are using CONFIG_MAP, API is not acessible and thus Teleport can't install the Teleport's Helm chart. + // You can read more about the Authentication Modes here: https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/ + allowedAuthModes := []eksTypes.AuthenticationMode{ + eksTypes.AuthenticationModeApi, + eksTypes.AuthenticationModeApiAndConfigMap, + } + if !slices.Contains(allowedAuthModes, eksCluster.AccessConfig.AuthenticationMode) { + return "", trace.BadParameter("can't enroll %q because its access config's authentication mode is %q, only %v are supported", clusterName, eksCluster.AccessConfig.AuthenticationMode, allowedAuthModes) + } + principalArn, err := getAccessEntryPrincipalArn(ctx, clt.GetCallerIdentity) if err != nil { return "", trace.Wrap(err) diff --git a/lib/integrations/awsoidc/eks_enroll_clusters_test.go b/lib/integrations/awsoidc/eks_enroll_clusters_test.go index f6f92e76d914d..6c1cb6996239a 100644 --- a/lib/integrations/awsoidc/eks_enroll_clusters_test.go +++ b/lib/integrations/awsoidc/eks_enroll_clusters_test.go @@ -99,6 +99,9 @@ func TestEnrollEKSClusters(t *testing.T) { Tags: map[string]string{"label1": "value1"}, CertificateAuthority: &eksTypes.Certificate{Data: aws.String(testCAData)}, Status: eksTypes.ClusterStatusActive, + AccessConfig: &eksTypes.AccessConfigResponse{ + AuthenticationMode: eksTypes.AuthenticationModeApiAndConfigMap, + }, }, { Name: aws.String("EKS2"), @@ -109,6 +112,9 @@ func TestEnrollEKSClusters(t *testing.T) { Tags: map[string]string{"label2": "value2"}, CertificateAuthority: &eksTypes.Certificate{Data: aws.String(testCAData)}, Status: eksTypes.ClusterStatusActive, + AccessConfig: &eksTypes.AccessConfigResponse{ + AuthenticationMode: eksTypes.AuthenticationModeApiAndConfigMap, + }, }, } @@ -238,6 +244,29 @@ func TestEnrollEKSClusters(t *testing.T) { `can't enroll EKS cluster "EKS1" - expected "ACTIVE" state, got "PENDING".`) }, }, + { + name: "cluster with CONFIG_MAP authentication mode is not enrolled", + enrollClient: baseClient, + eksClusters: []eksTypes.Cluster{ + { + Name: aws.String("EKS1"), + Arn: aws.String(clustersBaseArn + "1"), + Tags: map[string]string{"label1": "value1"}, + CertificateAuthority: &eksTypes.Certificate{Data: aws.String(testCAData)}, + Status: eksTypes.ClusterStatusActive, + AccessConfig: &eksTypes.AccessConfigResponse{ + AuthenticationMode: eksTypes.AuthenticationModeConfigMap, + }, + }, + }, + request: baseRequest, + requestClusterNames: []string{"EKS1"}, + responseCheck: func(t *testing.T, response *EnrollEKSClusterResponse) { + require.Len(t, response.Results, 1) + require.ErrorContains(t, response.Results[0].Error, + `can't enroll "EKS1" because its access config's authentication mode is "CONFIG_MAP", only [API API_AND_CONFIG_MAP] are supported`) + }, + }, { name: "private cluster in cloud is not enrolled", enrollClient: baseClient, @@ -251,6 +280,9 @@ func TestEnrollEKSClusters(t *testing.T) { Tags: map[string]string{"label3": "value3"}, CertificateAuthority: &eksTypes.Certificate{Data: aws.String(testCAData)}, Status: eksTypes.ClusterStatusActive, + AccessConfig: &eksTypes.AccessConfigResponse{ + AuthenticationMode: eksTypes.AuthenticationModeApiAndConfigMap, + }, }, }, request: EnrollEKSClustersRequest{ @@ -280,6 +312,9 @@ func TestEnrollEKSClusters(t *testing.T) { Tags: map[string]string{"label3": "value3"}, CertificateAuthority: &eksTypes.Certificate{Data: aws.String(testCAData)}, Status: eksTypes.ClusterStatusActive, + AccessConfig: &eksTypes.AccessConfigResponse{ + AuthenticationMode: eksTypes.AuthenticationModeApiAndConfigMap, + }, }, }, request: EnrollEKSClustersRequest{