fix(eks): fargate profile role not added to aws-auth by the cdk (#8447)

When a Fargate Profile is added to the cluster, we need to make sure the aws-auth config map is updated from within the CDK app. EKS will do that behind the scenes if it's not done manually, but this means that it would be an out-of-band update of the config map and will be overridden by the CDK if the config map is updated manually.

Fixes #7981



----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-eks/lib/fargate-profile.ts

@@ -132,6 +132,12 @@ export class FargateProfile extends Construct implements ITaggable {
   constructor(scope: Construct, id: string, props: FargateProfileProps) {
     super(scope, id);
 
+    // currently the custom resource requires a role to assume when interacting with the cluster
+    // and we only have this role when kubectl is enabled.
+    if (!props.cluster.kubectlEnabled) {
+      throw new Error('adding Faregate Profiles to clusters without kubectl enabled is currently unsupported');
+    }
+
     const provider = ClusterResourceProvider.getOrCreate(this);
 
     const role = props.podExecutionRole ?? new iam.Role(this, 'PodExecutionRole', {
@@ -173,5 +179,16 @@ export class FargateProfile extends Construct implements ITaggable {
 
     this.fargateProfileArn = resource.getAttString('fargateProfileArn');
     this.fargateProfileName = resource.ref;
+
+    // map the fargate pod execution role to the relevant groups in rbac
+    // see https://github.com/aws/aws-cdk/issues/7981
+    props.cluster.awsAuth.addRoleMapping(role, {
+      username: 'system:node:{{SessionName}}',
+      groups: [
+        'system:bootstrappers',
+        'system:nodes',
+        'system:node-proxier',
+      ],
+    });
   }
 }

packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json

@@ -925,6 +925,13 @@
                 ]
               },
               "\\\",\\\"groups\\\":[\\\"system:masters\\\"]},{\\\"rolearn\\\":\\\"",
+              {
+                "Fn::GetAtt": [
+                  "ClusterfargateprofiledefaultPodExecutionRole09952CFF",
+                  "Arn"
+                ]
+              },
+              "\\\",\\\"username\\\":\\\"system:node:{{SessionName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\",\\\"system:node-proxier\\\"]},{\\\"rolearn\\\":\\\"",
               {
                 "Fn::GetAtt": [
                   "ClusterNodesInstanceRoleC3C01328",

packages/@aws-cdk/aws-eks/test/test.fargate.ts

@@ -251,4 +251,46 @@ export = {
     }));
     test.done();
   },
+
+  'fargate role is added to RBAC'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    new eks.FargateCluster(stack, 'FargateCluster');
+
+    // THEN
+    expect(stack).to(haveResource('Custom::AWSCDK-EKS-KubernetesResource', {
+      Manifest: {
+        'Fn::Join': [
+          '',
+          [
+            '[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system"},"data":{"mapRoles":"[{\\"rolearn\\":\\"',
+            {
+              'Fn::GetAtt': [
+                'FargateClusterfargateprofiledefaultPodExecutionRole66F2610E',
+                'Arn',
+              ],
+            },
+            '\\",\\"username\\":\\"system:node:{{SessionName}}\\",\\"groups\\":[\\"system:bootstrappers\\",\\"system:nodes\\",\\"system:node-proxier\\"]}]","mapUsers":"[]","mapAccounts":"[]"}}]',
+          ],
+        ],
+      },
+    }));
+    test.done();
+  },
+
+  'cannot be added to a cluster without kubectl enabled'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+    const cluster = new eks.Cluster(stack, 'MyCluster', { kubectlEnabled: false });
+
+    // WHEN
+    test.throws(() => new eks.FargateProfile(stack, 'MyFargateProfile', {
+      cluster,
+      selectors: [ { namespace: 'default' } ],
+    }), /unsupported/);
+
+    test.done();
+  },
 };