Releasing IAM EKS User Mapper in open-source

I'm super excited to share something amazing our team at Qovery has been cooking up lately: the IAM EKS User Mapper. This isn't just any tool – it's our answer to a problem we know so many of you face: managing AWS IAM user access to Kubernetes clusters efficiently and securely. It's open-source and available to everyone now on GitHub.
September 26, 2025
Benjamin Chastanier
Software Engineer

So, why did we decide to build this? Well, at Qovery, we saw how tedious and error-prone it can be to manually handle cluster access. We thought, "There's got to be a better way!" And thus, the IAM EKS User Mapper was born, crafted with love in Rust 🦀. Why Rust, you ask? It's simple: for its unparalleled performance and reliability. We wanted a tool as robust and dependable as your needs.

Diagram on how "IAM EKS User Mapper" works

Here’s a sneak peek into what makes this tool a must-have:

  1. Group Users Sync: Say goodbye to the hassle of manually updating access rights. This feature automatically syncs IAM users from groups directly into your Kubernetes cluster’s aws-auth configmap. It's all about making your life easier.
  2. SSO Support: We know how crucial SSO is for secure and efficient access management. That’s why our tool supports SSO roles in the aws-auth configmap, making it a breeze for users to connect to the cluster.
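The group sync described in item 1, reduced to its reconcile step, as an added example that is not taken from the IAM EKS User Mapper source. It assumes the sync remembers which ARNs it wrote last time (`managed`); the account ID, user names, and group names are constructed.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One entry of the `mapUsers` list in the aws-auth ConfigMap.
#[derive(Debug, Clone, PartialEq)]
struct MapUser { userarn: String, username: String, groups: BTreeSet<String> }

/// Desired entries: one per IAM user, carrying the union of the Kubernetes
/// groups of every synced IAM group that user belongs to.
fn desired(members: &BTreeMap<&str, Vec<&str>>, // IAM group -> member user ARNs
           group_map: &BTreeMap<&str, &str>)    // IAM group -> Kubernetes group
           -> BTreeMap<String, MapUser> {
    let mut out: BTreeMap<String, MapUser> = BTreeMap::new();
    for (iam_group, k8s_group) in group_map {
        for &arn in members.get(iam_group).into_iter().flatten() {
            let username = arn.rsplit('/').next().unwrap_or(arn).to_string();
            out.entry(arn.to_string())
                .or_insert_with(|| MapUser { userarn: arn.to_string(), username, groups: BTreeSet::new() })
                .groups.insert(k8s_group.to_string());
        }
    }
    out
}

/// Entries written by the previous sync (`managed`, an assumed piece of state) are
/// replaced or dropped, so leaving an IAM group revokes access; manual entries stay.
fn reconcile(current: &[MapUser], managed: &BTreeSet<String>, want: &BTreeMap<String, MapUser>) -> Vec<MapUser> {
    let mut out: Vec<MapUser> = current.iter()
        .filter(|u| !managed.contains(&u.userarn) && !want.contains_key(&u.userarn))
        .cloned().collect();
    out.extend(want.values().cloned());
    out
}

/// Constructed sample: bob was synced earlier but has left every group,
/// carol was added by hand, alice is in both synced IAM groups.
fn demo() -> Vec<MapUser> {
    let arn_of = |n: &str| format!("arn:aws:iam::111122223333:user/{}", n);
    let (alice, bob, carol) = (arn_of("alice"), arn_of("bob"), arn_of("carol"));
    let entry = |a: &String, g: &str| MapUser { userarn: a.clone(),
        username: a.rsplit('/').next().unwrap().to_string(), groups: BTreeSet::from([g.to_string()]) };
    let current = vec![entry(&bob, "developers"), entry(&carol, "viewers")];
    let members = BTreeMap::from([("Admins", vec![alice.as_str()]), ("Developers", vec![alice.as_str()])]);
    let group_map = BTreeMap::from([("Admins", "system:masters"), ("Developers", "developers")]);
    let managed = BTreeSet::from([bob.clone()]);
    reconcile(&current, &managed, &desired(&members, &group_map))
}

fn main() {
    for u in demo() { println!("- userarn: {}\n  username: {}\n  groups: {:?}", u.userarn, u.username, u.groups); }
}
```

Any IAM group mapped to `system:masters` grants cluster-admin to every member, so that group's membership becomes the control to review.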

By open-sourcing the IAM EKS User Mapper, we’re inviting you to join in, contribute, and help shape the future of Kubernetes access management. Whether you're bug hunting, suggesting new features, or coding up a storm, we’re here for it and appreciate your input.

We’d love to hear from you. How do you currently handle Kubernetes cluster access? Any challenges or tips you'd like to share? Your experiences and feedback are gold to us. Please use this Reddit thread or open an issue on GitHub if you want to share your experience.

In a nutshell, the IAM EKS User Mapper is our way of making Kubernetes management a little less stressful and a lot more secure. We can’t wait to see how you use it and make it even better.

Repository: IAM EKS User Mapper Repository
