The mutation admission controller will inject the AWS SIGv4 Proxy as a sidecar into a pod if there are annotations specified in a container's deployment.yaml file or specific namespace labels.
A helm chart exists to deploy all the resources needed to use the admission controller here: https://github.com/aws/eks-charts/tree/master/stable/aws-sigv4-proxy-admission-controller/.
Add the EKS repository to Helm:
helm repo add eks https://aws.github.io/eks-charts
Install the AWS SIGv4 Admission Controller chart with default configuration:
helm install aws-sigv4-proxy-admission-controller eks/aws-sigv4-proxy-admission-controller --namespace <namespace>
To uninstall/delete the aws-sigv4-proxy-admission-controller
release:
helm uninstall aws-sigv4-proxy-admission-controller --namespace <namespace>
If you wish to build the image on your own, change the variables in Makefile for your image repo, image name, and tag.
Build and push image
make all
Build image
make build-image
Push image
make push-image
Run tests
make test
You can override the admission controller image and other parameters in the admission controller helm chart.
For each row in the chart below, you only need either the annotation or namespace label.
Annotation | Namespace Label | Required |
---|---|---|
sidecar.aws.signing-proxy/inject: true |
sidecar-inject=true |
✔ |
sidecar.aws.signing-proxy/host: <AWS_SIGV4_PROXY_HOST> |
sidecar-host=<AWS_SIGV4_PROXY_HOST> |
✔ |
sidecar.aws.signing-proxy/name: <AWS_SIGV4_PROXY_NAME> |
sidecar-host=<AWS_SIGV4_PROXY_NAME> |
|
sidecar.aws.signing-proxy/region: <AWS_SIGV4_PROXY_REGION> |
sidecar-host=<AWS_SIGV4_PROXY_REGION> |
|
sidecar.aws.signing-proxy/role-arn: <AWS_SIGV4_PROXY_ROLE_ARN> |
sidecar-role-arn=<AWS_SIGV4_PROXY_ROLE_ARN> |
|
sidecar.aws.signing-proxy/unsigned-payload: <AWS_SIGV4_PROXY_UNSIGNED_PAYLOAD> |
unsigned-payload=<AWS_SIGV4_PROXY_UNSIGNED_PAYLOAD> |
|
sidecar.aws.signing-proxy/upstream-url-scheme: <AWS_SIGV4_PROXY_UPSTREAM_URL_SCHEME> |
upstream-url-scheme=<AWS_SIGV4_PROXY_UPSTREAM_URL_SCHEME> |
For more information on the above annotations / namespace labels, please refer to the documentation in the AWS SIGv4 Proxy repository.
apiVersion: apps/v1
kind: Deployment
metadata:
name: sleep
namespace: sidecar
spec:
replicas: 1
selector:
matchLabels:
app: sleep
template:
metadata:
annotations:
sidecar.aws.signing-proxy/inject: "true"
sidecar.aws.signing-proxy/host: "aps.us-west-2.amazonaws.com"
sidecar.aws.signing-proxy/name: "aps"
sidecar.aws.signing-proxy/region: "us-west-2"
sidecar.aws.signing-proxy/role-arn: "arn:aws:iam::123456789:role/assume-role"
sidecar.aws.signing-proxy/unsigned-payload: "false"
labels:
app: sleep
spec:
containers:
- name: sleep
image: tutum/curl
command: ["/bin/sleep","infinity"]
imagePullPolicy: IfNotPresent
To see the AWS SIGv4 Proxy installed as a sidecar in this deployment: save the above lines as a yaml file, make sure the admission controller helm chart is installed in your Kubernetes cluster, and run the following:
kubectl create namespace sidecar
kubectl create -f test-deploy.yaml
kubectl get pod -n sidecar
2 pods should be visible within the sleep pod.
See CONTRIBUTING for more information.
This project is licensed under the Apache-2.0 License.