Add a new template variable {{EC2PrivateDNSName}} that looks up priva…

…te DNS

- kubelet reports itself as system:node:<aws-private-dns>
- modifies authenticator to be able to discover an ec2 instance's private dns
  and use it for the node name when {{EC2PrivateDNSName}} is used in the
  template username
- allows a role to be specified in the config file to assume for the describe
  instances call, in case it is in a separate account.

Signed-off-by: Nick Turner <nic@amazon.com>

README.md

@@ -173,6 +173,9 @@ server:
   # output `path` where a generated webhook kubeconfig will be stored.
   generateKubeconfig: /etc/kubernetes/heptio-authenticator-aws.kubeconfig # (default)
 
+  # role to assume before querying EC2 API in order to discover metadata like EC2 private DNS Name
+  defaultEC2DescribeInstancesRoleARN: arn:aws:iam::000000000000:role/DescribeInstancesRole
+
   # each mapRoles entry maps an IAM role to a username and set of groups
   # Each username and group can optionally contain template parameters:
   #  1) "{{AccountID}}" is the 12 digit AWS ID.
@@ -195,6 +198,17 @@ server:
     - system:bootstrappers
     - aws:instances
 
+  # map nodes that should conform to the username "system:node:<private-DNS>".  This
+  # requires the authenticator to query the EC2 API in order to discover the private
+  # DNS of the EC2 instance originating the authentication request.  Optionally, you
+  # may specify a role that should be assumed before querying the EC2 API with the
+  # top level key "defaultEC2DescribeInstancesRoleARN".
+  - roleARN: arn:aws:iam::000000000000:role/KubernetesNode
+    username: system:node:{{EC2PrivateDNSName}}
+    groups:
+    - system:nodes
+    - system:bootstrappers
+
   # map federated users in my "KubernetesAdmin" role to users like
   # "admin:alice-example.com". The SessionName is an arbitrary role name
   # like an e-mail address passed by the identity provider. Note that if this
@@ -219,4 +233,5 @@ server:
   mapAccounts:
   - "012345678901"
   - "456789012345"
+
 ```

cmd/heptio-authenticator-aws/root.go

@@ -75,11 +75,12 @@ func initConfig() {
 
 func getConfig() (config.Config, error) {
 	config := config.Config{
-		ClusterID:              viper.GetString("clusterID"),
-		LocalhostPort:          viper.GetInt("server.port"),
-		GenerateKubeconfigPath: viper.GetString("server.generateKubeconfig"),
-		KubeconfigPregenerated: viper.GetBool("server.kubeconfigPregenerated"),
-		StateDir:               viper.GetString("server.stateDir"),
+		ClusterID:                          viper.GetString("clusterID"),
+		DefaultEC2DescribeInstancesRoleARN: viper.GetString("defaultEC2DescribeInstancesRoleARN"),
+		LocalhostPort:                      viper.GetInt("server.port"),
+		GenerateKubeconfigPath:             viper.GetString("server.generateKubeconfig"),
+		KubeconfigPregenerated:             viper.GetBool("server.kubeconfigPregenerated"),
+		StateDir:                           viper.GetString("server.stateDir"),
 	}
 	if err := viper.UnmarshalKey("server.mapRoles", &config.RoleMappings); err != nil {
 		return config, fmt.Errorf("invalid server role mappings: %v", err)

pkg/config/constants.go

@@ -29,4 +29,7 @@ const (
 
 	// certLifetime is the lifetime of the CA certificate (100 years)
 	certLifetime = time.Hour * 24 * 365 * 100
+
+	// nodeNamePrefix is the username prefix that the apiserver expects of kubelet
+	NodeNamePrefix = "system:node:"
 )

pkg/config/types.go

@@ -92,4 +92,10 @@ type Config struct {
 	// AutoMappedAWSAccounts is a list of AWS accounts that are allowed without an explicit user/role mapping.
 	// IAM ARN from these accounts automatically maps to the Kubernetes username.
 	AutoMappedAWSAccounts []string
+
+	// DefaultEC2DescribeInstancesRoleARN is an optional AWS Resource Name for an IAM Role to be assumed
+	// before calling ec2:DescribeInstances to determine the private DNS of the calling kubelet (EC2 Instance).
+	// If nil, defaults to using the IAM Role attached to the instance where heptio-authenticator-aws is
+	// running.
+	DefaultEC2DescribeInstancesRoleARN string
 }