forked from jtblin/kube2iam
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add kube2iam to control AWS IAM policy access (jtblin#216)
* kube2iam chart * set hostNetwork at the spec level * fixes from code review h/t @mgoodness * cleanup/style * linter, host needs to be a dictionary * move kube2iam to stable
- Loading branch information
Showing
6 changed files
with
193 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| name: kube2iam | ||
| version: 0.1.0 | ||
| description: Provide IAM credentials to containers running inside a kubernetes cluster based on annotations. | ||
| keywords: | ||
| - kube2iam | ||
| - aws | ||
| - iam | ||
| - security | ||
| sources: | ||
| - https://github.com/jtblin/kube2iam | ||
| maintainers: | ||
| - name: Josh Carp | ||
| email: jm.carp@gmail.com | ||
| - name: Michael Haselton | ||
| email: michael.haselton@gmail.com | ||
| engine: gotpl |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| # kube2iam | ||
|
|
||
| * Installs [kube2iam](https://github.com/jtblin/kube2iam) to provide IAM credentials to containers running inside a kubernetes cluster based on annotations. | ||
|
|
||
| ## TL;DR; | ||
|
|
||
| ```console | ||
| $ helm install stable/kube2iam | ||
| ``` | ||
|
|
||
| ## Introduction | ||
|
|
||
| This chart bootstraps a [kube2iam](https://github.com/jtblin/kube2iam) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| - Kubernetes 1.4+ with Beta APIs enabled | ||
|
|
||
| ## Installing the Chart | ||
|
|
||
| To install the chart with the release name `my-release`: | ||
|
|
||
| ```console | ||
| $ helm install --name my-release stable/kube2iam | ||
| ``` | ||
|
|
||
| The command deploys kube2iam on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. | ||
|
|
||
| ## Uninstalling the Chart | ||
|
|
||
| To uninstall/delete the `my-release` deployment: | ||
|
|
||
| ```console | ||
| $ helm delete my-release | ||
| ``` | ||
|
|
||
| The command removes all the Kubernetes components associated with the chart and deletes the release. | ||
|
|
||
| ## Configuration | ||
|
|
||
| The following tables lists the configurable parameters of the kube2iam chart and their default values. | ||
|
|
||
| | Parameter | Description | Default | | ||
| | --------------------------- | ------------------------------------------ | ---------------------------------------------------------- | | ||
| | `image` | Image | `jtblin/kube2iam` | | ||
| | `imageTag` | Image tag | `0.2.2` | | ||
| | `imagePullPolicy` | Image pull policy | `Always` if `imageTag` is `latest`, else `IfNotPresent` | | ||
| | `resources.limits.cpu` | CPU limit | `100m` | | ||
| | `resources.limits.memory` | Memory limit | `200Mi` | | ||
| | `resources.requests.cpu` | CPU request | `100m` | | ||
| | `resources.requests.memory` | Memory request | `200Mi` | | ||
| | `containerPort` | Container port | `8181` | | ||
| | `host.ip` | IP address of host | `$(HOST_IP)` | | ||
| | `host.iptables` | Add iptables rule | `false` | | ||
| | `host.interface` | Host interface for proxying AWS metadata | `docker0` | | ||
| | `extraArgs` | Extra arguments | `nil` | | ||
|
|
||
| Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, | ||
|
|
||
| ```console | ||
| $ helm install --name my-release \ | ||
| --set=extraArgs.base-role-arn=arn:aws:iam::0123456789:role/, \ | ||
| extraArgs.default-role=kube2iam-default, \ | ||
| host.iptables=true,host.interface=cbr0 | ||
| ``` | ||
|
|
||
| Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, | ||
|
|
||
| ```console | ||
| $ helm install --name my-release -f values.yaml stable/kube2iam | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| To verify that kube2iam is working has started, run: | ||
|
|
||
| kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "fullname" . }}" | ||
|
|
||
| Add an iam.amazonaws.com/role annotation to your pods with the role that you want to assume for this pod. | ||
|
|
||
| https://github.com/jtblin/kube2iam#kubernetes-annotation | ||
|
|
||
| Verification of the role bound to the deployed pod can be done with `curl`. | ||
|
|
||
| curl 169.254.169.254/latest/meta-data/iam/security-credentials/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| {{/* vim: set filetype=mustache: */}} | ||
| {{/* | ||
| Expand the name of the chart. | ||
| */}} | ||
| {{- define "name" -}} | ||
| {{- default .Chart.Name .Values.nameOverride | trunc 24 -}} | ||
| {{- end -}} | ||
|
|
||
| {{/* | ||
| Create a default fully qualified app name. | ||
| We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
| */}} | ||
| {{- define "fullname" -}} | ||
| {{- $name := default .Chart.Name .Values.nameOverride -}} | ||
| {{- printf "%s-%s" .Release.Name $name | trunc 24 -}} | ||
| {{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| apiVersion: extensions/v1beta1 | ||
| kind: DaemonSet | ||
| metadata: | ||
| name: {{ template "fullname" . }} | ||
| labels: | ||
| app: {{ template "fullname" . }} | ||
| chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" | ||
| heritage: "{{ .Release.Service }}" | ||
| release: "{{ .Release.Name }}" | ||
| spec: | ||
| selector: | ||
| matchLabels: | ||
| app: {{ template "fullname" . }} | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: {{ template "fullname" . }} | ||
| release: "{{ .Release.Name }}" | ||
| spec: | ||
| hostNetwork: true | ||
| containers: | ||
| - name: kube2iam | ||
| image: "{{ .Values.image }}:{{ .Values.imageTag }}" | ||
| imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }} | ||
| args: | ||
| - --app-port={{ default 8181 .Values.containerPort }} | ||
| - --iptables={{ default false .Values.host.iptables }} | ||
| - --host-interface={{ default "docker0" .Values.host.interface | quote }} | ||
| {{- if .Values.host.iptables }} | ||
| - --host-ip={{ default "$(HOST_IP)" .Values.host.ip }} | ||
| {{- end }} | ||
| {{- range $key, $value := .Values.extraArgs }} | ||
| - --{{ $key }}={{ $value }} | ||
| {{- end }} | ||
| env: | ||
| - name: HOST_IP | ||
| valueFrom: | ||
| fieldRef: | ||
| fieldPath: status.podIP | ||
| resources: | ||
| {{ toYaml .Values.resources | indent 10 }} | ||
| ports: | ||
| - containerPort: {{ default 8181 .Values.containerPort }} | ||
| {{- if .Values.host.iptables }} | ||
| securityContext: | ||
| privileged: true | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| image: jtblin/kube2iam | ||
| imageTag: 0.2.2 | ||
|
|
||
| ## Specify a imagePullPolicy | ||
| ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' | ||
| ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images | ||
| ## | ||
| # imagePullPolicy: | ||
|
|
||
| ## Configure resource requests and limits | ||
| ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ | ||
| ## | ||
| resources: | ||
| limits: | ||
| cpu: 100m | ||
| memory: 200Mi | ||
| requests: | ||
| cpu: 100m | ||
| memory: 200Mi | ||
|
|
||
| # containerPort: 8181 | ||
|
|
||
| host: | ||
| # ip: 127.0.0.1 | ||
| iptables: false | ||
| interface: docker0 | ||
|
|
||
| # extraArgs: | ||
| # base-role-arn: arn:aws:iam::0123456789:role/ | ||
| # default-role: kube2iam-default | ||
| # api-server: ... | ||
| # api-token: ... |