[stable/aws-pod-identity-webhook] Adding chart for AWS' new EKS Pod Identity Webhook #17099
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj | ||
.vscode/ |
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
appVersion: "1.0" | ||
description: A Helm chart for the Amazon EKS Pod Identity Webhook | ||
name: aws-pod-identity-webhook | ||
version: 0.1.0 | ||
icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png | ||
home: https://github.com/aws/amazon-eks-pod-identity-webhook | ||
sources: | ||
- https://github.com/aws/amazon-eks-pod-identity-webhook | ||
maintainers: | ||
- name: micahhausler | ||
email: hausler.m@gmail.com | ||
engine: gotpl |
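Review bot: the `icon` value points at the GitHub HTML page for the Kubernetes logo (a `/blob/master/` URL), which is not an image resource; the raw file URL is what chart repositories expect, and an AWS/EKS icon would be a better fit than the Kubernetes logo for this chart. Separately, `appVersion: "1.0"` is stamped into the `app.kubernetes.io/version` label by `_helpers.tpl` while the image tag defaults to `latest`, so that label will not describe the build that is actually running; consider tying `appVersion` to the default image tag.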
@@ -0,0 +1,4 @@ | ||
approvers: | ||
- micahhausler | ||
reviewers: | ||
- micahhausler |
@@ -0,0 +1,66 @@ | ||
# AWS Pod Identity Webhook | ||
|
||
This chart will install the [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). This tool allows you to specify IAM Roles for Kubernetes Service Accounts. This allows a pod to assume a IAM role. | ||
|
||
Further details can be found here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html | ||
|
||
## Prerequisites | ||
|
||
- Kubernetes 1.12+ | ||
|
||
For installation into a non-EKS cluster, see [Self-hosted Kubernetes setup](https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md) | ||
|
||
## Installing the Chart | ||
|
||
You first need to retrieve `ca.crt` from your cluster as this is used as a value for the chart: | ||
|
||
```shell | ||
secret_name=$(kubectl get sa default -o jsonpath='{.secrets[0].name}') | ||
export CA_BUNDLE=$(kubectl get secret/$secret_name -o jsonpath='{.data.ca\.crt}' | tr -d '\n') | ||
``` | ||
|
||
Then install the chart: | ||
|
||
```shell | ||
$ helm install --name my-release stable/aws-pod-identity-webhook --set caBundle="${CA_BUNDLE}" | ||
``` | ||
|
||
After installation you need to approve the certificate. Follow the chart notes after installation for this step. | ||
Can you note that the webhook will request a new CSR prior to its expiry in 1 year, and it will need to be approved either by an operator or by some other automated process?

Cool. I added a note. Would be great to have something better here in the chart itself. Perhaps a cronjob. Or something in the webhook itself?

I'd lean toward a cronjob that can only approve rather than something in the webhook. It's pretty scary to grant something the ability to create and approve certs.

Makes sense. I'll leave this for a later PR though.
||
|
||
The webhook will request a new CSR prior expiry in 1 year. This new CSR will also need to be manually approved. | ||
|
||
## Uninstalling the Chart | ||
|
||
To delete the chart: | ||
|
||
```shell | ||
$ helm delete my-release | ||
``` | ||
|
||
## Configuration | ||
|
||
The following table lists the configurable parameters for this chart and their default values. | ||
|
||
| Parameter | Description | Default | | ||
| -----------------------|---------------------------------------|-------------------------------------------------------------------------| | ||
| `tls_secret_name` | Name of the secret containing the | `pod-identity-webhook` | | ||
| `annotation_prefix` | Prefix for annotation | `eks.amazonaws.com` | | ||
| `token_audience` | Token audience | `sts.amazonaws.com` | | ||
| `caBundle` | CA cert bundle data | None. Must be provided on chart install | | ||
| `image.repository` | Image repository | `602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/pod-identity-webhook` | | ||
| `image.tag` | Image tag | `latest` | | ||
| `image.pullPolicy` | Container pull policy | `IfNotPresent` | | ||
| `replicas` | Number of deployment replicas | `3` | | ||
| `fullnameOverride` | Override the fullname of the chart | `nil` | | ||
| `nameOverride` | Override the name of the chart | `nil` | | ||
| `priorityClassName` | Set a priority class for pods | `nil` | | ||
| `resources` | Pod resources | `{}` | | ||
| `nodeSelector` | Node labels for pod assignment | `{}` | | ||
| `tolerations` | Optional deployment tolerations | `[]` | | ||
| `affinity` | Map of node/pod affinities | `{}` | | ||
|
||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install` or provide a YAML file containing the values for the above parameters: | ||
|
||
```shell | ||
$ helm install --name my-release stable/aws-pod-identity-webhook --values values.yaml | ||
``` |
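Review bot: the `tls_secret_name` row in the Configuration table is cut off ("Name of the secret containing the"); finish the description, for example "Name of the secret containing the webhook's serving certificate and key". The same hunk has two grammar slips: "assume a IAM role" should read "assume an IAM role", and "prior expiry in 1 year" should read "prior to expiry in 1 year". The `CA_BUNDLE` step would benefit from one sentence on why the cluster CA is the right value: the serving certificate the reader approves in the next step is issued through the cluster's CSR API, so the API server has to trust that CA when it calls the webhook. `imagePullSecrets` exists in values.yaml but has no row in the table. Finally, the `image.tag` default of `latest` together with `pullPolicy: IfNotPresent` deserves a warning here: different nodes can end up running different images under the same tag, and nothing in the manifest records which build admitted a given pod; advise pinning a release tag or digest.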
@@ -0,0 +1,10 @@ | ||
|
||
If this is your first installation of {{ .Chart.Name }} then you need to approve the certificate. | ||
|
||
Wait until the pod has started: | ||
|
||
kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/name={{ include "aws-pod-identity-webhook.name" . }} | ||
|
||
Then approve the certificate: | ||
|
||
kubectl certificate approve $(kubectl get csr -o jsonpath='{.items[?(@.spec.username=="system:serviceaccount:{{ .Release.Namespace }}:{{ include "aws-pod-identity-webhook.fullname" . }}")].metadata.name}') |
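Review bot: the approve command on the last line selects CSRs by `.spec.username` alone and hands every match to `kubectl certificate approve`. If no CSR exists yet (the pod is still starting) the argument expands to nothing and kubectl exits with a usage error, and if the service account has more than one CSR outstanding, for instance after a restart, all of them are approved without anyone reading the request. Suggest telling the reader to run `kubectl get csr` first and confirm the requester and the requested names before approving, and to mention here, as the README already does, that the same approval is needed again when the webhook renews before expiry.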
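The review thread settles on an approve-only job for the CSR the webhook creates at install time and again before its one-year expiry, rather than letting the webhook approve its own certificate. What such a job has to check before it touches the Approved condition, as an added example that is not part of this PR or of the webhook project: the requester identity, the requested usages, and the parsed PKCS#10 request itself. The `CSR` and `Policy` types, the service-account and Service names, and the allowed-usage set are assumptions; a real job would read the object through client-go, run this gate, and patch `certificatesigningrequests/approval` only when it returns nil. `MakeRequest` exists only to manufacture constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// CSR mirrors the CertificateSigningRequest fields an approve-only job needs; it is a
// hypothetical stand-in for the certificates.k8s.io types so the example needs no client-go.
type CSR struct {
	Name     string
	Username string   // .spec.username, set by the API server from the requester's identity
	Usages   []string // .spec.usages
	Request  string   // .spec.request: base64 of the PEM-encoded PKCS#10 request
}

// Policy is the single requester/name pair the job may approve (values are assumed).
type Policy struct {
	ServiceAccount string // system:serviceaccount:<namespace>:<fullname>
	ServiceDNS     string // <fullname>.<namespace>.svc
}

// allowedUsages is an assumed TLS-server profile; anything else is left for a human.
var allowedUsages = map[string]bool{"digital signature": true, "key encipherment": true, "server auth": true}

// ShouldApprove returns nil only when the CSR came from the webhook's service account, requests
// server-only usages, is validly self-signed, and names only the webhook Service. Any error
// means: do nothing and leave the CSR pending for an operator.
func ShouldApprove(p Policy, c CSR) error {
	if c.Username != p.ServiceAccount {
		return fmt.Errorf("%s: requester %q is not %q", c.Name, c.Username, p.ServiceAccount)
	}
	if len(c.Usages) == 0 {
		return fmt.Errorf("%s: no usages requested", c.Name)
	}
	for _, u := range c.Usages {
		if !allowedUsages[u] {
			return fmt.Errorf("%s: usage %q is not a serving-cert usage", c.Name, u)
		}
	}
	raw, err := base64.StdEncoding.DecodeString(c.Request)
	if err != nil {
		return fmt.Errorf("%s: request is not base64: %v", c.Name, err)
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("%s: request is not a PEM CERTIFICATE REQUEST", c.Name)
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("%s: cannot parse PKCS#10: %v", c.Name, err)
	}
	if err := req.CheckSignature(); err != nil { // proof of possession of the private key
		return fmt.Errorf("%s: bad self-signature: %v", c.Name, err)
	}
	if len(req.IPAddresses) > 0 || len(req.EmailAddresses) > 0 || len(req.URIs) > 0 {
		return fmt.Errorf("%s: only DNS SANs are allowed for an in-cluster Service", c.Name)
	}
	for _, d := range req.DNSNames {
		if d != p.ServiceDNS && d != p.ServiceDNS+".cluster.local" {
			return fmt.Errorf("%s: DNS SAN %q is outside the policy", c.Name, d)
		}
	}
	return nil
}

// MakeRequest builds a base64 PEM PKCS#10 request with a fresh P-256 key, the shape kubectl
// shows under .spec.request. It only constructs sample input; it is not the webhook's code.
func MakeRequest(dns []string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: dns}, key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})), nil
}

func main() {
	p := Policy{ServiceAccount: "system:serviceaccount:default:my-release-aws-pod-identity-webhook",
		ServiceDNS: "my-release-aws-pod-identity-webhook.default.svc"}
	server := []string{"digital signature", "key encipherment", "server auth"}
	good, _ := MakeRequest([]string{p.ServiceDNS, p.ServiceDNS + ".cluster.local"})
	rogue, _ := MakeRequest([]string{p.ServiceDNS, "kubernetes.default.svc"}) // constructed: names another Service too
	for _, c := range []CSR{
		{Name: "csr-ok", Username: p.ServiceAccount, Usages: server, Request: good},
		{Name: "csr-rogue-san", Username: p.ServiceAccount, Usages: server, Request: rogue},
	} {
		err := ShouldApprove(p, c) // a real job would patch the Approved condition only when err == nil
		fmt.Printf("%s: approve=%v %v\n", c.Name, err == nil, err)
	}
}
```

The RBAC for the job is the mirror image of the ClusterRole in this chart: `get`/`list` on `certificatesigningrequests` plus `update` on the `certificatesigningrequests/approval` subresource, and no `create`. That keeps the "can create" and "can approve" permissions in two different service accounts, which is the split the thread asks for.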
@@ -0,0 +1,45 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "aws-pod-identity-webhook.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "aws-pod-identity-webhook.fullname" -}} | ||
{{- if .Values.fullnameOverride -}} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- $name := default .Chart.Name .Values.nameOverride -}} | ||
{{- if contains $name .Release.Name -}} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "aws-pod-identity-webhook.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Common labels | ||
*/}} | ||
{{- define "aws-pod-identity-webhook.labels" -}} | ||
app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }} | ||
helm.sh/chart: {{ include "aws-pod-identity-webhook.chart" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- if .Chart.AppVersion }} | ||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
{{- end }} | ||
app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
{{- end -}} |
@@ -0,0 +1,24 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- serviceaccounts | ||
verbs: | ||
- get | ||
- watch | ||
- list | ||
- apiGroups: | ||
- certificates.k8s.io | ||
resources: | ||
- certificatesigningrequests | ||
verbs: | ||
- create | ||
- get | ||
- list | ||
- watch |
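Review bot: the CSR rule grants `create`, `get`, `list` and `watch` on `certificatesigningrequests` and nothing on the `certificatesigningrequests/approval` subresource, so the webhook can request but not approve its own certificate; that is exactly what the review thread asked for and is worth a one-line comment above the rule so a later contributor does not "fix" it by adding `update` on the subresource. The cluster-wide `serviceaccounts` get/list/watch is justified because the hook mutates pods in every namespace and needs the annotation on each pod's service account.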
@@ -0,0 +1,14 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
namespace: {{ .Release.Namespace }} |
@@ -0,0 +1,60 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
spec: | ||
replicas: {{ .Values.replicas }} | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
template: | ||
metadata: | ||
labels: | ||
app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm surprised this isn't the default. I'm take it or leave it on adding it here |
||
spec: | ||
{{- if .Values.priorityClassName }} | ||
priorityClassName: "{{ .Values.priorityClassName }}" | ||
{{- end }} | ||
{{- with .Values.imagePullSecrets }} | ||
imagePullSecrets: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
serviceAccountName: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
containers: | ||
- name: webhook | ||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" | ||
imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
command: | ||
- /webhook | ||
- --in-cluster | ||
- --namespace={{ .Release.Namespace }} | ||
- --service-name={{ include "aws-pod-identity-webhook.fullname" . }} | ||
- --tls-secret={{ .Values.tls_secret_name }} | ||
- --annotation-prefix={{ .Values.annotation_prefix }} | ||
- --token-audience={{ .Values.token_audience }} | ||
- --logtostderr | ||
volumeMounts: | ||
- name: webhook-certs | ||
mountPath: /var/run/app/certs | ||
readOnly: false | ||
resources: | ||
{{- toYaml .Values.resources | nindent 10 }} | ||
{{- with .Values.nodeSelector }} | ||
nodeSelector: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.affinity }} | ||
affinity: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.tolerations }} | ||
tolerations: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
volumes: | ||
- name: webhook-certs | ||
emptyDir: {} |
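Review bot: the pod template has no `securityContext`; for a process that holds the webhook's serving key and is called by the API server, add at least `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` (the one path it writes, `/var/run/app/certs`, is already a separate `emptyDir`, so a read-only root filesystem costs nothing). There are also no readiness or liveness probes, so the Service will route admission calls to a replica that is still waiting for its CSR to be approved; together with `failurePolicy: Ignore` in the webhook configuration that failure is invisible to the user whose pod silently did not get mutated. Minor: `readOnly: false` on the volume mount is the default and can be dropped.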
@@ -0,0 +1,20 @@ | ||
apiVersion: admissionregistration.k8s.io/v1beta1 | ||
kind: MutatingWebhookConfiguration | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
webhooks: | ||
- name: pod-identity-webhook.amazonaws.com | ||
failurePolicy: Ignore | ||
clientConfig: | ||
service: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
namespace: {{ .Release.Namespace }} | ||
path: "/mutate" | ||
caBundle: {{ .Values.caBundle | quote }} | ||
rules: | ||
- operations: [ "CREATE" ] | ||
apiGroups: [""] | ||
apiVersions: ["v1"] | ||
resources: ["pods"] |
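Review bot: `failurePolicy: Ignore` means that whenever the webhook is unreachable or times out, pods are admitted unmodified, so a workload whose service account is annotated for an IAM role quietly starts without it. Failing open is a defensible choice for a hook that matches every pod CREATE in the cluster (`Fail` would block all scheduling while the webhook is down), but the README should say so and tell operators to alert on webhook availability. There is also no `namespaceSelector`, so the hook intercepts pod creation in every namespace including `kube-system`; if that is intended, document it, otherwise let users opt namespaces out through values. The `v1beta1` API matches the stated Kubernetes 1.12 minimum; when the chart moves to `admissionregistration.k8s.io/v1`, `sideEffects` becomes a required field.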
@@ -0,0 +1,23 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- secrets | ||
verbs: | ||
- create | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- secrets | ||
verbs: | ||
- get | ||
- update | ||
- patch | ||
resourceNames: | ||
- "{{ .Values.tls_secret_name }}" |
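Review bot: the two-rule split is correct, since `resourceNames` cannot constrain `create` and the first rule therefore necessarily allows the webhook to create any secret in the release namespace, while `get`/`update`/`patch` stay limited to `tls_secret_name`. Add a template comment saying why the rules are separate, so a future cleanup does not merge them and silently extend read access to every secret in the namespace.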
@@ -0,0 +1,14 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
namespace: {{ .Release.Namespace }} |
@@ -0,0 +1,18 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} | ||
namespace: {{ .Release.Namespace }} | ||
annotations: | ||
prometheus.io/port: "443" | ||
prometheus.io/scheme: "https" | ||
prometheus.io/scrape: "true" | ||
spec: | ||
ports: | ||
- port: 443 | ||
targetPort: 443 | ||
selector: | ||
app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} |
@@ -0,0 +1,7 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} | ||
namespace: {{ .Release.Namespace }} | ||
labels: | ||
{{ include "aws-pod-identity-webhook.labels" . | indent 4 }} |
@@ -0,0 +1,24 @@ | ||
tls_secret_name: pod-identity-webhook | ||
Can you document these added fields in the README?

Ah yes, I forgot to add these.
||
annotation_prefix: eks.amazonaws.com | ||
token_audience: sts.amazonaws.com | ||
|
||
replicas: 3 | ||
|
||
image: | ||
repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/pod-identity-webhook | ||
tag: latest | ||
pullPolicy: IfNotPresent | ||
|
||
imagePullSecrets: [] | ||
nameOverride: "" | ||
fullnameOverride: "" | ||
|
||
resources: {} | ||
|
||
nodeSelector: {} | ||
|
||
tolerations: [] | ||
|
||
affinity: {} | ||
|
||
priorityClassName: "" |
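Review bot: `tag: latest` combined with `pullPolicy: IfNotPresent` is the weakest default for a security component: nodes that pulled at different times keep different images under the same tag, and nothing in the rendered manifest tells an operator which build is admitting pods. Default to a specific release tag (or an image digest) and leave `latest` to users who explicitly ask for it. Also, `imagePullSecrets` is defined here but has no row in the README table, while `tls_secret_name`, `annotation_prefix` and `token_audience` do, as requested in the thread.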
Can you add me as well here?

I had you there in the beginning but read the message here: #17099 (comment)
So I think we just have @micahhausler there for now as they are already a member of the kubernetes org.
And then you guys can create a PR later to add yourself when you become a trusted-collaborator.