diff --git a/builtin/files/cluster.yaml.tmpl b/builtin/files/cluster.yaml.tmpl index 549c5b7ee..a3ee66ae2 100644 --- a/builtin/files/cluster.yaml.tmpl +++ b/builtin/files/cluster.yaml.tmpl @@ -1646,6 +1646,7 @@ kubeAwsPlugins: # image: quay.io/uswitch/kiam # tag: v3.2 # sessionDuration: 30m + # assumeRoleArn: arn:aws:iam::.... # server: # portName: grpclb # address: localhost:443 diff --git a/builtin/files/plugins/kiam/manifests/agent-daemonset.yaml b/builtin/files/plugins/kiam/manifests/agent-daemonset.yaml index ca96461d8..df5f9a729 100644 --- a/builtin/files/plugins/kiam/manifests/agent-daemonset.yaml +++ b/builtin/files/plugins/kiam/manifests/agent-daemonset.yaml @@ -4,14 +4,12 @@ metadata: namespace: kube-system name: kiam-agent spec: - updateStrategy: - rollingUpdate: - maxUnavailable: 100% - type: RollingUpdate selector: matchLabels: app: kiam role: agent + updateStrategy: + type: OnDelete template: metadata: annotations: @@ -21,28 +19,17 @@ spec: app: kiam role: agent spec: - priorityClassName: system-node-critical - tolerations: - - operator: Exists - effect: NoSchedule - - operator: Exists - effect: NoExecute - - operator: Exists - key: CriticalAddonsOnly hostNetwork: true dnsPolicy: ClusterFirstWithHostNet - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node.kubernetes.io/role - operator: NotIn - values: - - master + nodeSelector: + kubernetes.io/role: node volumes: - name: ssl-certs hostPath: + # for AWS linux or RHEL distros + # path: /etc/pki/ca-trust/extracted/pem/ + # debian or ubuntu distros + # path: /etc/ssl/certs path: /usr/share/ca-certificates - name: tls secret: 
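Review bot: `updateStrategy: type: OnDelete` in the first agent-daemonset hunk stops the DaemonSet controller from replacing running kiam-agent pods when the pod template changes, so the renamed certificate files and the new calico branch introduced later in this same file only take effect on a node once its agent pod is deleted by hand, whereas the removed RollingUpdate with `maxUnavailable: 100%` rolled them out automatically. If the aim is to avoid restarting every agent at once, `type: RollingUpdate` with a small `maxUnavailable` keeps the automatic rollout; if a manual, node-by-node replacement is intended, that step belongs in the plugin's upgrade notes. The reason for the switch is not recorded in the diff — a one-line comment above the field stating it would save the next maintainer from reverting it.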
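Review bot: Removing the `tolerations` block and `priorityClassName: system-node-critical` in the second agent-daemonset hunk narrows where an agent runs: a node carrying a NoSchedule or NoExecute taint, or one not labelled `kubernetes.io/role: node`, gets no kiam-agent, and a node under resource pressure can lose its agent to eviction or fail to schedule one. The agent is the component that installs the `--iptables` redirect for metadata traffic on the host, so pods on a node without one reach the instance metadata endpoint unmediated, which is the condition kiam is deployed to prevent; how many nodes this affects depends on the cluster's node pools and taints, so it should be confirmed against the actual layout. Keeping `tolerations: [{operator: Exists}]` next to the new `nodeSelector` would retain coverage of tainted worker nodes while still excluding masters, and the priority class still keeps the agent resident under pressure.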
@@ -50,12 +37,14 @@ spec: - name: xtables hostPath: path: /run/xtables.lock + type: FileOrCreate containers: - name: kiam securityContext: capabilities: add: ["NET_ADMIN"] image: {{ .Values.image }}:{{ .Values.tag }} + imagePullPolicy: Always command: - {{ if checkVersion ">= 3.0" .Values.tag }}/kiam{{ else }}/agent{{ end }} args: @@ -65,18 +54,20 @@ spec: - --gateway-timeout-creation=1s {{ end -}} - --iptables - {{- if .Config.Cluster.Kubernetes.Networking.AmazonVPC.Enabled }} + {{- if .Config.Cluster.Kubernetes.Networking.AmazonVPC.Enabled }} - --host-interface=!eni0 - {{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "canal" }} + {{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "canal" }} + - --host-interface=cali+ + {{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "calico" }} - --host-interface=cali+ - {{- else}} + {{- else}} - --host-interface=cni0 - {{- end }} + {{- end }} - --json-log - --port=8181 - - --cert=/etc/kiam/tls/tls.crt - - --key=/etc/kiam/tls/tls.key - - --ca=/etc/kiam/tls/ca.crt + - --cert=/etc/kiam/tls/agent.pem + - --key=/etc/kiam/tls/agent-key.pem + - --ca=/etc/kiam/tls/ca.pem - --server-address={{ .Values.agent.address }} - --prometheus-listen-addr=0.0.0.0:9620 - --prometheus-sync-interval=5s diff --git a/builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml b/builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml index 7c9b190aa..fe4f69118 100644 --- a/builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml +++ b/builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml 
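Review bot: `imagePullPolicy: Always` together with the mutable tag from `.Values.tag` (v3.2 by default) makes every pod restart re-resolve the tag at the registry, so the code running with `NET_ADMIN` on every node can change without any change to this manifest, and a registry outage blocks agent restarts. If the goal is to pick up rebuilt images, pinning by digest (`{{ .Values.image }}@sha256:<digest-placeholder>`) or exposing a `.Values.imagePullPolicy` that defaults to `IfNotPresent` gives a reproducible supply chain while still allowing deliberate updates. The `type: FileOrCreate` added for the xtables lock looks right.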
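Review bot: The new `calico` branch in the last agent-daemonset hunk is a verbatim copy of the `canal` branch (`- --host-interface=cali+`); folding them into `{{- else if or (eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "canal") (eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "calico") }}` keeps the two from drifting apart. The renamed `--cert`/`--key`/`--ca` paths have to agree with the data keys of `agent-tls-secret.yaml` later in this diff — they do — and a short comment such as `# file names below are the data keys of the kiam-agent-tls Secret` would keep the next rename in step. The `{{- if`/`{{- else`/`{{- end }}` lines are replaced by visually identical ones, presumably a re-indentation that this collapsed view cannot show.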
@@ -3,8 +3,8 @@ kind: Secret metadata: name: kiam-agent-tls namespace: kube-system -type: kubernetes.io/tls +type: Opaque data: - tls.crt: {{ insertTemplateFile "credentials/kiam-agent.pem" . | b64enc }} - tls.key: {{ insertTemplateFile "credentials/kiam-agent-key.pem" . | b64enc }} - ca.crt: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }} \ No newline at end of file + agent.pem: {{ insertTemplateFile "credentials/kiam-agent.pem" . | b64enc }} + agent-key.pem: {{ insertTemplateFile "credentials/kiam-agent-key.pem" . | b64enc }} + ca.pem: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }} \ No newline at end of file diff --git a/builtin/files/plugins/kiam/manifests/rbac.yaml b/builtin/files/plugins/kiam/manifests/rbac.yaml new file mode 100644 index 000000000..e115ea798 --- /dev/null +++ b/builtin/files/plugins/kiam/manifests/rbac.yaml @@ -0,0 +1,60 @@ +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: kiam-server + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kiam-read +rules: + - apiGroups: + - "" + resources: + - namespaces + - pods + verbs: + - watch + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: kiam-read +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kiam-read +subjects: + - kind: ServiceAccount + name: kiam-server + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kiam-write +rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: kiam-write +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kiam-write +subjects: + - kind: ServiceAccount + name: kiam-server + namespace: kube-system \ No newline at end of file 
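Review bot: Changing `type` from `kubernetes.io/tls` to `Opaque` drops the API server's check that the secret carries both a certificate and a key; with `Opaque`, an empty or missing `insertTemplateFile` result is accepted silently and the agent only fails when it reads an empty `agent-key.pem` at start. If the rename to `agent.pem`/`agent-key.pem` exists only so the mounted file names match the flags, keeping `kubernetes.io/tls` with the old `tls.crt`/`tls.key` keys (a `ca.crt` entry alongside them was already accepted) and pointing the flags at those names preserves the validation; otherwise a comment explaining why `Opaque` is needed would help. The same applies to `server-tls-secret.yaml` later in this diff.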
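Review bot: The new `rbac.yaml` uses `rbac.authorization.k8s.io/v1beta1` for all four objects; that version is deprecated since Kubernetes 1.17 and no longer served from 1.22, and since the fields used here are identical under `rbac.authorization.k8s.io/v1`, a freshly written manifest is the place to move to it. Splitting the old single role into `kiam-read` (`namespaces`/`pods` get, list, watch) and `kiam-write` (`events` create, patch), both bound to the `kiam-server` ServiceAccount, is a sound least-privilege shape; both bindings are cluster-wide, which the server needs for pod lookups across namespaces. The file is written without a trailing newline.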
diff --git a/builtin/files/plugins/kiam/manifests/server-cluster-role-binding.yaml b/builtin/files/plugins/kiam/manifests/server-cluster-role-binding.yaml deleted file mode 100644 index 916985861..000000000 --- a/builtin/files/plugins/kiam/manifests/server-cluster-role-binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: kiam-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kiam-server -subjects: -- kind: ServiceAccount - name: kiam-server - namespace: kube-system \ No newline at end of file diff --git a/builtin/files/plugins/kiam/manifests/server-cluster-role.yaml b/builtin/files/plugins/kiam/manifests/server-cluster-role.yaml deleted file mode 100644 index 610dff6d6..000000000 --- a/builtin/files/plugins/kiam/manifests/server-cluster-role.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: kiam-server -rules: -- apiGroups: - - "" - resources: - - namespaces - - pods - verbs: - - watch - - get - - list -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch \ No newline at end of file diff --git a/builtin/files/plugins/kiam/manifests/server-daemonset.yaml b/builtin/files/plugins/kiam/manifests/server-daemonset.yaml index 18f46bd06..af1adc56e 100644 --- a/builtin/files/plugins/kiam/manifests/server-daemonset.yaml +++ b/builtin/files/plugins/kiam/manifests/server-daemonset.yaml @@ -50,10 +50,13 @@ spec: {{ end -}} - --json-log - --bind=0.0.0.0:443 - - --cert=/etc/kiam/tls/tls.crt - - --key=/etc/kiam/tls/tls.key - - --ca=/etc/kiam/tls/ca.crt + - --cert=/etc/kiam/tls/server.pem + - --key=/etc/kiam/tls/server-key.pem + - --ca=/etc/kiam/tls/ca.pem - --role-base-arn-autodetect + {{- if .Values.assumeRoleArn }} + - --assume-role-arn={{ .Values.assumeRoleArn }} + {{- end }} - --sync=1m - --prometheus-listen-addr=0.0.0.0:9620 - --prometheus-sync-interval=5s 
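Review bot: In the server-daemonset hunk, `--assume-role-arn={{ .Values.assumeRoleArn }}` is emitted while `--role-base-arn-autodetect` stays on; the base ARN autodetected from the server's own instance presumably carries the server's account ID, so when the assumed role lives in another account, pod annotations that give a bare role name would resolve against the wrong account. Worth confirming against kiam's handling of the two flags and, if so, pairing the new value with a settable `--role-base-arn`. The flag is also the only place the value is explained: the `cluster.yaml.tmpl` example `# assumeRoleArn: arn:aws:iam::....` could say that the server nodes' instance role must be permitted `sts:AssumeRole` on it and that the target role must trust that principal, e.g. `# assumeRoleArn: role the kiam server assumes before issuing pod credentials; the node role needs sts:AssumeRole on it`.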
@@ -74,9 +77,9 @@ spec: - /health - --server-address-refresh=2s {{ end -}} - - --cert=/etc/kiam/tls/tls.crt - - --key=/etc/kiam/tls/tls.key - - --ca=/etc/kiam/tls/ca.crt + - --cert=/etc/kiam/tls/server.pem + - --key=/etc/kiam/tls/server-key.pem + - --ca=/etc/kiam/tls/ca.pem - --server-address={{ .Values.server.address }} - --timeout=5s initialDelaySeconds: 10 @@ -93,9 +96,9 @@ spec: - /health - --server-address-refresh=2s {{ end -}} - - --cert=/etc/kiam/tls/tls.crt - - --key=/etc/kiam/tls/tls.key - - --ca=/etc/kiam/tls/ca.crt + - --cert=/etc/kiam/tls/server.pem + - --key=/etc/kiam/tls/server-key.pem + - --ca=/etc/kiam/tls/ca.pem - --server-address={{ .Values.server.address }} - --timeout=5s initialDelaySeconds: 3 diff --git a/builtin/files/plugins/kiam/manifests/server-tls-secret.yaml b/builtin/files/plugins/kiam/manifests/server-tls-secret.yaml index ece545933..7cd557d1e 100644 --- a/builtin/files/plugins/kiam/manifests/server-tls-secret.yaml +++ b/builtin/files/plugins/kiam/manifests/server-tls-secret.yaml @@ -3,8 +3,8 @@ kind: Secret metadata: name: kiam-server-tls namespace: kube-system -type: kubernetes.io/tls +type: Opaque data: - tls.crt: {{ insertTemplateFile "credentials/kiam-server.pem" . | b64enc }} - tls.key: {{ insertTemplateFile "credentials/kiam-server-key.pem" . | b64enc }} - ca.crt: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }} \ No newline at end of file + server.pem: {{ insertTemplateFile "credentials/kiam-server.pem" . | b64enc }} + server-key.pem: {{ insertTemplateFile "credentials/kiam-server-key.pem" . | b64enc }} + ca.pem: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }} \ No newline at end of file diff --git a/builtin/files/plugins/kiam/manifests/service-account.yaml b/builtin/files/plugins/kiam/manifests/service-account.yaml deleted file mode 100644 index 4c52d4096..000000000 --- a/builtin/files/plugins/kiam/manifests/service-account.yaml +++ /dev/null 
@@ -1,5 +0,0 @@ -kind: ServiceAccount -apiVersion: v1 -metadata: - name: kiam-server - namespace: kube-system \ No newline at end of file diff --git a/builtin/files/plugins/kiam/plugin.yaml b/builtin/files/plugins/kiam/plugin.yaml index a7802dc96..82f632053 100644 --- a/builtin/files/plugins/kiam/plugin.yaml +++ b/builtin/files/plugins/kiam/plugin.yaml @@ -7,6 +7,7 @@ spec: image: quay.io/uswitch/kiam tag: v3.2 sessionDuration: 30m + assumeRoleArn: "" server: portName: grpclb address: localhost:443 @@ -40,11 +41,7 @@ spec: - source: path: manifests/service.yaml - source: - path: manifests/service-account.yaml - - source: - path: manifests/server-cluster-role.yaml - - source: - path: manifests/server-cluster-role-binding.yaml + path: manifests/rbac.yaml pki: keypairs: @@ -58,11 +55,9 @@ spec: commonName: kiam-server organization: kube-aws-kiam dnsNames: - - kiam-server - - kiam-server:443 - localhost - - localhost:443 - - localhost:9610 + - 127.0.0.1 + - kiam-server duration: 8760h usages: - server diff --git a/pkg/model/etcd_cluster.go b/pkg/model/etcd_cluster.go index 650b6a039..cd7d2b2ef 100644 --- a/pkg/model/etcd_cluster.go +++ b/pkg/model/etcd_cluster.go @@ -45,6 +45,11 @@ func (c EtcdCluster) DNSNames() []string { dnsName = fmt.Sprintf("*.%s", c.region.PrivateDomainName()) } } + + privateDomainSan := fmt.Sprintf("*.%s", c.region.PrivateDomainName()) + if dnsName != privateDomainSan && c.GetMemberIdentityProvider() == api.MemberIdentityProviderENI { + return []string{dnsName, privateDomainSan} + } return []string{dnsName} } diff --git a/pkg/model/etcd_cluster_test.go b/pkg/model/etcd_cluster_test.go index 92c9224b8..ee79b1157 100644 --- a/pkg/model/etcd_cluster_test.go +++ b/pkg/model/etcd_cluster_test.go 
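Review bot: `127.0.0.1` is added under `dnsNames` in the plugin.yaml pki hunk, but Go's TLS verifier matches an IP-literal peer address only against IP SANs, never against DNS SANs, so unless the kube-aws keypair generator turns this entry into an IP SAN (not visible here) a client dialling `127.0.0.1:443` will still fail verification. Confirm how the generator treats the entry; if it only emits DNS names, the entry is inert and clients should keep dialling `localhost` (covered by the `localhost` SAN, and the default `server.address` already uses it), or the generator needs an `ipAddresses` field. Dropping the `host:port` forms is correct — SANs never carry a port.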
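Review bot: In the etcd_cluster.go hunk, `privateDomainSan` repeats the `fmt.Sprintf("*.%s", c.region.PrivateDomainName())` already evaluated in the branch at the top of the hunk; computing it once before the `if` chain and writing `dnsName = privateDomainSan` in that branch removes the duplicate and makes the equality check below self-evidently compare the same string. The new condition has no comment saying why the ENI identity provider needs a second SAN; a note such as `// NOTE(review): ENI-based members appear to be reached by their region-private DNS name as well, so the cert must cover that zone — confirm` would help the next reader, with the hedge dropped once the reason is known. `DNSNames` begins above this hunk, so the hoist touches lines outside it; the region-wide wildcard SAN is pre-existing behaviour, not introduced here.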
@@ -22,7 +22,7 @@ func TestEtcdClusterDNSNames(t *testing.T) {
 actual := cluster.DNSNames()
 expected := []string{"*.ec2.internal"}
 if !reflect.DeepEqual(actual, expected) {
- t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
+ t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
 }
 })
 t.Run("us-west-1", func(t *testing.T) {
@@ -30,7 +30,7 @@ func TestEtcdClusterDNSNames(t *testing.T) {
 actual := cluster.DNSNames()
 expected := []string{"*.us-west-1.compute.internal"}
 if !reflect.DeepEqual(actual, expected) {
- t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
+ t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
 }
 })
 })
@@ -42,17 +42,17 @@ func TestEtcdClusterDNSNames(t *testing.T) {
 t.Run("us-east-1", func(t *testing.T) {
 cluster := NewEtcdCluster(config, usEast1, etcdNet, etcdCount)
 actual := cluster.DNSNames()
- expected := []string{"*.internal.example.com"}
+ expected := []string{"*.internal.example.com", "*.ec2.internal"}
 if !reflect.DeepEqual(actual, expected) {
- t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
+ t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
 }
 })
 t.Run("us-west-1", func(t *testing.T) {
 cluster := NewEtcdCluster(config, usWest1, etcdNet, etcdCount)
 actual := cluster.DNSNames()
- expected := []string{"*.internal.example.com"}
+ expected := []string{"*.internal.example.com", "*.us-west-1.compute.internal"}
 if !reflect.DeepEqual(actual, expected) {
- t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
+ t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
 }
 })
 })
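Review bot: The two-element expectations in the `-42,17` hunk exercise the new ENI branch of `DNSNames`, which depends on the identity provider configured in `config` outside this hunk; a sibling subtest that keeps the custom `*.internal.example.com` domain but selects a non-ENI identity provider would pin the single-SAN path, which the first two subtests appear to cover only for the default domain. The `expecetd` → `expected` fix is repeated six times; a small `assertDNSNames(t, got, want)` helper would make such a fix a one-line change.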
@@ -67,7 +67,7 @@ func TestEtcdClusterDNSNames(t *testing.T) {
 actual := cluster.DNSNames()
 expected := []string{"*.compute-1.amazonaws.com"}
 if !reflect.DeepEqual(actual, expected) {
- t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
+ t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
 }
 })
 t.Run("us-west-1", func(t *testing.T) {
@@ -75,7 +75,7 @@ func TestEtcdClusterDNSNames(t *testing.T) {
 actual := cluster.DNSNames()
 expected := []string{"*.us-west-1.compute.amazonaws.com"}
 if !reflect.DeepEqual(actual, expected) {
- t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
+ t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
 }
 })
 })