Merge pull request #1892 from dominicgunn/feature/kiam-updates

[v0.16.x] KIAM updates to support assumeRoleArn functionalilty
kubernetes-retired · Aug 25, 2020 · d1681b6 · d1681b6
2 parents b06335b + 74d6610
commit d1681b6
Show file tree

Hide file tree

Showing 10 changed files with 104 additions and 92 deletions.
diff --git a/builtin/files/cluster.yaml.tmpl b/builtin/files/cluster.yaml.tmpl
@@ -1646,6 +1646,7 @@ kubeAwsPlugins:
     # image: quay.io/uswitch/kiam
     # tag: v3.2
     # sessionDuration: 30m
+    # assumeRoleArn: arn:aws:iam::....
     # server:
     #  portName: grpclb
     #  address: localhost:443

diff --git a/builtin/files/plugins/kiam/manifests/agent-daemonset.yaml b/builtin/files/plugins/kiam/manifests/agent-daemonset.yaml
@@ -4,14 +4,12 @@ metadata:
   namespace: kube-system
   name: kiam-agent
 spec:
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 100%
-    type: RollingUpdate
   selector:
     matchLabels:
       app: kiam
       role: agent
+  updateStrategy:
+    type: OnDelete
   template:
     metadata:
       annotations:
@@ -21,41 +19,32 @@ spec:
         app: kiam
         role: agent
     spec:
-      priorityClassName: system-node-critical
-      tolerations:
-      - operator: Exists
-        effect: NoSchedule
-      - operator: Exists
-        effect: NoExecute
-      - operator: Exists
-        key: CriticalAddonsOnly
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: node.kubernetes.io/role
-                operator: NotIn
-                values:
-                - master
+      nodeSelector:
+        kubernetes.io/role: node
       volumes:
         - name: ssl-certs
           hostPath:
+            # for AWS linux or RHEL distros
+            # path: /etc/pki/ca-trust/extracted/pem/
+            # debian or ubuntu distros
+            # path: /etc/ssl/certs
             path: /usr/share/ca-certificates
         - name: tls
           secret:
             secretName: kiam-agent-tls
         - name: xtables
           hostPath:
             path: /run/xtables.lock
+            type: FileOrCreate
       containers:
         - name: kiam
           securityContext:
             capabilities:
               add: ["NET_ADMIN"]
           image: {{ .Values.image }}:{{ .Values.tag }}
+          imagePullPolicy: Always
           command:
             - {{ if checkVersion ">= 3.0" .Values.tag }}/kiam{{ else }}/agent{{ end }}
           args:
@@ -65,18 +54,20 @@ spec:
             - --gateway-timeout-creation=1s
             {{ end -}}
             - --iptables
-      {{- if .Config.Cluster.Kubernetes.Networking.AmazonVPC.Enabled }}
+            {{- if .Config.Cluster.Kubernetes.Networking.AmazonVPC.Enabled }}
             - --host-interface=!eni0
-      {{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "canal" }}
+            {{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "canal" }}
+            - --host-interface=cali+
+            {{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "calico" }}
             - --host-interface=cali+
-      {{- else}}
+            {{- else}}
             - --host-interface=cni0
-      {{- end }}
+            {{- end }}
             - --json-log
             - --port=8181
-            - --cert=/etc/kiam/tls/tls.crt
-            - --key=/etc/kiam/tls/tls.key
-            - --ca=/etc/kiam/tls/ca.crt
+            - --cert=/etc/kiam/tls/agent.pem
+            - --key=/etc/kiam/tls/agent-key.pem
+            - --ca=/etc/kiam/tls/ca.pem
             - --server-address={{ .Values.agent.address }}
             - --prometheus-listen-addr=0.0.0.0:9620
             - --prometheus-sync-interval=5s

diff --git a/builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml b/builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml
@@ -3,8 +3,8 @@ kind: Secret
 metadata:
   name: kiam-agent-tls
   namespace: kube-system
-type: kubernetes.io/tls
+type: Opaque
 data:
-  tls.crt: {{ insertTemplateFile "credentials/kiam-agent.pem" . | b64enc }}
-  tls.key: {{ insertTemplateFile "credentials/kiam-agent-key.pem" . | b64enc }}
-  ca.crt: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
+  agent.pem: {{ insertTemplateFile "credentials/kiam-agent.pem" . | b64enc }}
+  agent-key.pem: {{ insertTemplateFile "credentials/kiam-agent-key.pem" . | b64enc }}
+  ca.pem: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
diff --git a/builtin/files/plugins/kiam/manifests/rbac.yaml b/builtin/files/plugins/kiam/manifests/rbac.yaml
@@ -0,0 +1,60 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: kiam-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kiam-read
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - pods
+    verbs:
+      - watch
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kiam-read
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kiam-read
+subjects:
+  - kind: ServiceAccount
+    name: kiam-server
+    namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kiam-write
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kiam-write
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kiam-write
+subjects:
+  - kind: ServiceAccount
+    name: kiam-server
+    namespace: kube-system
diff --git a/builtin/files/plugins/kiam/manifests/server-cluster-role-binding.yaml b/builtin/files/plugins/kiam/manifests/server-cluster-role-binding.yaml
diff --git a/builtin/files/plugins/kiam/manifests/server-cluster-role.yaml b/builtin/files/plugins/kiam/manifests/server-cluster-role.yaml
diff --git a/builtin/files/plugins/kiam/manifests/server-daemonset.yaml b/builtin/files/plugins/kiam/manifests/server-daemonset.yaml
@@ -50,10 +50,13 @@ spec:
             {{ end -}}
             - --json-log
             - --bind=0.0.0.0:443
-            - --cert=/etc/kiam/tls/tls.crt
-            - --key=/etc/kiam/tls/tls.key
-            - --ca=/etc/kiam/tls/ca.crt
+            - --cert=/etc/kiam/tls/server.pem
+            - --key=/etc/kiam/tls/server-key.pem
+            - --ca=/etc/kiam/tls/ca.pem
             - --role-base-arn-autodetect
+            {{- if .Values.assumeRoleArn }}
+            - --assume-role-arn={{ .Values.assumeRoleArn }}
+            {{- end }}
             - --sync=1m
             - --prometheus-listen-addr=0.0.0.0:9620
             - --prometheus-sync-interval=5s
@@ -74,9 +77,9 @@ spec:
               - /health
               - --server-address-refresh=2s
               {{ end -}}
-              - --cert=/etc/kiam/tls/tls.crt
-              - --key=/etc/kiam/tls/tls.key
-              - --ca=/etc/kiam/tls/ca.crt
+              - --cert=/etc/kiam/tls/server.pem
+              - --key=/etc/kiam/tls/server-key.pem
+              - --ca=/etc/kiam/tls/ca.pem
               - --server-address={{ .Values.server.address }}
               - --timeout=5s
             initialDelaySeconds: 10
@@ -93,9 +96,9 @@ spec:
               - /health
               - --server-address-refresh=2s
               {{ end -}}
-              - --cert=/etc/kiam/tls/tls.crt
-              - --key=/etc/kiam/tls/tls.key
-              - --ca=/etc/kiam/tls/ca.crt
+              - --cert=/etc/kiam/tls/server.pem
+              - --key=/etc/kiam/tls/server-key.pem
+              - --ca=/etc/kiam/tls/ca.pem
               - --server-address={{ .Values.server.address }}
               - --timeout=5s
             initialDelaySeconds: 3

diff --git a/builtin/files/plugins/kiam/manifests/server-tls-secret.yaml b/builtin/files/plugins/kiam/manifests/server-tls-secret.yaml
@@ -3,8 +3,8 @@ kind: Secret
 metadata:
   name: kiam-server-tls
   namespace: kube-system
-type: kubernetes.io/tls
+type: Opaque
 data:
-  tls.crt: {{ insertTemplateFile "credentials/kiam-server.pem" . | b64enc }}
-  tls.key: {{ insertTemplateFile "credentials/kiam-server-key.pem" . | b64enc }}
-  ca.crt: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
+  server.pem: {{ insertTemplateFile "credentials/kiam-server.pem" . | b64enc }}
+  server-key.pem: {{ insertTemplateFile "credentials/kiam-server-key.pem" . | b64enc }}
+  ca.pem: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
diff --git a/builtin/files/plugins/kiam/manifests/service-account.yaml b/builtin/files/plugins/kiam/manifests/service-account.yaml
diff --git a/builtin/files/plugins/kiam/plugin.yaml b/builtin/files/plugins/kiam/plugin.yaml
@@ -7,6 +7,7 @@ spec:
       image: quay.io/uswitch/kiam
       tag: v3.2
       sessionDuration: 30m
+      assumeRoleArn: ""
       server:
         portName: grpclb
         address: localhost:443
@@ -40,11 +41,7 @@ spec:
       - source:
           path: manifests/service.yaml
       - source:
-          path: manifests/service-account.yaml
-      - source:
-          path: manifests/server-cluster-role.yaml
-      - source:
-          path: manifests/server-cluster-role-binding.yaml
+          path: manifests/rbac.yaml
 
     pki:
       keypairs:
@@ -58,11 +55,9 @@ spec:
         commonName: kiam-server
         organization: kube-aws-kiam
         dnsNames:
-        - kiam-server
-        - kiam-server:443
         - localhost
-        - localhost:443
-        - localhost:9610
+        - 127.0.0.1
+        - kiam-server
         duration: 8760h
         usages:
         - server