From 35d69477fa6c31cbc6cf1362ec7e5a4a2c2fea43 Mon Sep 17 00:00:00 2001
From: Dominic Gunn
Date: Sat, 1 Aug 2020 16:11:16 +0100
Subject: [PATCH 1/2] KIAM updates to support assumeRoleArn functionalilty
---
 builtin/files/cluster.yaml.tmpl | 1 +
 .../kiam/manifests/agent-daemonset.yaml | 47 ++++++---------
 .../kiam/manifests/agent-tls-secret.yaml | 8 +--
 .../files/plugins/kiam/manifests/rbac.yaml | 60 +++++++++++++++++++
 .../server-cluster-role-binding.yaml | 12 ----
 .../kiam/manifests/server-cluster-role.yaml | 21 -------
 .../kiam/manifests/server-daemonset.yaml | 21 ++++---
 .../kiam/manifests/server-tls-secret.yaml | 8 +--
 .../kiam/manifests/service-account.yaml | 5 --
 builtin/files/plugins/kiam/plugin.yaml | 13 ++--
 10 files changed, 104 insertions(+), 92 deletions(-)
 create mode 100644 builtin/files/plugins/kiam/manifests/rbac.yaml
 delete mode 100644 builtin/files/plugins/kiam/manifests/server-cluster-role-binding.yaml
 delete mode 100644 builtin/files/plugins/kiam/manifests/server-cluster-role.yaml
 delete mode 100644 builtin/files/plugins/kiam/manifests/service-account.yaml
diff --git a/builtin/files/cluster.yaml.tmpl b/builtin/files/cluster.yaml.tmpl
index 549c5b7ee..5d9231ca9 100644
--- a/builtin/files/cluster.yaml.tmpl
+++ b/builtin/files/cluster.yaml.tmpl
@@ -1646,6 +1646,7 @@ kubeAwsPlugins:
 # image: quay.io/uswitch/kiam
 # tag: v3.2
 # sessionDuration: 30m
+ # assumeRoleArn: arn.....
 # server:
 # portName: grpclb
 # address: localhost:443
diff --git a/builtin/files/plugins/kiam/manifests/agent-daemonset.yaml b/builtin/files/plugins/kiam/manifests/agent-daemonset.yaml
index ca96461d8..df5f9a729 100644
--- a/builtin/files/plugins/kiam/manifests/agent-daemonset.yaml
+++ b/builtin/files/plugins/kiam/manifests/agent-daemonset.yaml
@@ -4,14 +4,12 @@ metadata:
 namespace: kube-system
 name: kiam-agent
 spec:
- updateStrategy:
- rollingUpdate:
- maxUnavailable: 100%
- type: RollingUpdate
 selector:
 matchLabels:
 app: kiam
 role: agent
+ updateStrategy:
+ type: OnDelete
 template:
 metadata:
 annotations:
@@ -21,28 +19,17 @@ spec:
 app: kiam
 role: agent
 spec:
- priorityClassName: system-node-critical
- tolerations:
- - operator: Exists
- effect: NoSchedule
- - operator: Exists
- effect: NoExecute
- - operator: Exists
- key: CriticalAddonsOnly
 hostNetwork: true
 dnsPolicy: ClusterFirstWithHostNet
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: node.kubernetes.io/role
- operator: NotIn
- values:
- - master
+ nodeSelector:
+ kubernetes.io/role: node
 volumes:
 - name: ssl-certs
 hostPath:
+ # for AWS linux or RHEL distros
+ # path: /etc/pki/ca-trust/extracted/pem/
+ # debian or ubuntu distros
+ # path: /etc/ssl/certs
 path: /usr/share/ca-certificates
 - name: tls
 secret:
@@ -50,12 +37,14 @@ spec:
 - name: xtables
 hostPath:
 path: /run/xtables.lock
+ type: FileOrCreate
 containers:
 - name: kiam
 securityContext:
 capabilities:
 add: ["NET_ADMIN"]
 image: {{ .Values.image }}:{{ .Values.tag }}
+ imagePullPolicy: Always
 command:
 - {{ if checkVersion ">= 3.0" .Values.tag }}/kiam{{ else }}/agent{{ end }}
 args:
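Review bot: Switching `updateStrategy` to `type: OnDelete` means agent pods already running keep the old pod spec until someone deletes them, and this same series renames the TLS material they mount (`--cert=/etc/kiam/tls/agent.pem` and the `kiam-agent-tls` data keys in later hunks). Once the Secret is re-applied, an old pod still pointing at `/etc/kiam/tls/tls.crt` will fail the next time its container restarts, so the rollout now depends on an operator step the commit does not document. If OnDelete is intended (the dropped `maxUnavailable: 100%` rolling update suggests a host-port conflict during replacement, but that is inferred), add a comment on the strategy saying why and that `kiam-agent` pods must be deleted after an upgrade.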
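Review bot: Removing the three `operator: Exists` tolerations and `priorityClassName: system-node-critical` means the agent no longer lands on any node that carries a taint, and the new `nodeSelector: kubernetes.io/role: node` additionally skips nodes that lack that exact label. The agent is the component that installs the `--iptables` redirect for the metadata endpoint (see its args and the `NET_ADMIN` capability), so a node without an agent leaves every pod on it talking to the instance metadata service directly with the node's credentials. If the intent is only to keep the agent off masters, the old `node.kubernetes.io/role NotIn master` affinity already did that; otherwise keep at least `tolerations: [{operator: Exists}]` next to the new selector so tainted worker nodes stay covered.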
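Review bot: `imagePullPolicy: Always` combined with an image pinned by tag (`{{ .Values.image }}:{{ .Values.tag }}`) re-resolves the tag on every pod start, so a node that cannot reach the registry fails to start the agent, and a re-pushed tag silently changes what runs; with the OnDelete strategy above it also lets two nodes run different builds of "the same" tag. Prefer the default policy with a pinned tag, or pin by digest if always refreshing is the goal.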
@@ -65,18 +54,20 @@ spec:
 - --gateway-timeout-creation=1s
 {{ end -}}
 - --iptables
- {{- if .Config.Cluster.Kubernetes.Networking.AmazonVPC.Enabled }}
+ {{- if .Config.Cluster.Kubernetes.Networking.AmazonVPC.Enabled }}
 - --host-interface=!eni0
- {{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "canal" }}
+ {{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "canal" }}
+ - --host-interface=cali+
+ {{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "calico" }}
 - --host-interface=cali+
- {{- else}}
+ {{- else}}
 - --host-interface=cni0
- {{- end }}
+ {{- end }}
 - --json-log
 - --port=8181
- - --cert=/etc/kiam/tls/tls.crt
- - --key=/etc/kiam/tls/tls.key
- - --ca=/etc/kiam/tls/ca.crt
+ - --cert=/etc/kiam/tls/agent.pem
+ - --key=/etc/kiam/tls/agent-key.pem
+ - --ca=/etc/kiam/tls/ca.pem
 - --server-address={{ .Values.agent.address }}
 - --prometheus-listen-addr=0.0.0.0:9620
 - --prometheus-sync-interval=5s
diff --git a/builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml b/builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml
index 7c9b190aa..fe4f69118 100644
--- a/builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml
+++ b/builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml
@@ -3,8 +3,8 @@ kind: Secret
 metadata:
 name: kiam-agent-tls
 namespace: kube-system
-type: kubernetes.io/tls
+type: Opaque
 data:
- tls.crt: {{ insertTemplateFile "credentials/kiam-agent.pem" . | b64enc }}
- tls.key: {{ insertTemplateFile "credentials/kiam-agent-key.pem" . | b64enc }}
- ca.crt: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
\ No newline at end of file
+ agent.pem: {{ insertTemplateFile "credentials/kiam-agent.pem" . | b64enc }}
+ agent-key.pem: {{ insertTemplateFile "credentials/kiam-agent-key.pem" . | b64enc }}
+ ca.pem: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
\ No newline at end of file
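Review bot: The new `canal` branch and the existing `calico` branch now emit the identical `- --host-interface=cali+` line, so the two CNIs are one future edit away from drifting apart. Collapsing them into a single `{{- else if or (eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "canal") (eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "calico") }}` keeps one source of truth for the Calico interface prefix; the `{{- else}}` fallthrough to `cni0` is unchanged.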
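Review bot: Changing `type: kubernetes.io/tls` to `type: Opaque` gives up the API server's validation that the Secret actually carries `tls.crt`/`tls.key`, and the renamed keys (`agent.pem`, `agent-key.pem`, `ca.pem`) become an unstated contract with the `--cert`/`--key`/`--ca` flags in agent-daemonset.yaml; server-tls-secret.yaml makes the same change against server-daemonset.yaml. If the rename is deliberate, a comment above `data:` such as `# key names must match the --cert/--key/--ca paths in agent-daemonset.yaml` would keep the next edit from breaking one side, and the non-secret `ca.pem` could live in a ConfigMap rather than alongside the private key.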
diff --git a/builtin/files/plugins/kiam/manifests/rbac.yaml b/builtin/files/plugins/kiam/manifests/rbac.yaml
new file mode 100644
index 000000000..e115ea798
--- /dev/null
+++ b/builtin/files/plugins/kiam/manifests/rbac.yaml
@@ -0,0 +1,60 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: kiam-server
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kiam-read
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - pods
+ verbs:
+ - watch
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: kiam-read
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kiam-read
+subjects:
+ - kind: ServiceAccount
+ name: kiam-server
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kiam-write
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: kiam-write
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kiam-write
+subjects:
+ - kind: ServiceAccount
+ name: kiam-server
+ namespace: kube-system
\ No newline at end of file
diff --git a/builtin/files/plugins/kiam/manifests/server-cluster-role-binding.yaml b/builtin/files/plugins/kiam/manifests/server-cluster-role-binding.yaml
deleted file mode 100644
index 916985861..000000000
--- a/builtin/files/plugins/kiam/manifests/server-cluster-role-binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: kiam-server
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kiam-server
-subjects:
-- kind: ServiceAccount
- name: kiam-server
- namespace: kube-system
\ No newline at end of file
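Review bot: All four RBAC objects in the new file use `apiVersion: rbac.authorization.k8s.io/v1beta1`, which is deprecated in favour of `rbac.authorization.k8s.io/v1` since Kubernetes 1.17 and removed in 1.22; the `v1` schema is identical, so the four `apiVersion` lines can become `apiVersion: rbac.authorization.k8s.io/v1` with no other edit. The read/write split itself is a good least-privilege move: `kiam-read` is limited to get/list/watch on pods and namespaces, `kiam-write` to create/patch on events, and both bind only the `kiam-server` ServiceAccount. Consider adding `automountServiceAccountToken` handling only if the agent later gets its own ServiceAccount; the server does need the token.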
diff --git a/builtin/files/plugins/kiam/manifests/server-cluster-role.yaml b/builtin/files/plugins/kiam/manifests/server-cluster-role.yaml
deleted file mode 100644
index 610dff6d6..000000000
--- a/builtin/files/plugins/kiam/manifests/server-cluster-role.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: kiam-server
-rules:
-- apiGroups:
- - ""
- resources:
- - namespaces
- - pods
- verbs:
- - watch
- - get
- - list
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
\ No newline at end of file
diff --git a/builtin/files/plugins/kiam/manifests/server-daemonset.yaml b/builtin/files/plugins/kiam/manifests/server-daemonset.yaml
index 18f46bd06..af1adc56e 100644
--- a/builtin/files/plugins/kiam/manifests/server-daemonset.yaml
+++ b/builtin/files/plugins/kiam/manifests/server-daemonset.yaml
@@ -50,10 +50,13 @@ spec:
 {{ end -}}
 - --json-log
 - --bind=0.0.0.0:443
- - --cert=/etc/kiam/tls/tls.crt
- - --key=/etc/kiam/tls/tls.key
- - --ca=/etc/kiam/tls/ca.crt
+ - --cert=/etc/kiam/tls/server.pem
+ - --key=/etc/kiam/tls/server-key.pem
+ - --ca=/etc/kiam/tls/ca.pem
 - --role-base-arn-autodetect
+ {{- if .Values.assumeRoleArn }}
+ - --assume-role-arn={{ .Values.assumeRoleArn }}
+ {{- end }}
 - --sync=1m
 - --prometheus-listen-addr=0.0.0.0:9620
 - --prometheus-sync-interval=5s
@@ -74,9 +77,9 @@ spec:
 - /health
 - --server-address-refresh=2s
 {{ end -}}
- - --cert=/etc/kiam/tls/tls.crt
- - --key=/etc/kiam/tls/tls.key
- - --ca=/etc/kiam/tls/ca.crt
+ - --cert=/etc/kiam/tls/server.pem
+ - --key=/etc/kiam/tls/server-key.pem
+ - --ca=/etc/kiam/tls/ca.pem
 - --server-address={{ .Values.server.address }}
 - --timeout=5s
 initialDelaySeconds: 10
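Review bot: `- --assume-role-arn={{ .Values.assumeRoleArn }}` drops an operator-supplied value into the manifest as a plain YAML scalar; quoting the item, `- "--assume-role-arn={{ .Values.assumeRoleArn }}"`, keeps a value containing ` #` or `: ` from being read as a comment or a mapping, and the neighbouring `- --server-address={{ .Values.server.address }}` would benefit from the same treatment. The `{{- if .Values.assumeRoleArn }}` guard does correctly omit the flag for the `""` default in plugin.yaml. Since the template is the only place this flag is explained, a comment above the `{{- if` along the lines of `# optional: role kiam-server assumes before assuming pod roles; the node role must be allowed to assume it and pod roles must trust it` (my reading of kiam's flag, worth confirming against its docs) would save operators the usual startup-failure hunt when the trust policy is missing.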
@@ -93,9 +96,9 @@ spec:
 - /health
 - --server-address-refresh=2s
 {{ end -}}
- - --cert=/etc/kiam/tls/tls.crt
- - --key=/etc/kiam/tls/tls.key
- - --ca=/etc/kiam/tls/ca.crt
+ - --cert=/etc/kiam/tls/server.pem
+ - --key=/etc/kiam/tls/server-key.pem
+ - --ca=/etc/kiam/tls/ca.pem
 - --server-address={{ .Values.server.address }}
 - --timeout=5s
 initialDelaySeconds: 3
diff --git a/builtin/files/plugins/kiam/manifests/server-tls-secret.yaml b/builtin/files/plugins/kiam/manifests/server-tls-secret.yaml
index ece545933..7cd557d1e 100644
--- a/builtin/files/plugins/kiam/manifests/server-tls-secret.yaml
+++ b/builtin/files/plugins/kiam/manifests/server-tls-secret.yaml
@@ -3,8 +3,8 @@ kind: Secret
 metadata:
 name: kiam-server-tls
 namespace: kube-system
-type: kubernetes.io/tls
+type: Opaque
 data:
- tls.crt: {{ insertTemplateFile "credentials/kiam-server.pem" . | b64enc }}
- tls.key: {{ insertTemplateFile "credentials/kiam-server-key.pem" . | b64enc }}
- ca.crt: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
\ No newline at end of file
+ server.pem: {{ insertTemplateFile "credentials/kiam-server.pem" . | b64enc }}
+ server-key.pem: {{ insertTemplateFile "credentials/kiam-server-key.pem" . | b64enc }}
+ ca.pem: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
\ No newline at end of file
diff --git a/builtin/files/plugins/kiam/manifests/service-account.yaml b/builtin/files/plugins/kiam/manifests/service-account.yaml
deleted file mode 100644
index 4c52d4096..000000000
--- a/builtin/files/plugins/kiam/manifests/service-account.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-kind: ServiceAccount
-apiVersion: v1
-metadata:
- name: kiam-server
- namespace: kube-system
\ No newline at end of file
diff --git a/builtin/files/plugins/kiam/plugin.yaml b/builtin/files/plugins/kiam/plugin.yaml
index a7802dc96..82f632053 100644
--- a/builtin/files/plugins/kiam/plugin.yaml
+++ b/builtin/files/plugins/kiam/plugin.yaml
@@ -7,6 +7,7 @@ spec:
 image: quay.io/uswitch/kiam
 tag: v3.2
 sessionDuration: 30m
+ assumeRoleArn: ""
 server:
 portName: grpclb
 address: localhost:443
@@ -40,11 +41,7 @@ spec:
 - source:
 path: manifests/service.yaml
 - source:
- path: manifests/service-account.yaml
- - source:
- path: manifests/server-cluster-role.yaml
- - source:
- path: manifests/server-cluster-role-binding.yaml
+ path: manifests/rbac.yaml

 pki:
 keypairs:
@@ -58,11 +55,9 @@ spec:
 commonName: kiam-server
 organization: kube-aws-kiam
 dnsNames:
- - kiam-server
- - kiam-server:443
 - localhost
- - localhost:443
- - localhost:9610
+ - 127.0.0.1
+ - kiam-server
 duration: 8760h
 usages:
 - server
From 74d6610db6e8a88f90028c05533e10f55373c44e Mon Sep 17 00:00:00 2001
From: Dominic Gunn <4493719+dominicgunn@users.noreply.github.com>
Date: Thu, 13 Aug 2020 15:15:11 +0100
Subject: [PATCH 2/2] Forced rebuild.
---
 builtin/files/cluster.yaml.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/builtin/files/cluster.yaml.tmpl b/builtin/files/cluster.yaml.tmpl
index 5d9231ca9..a3ee66ae2 100644
--- a/builtin/files/cluster.yaml.tmpl
+++ b/builtin/files/cluster.yaml.tmpl
@@ -1646,7 +1646,7 @@ kubeAwsPlugins:
 # image: quay.io/uswitch/kiam
 # tag: v3.2
 # sessionDuration: 30m
- # assumeRoleArn: arn.....
+ # assumeRoleArn: arn:aws:iam::....
 # server:
 # portName: grpclb
 # address: localhost:443
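Review bot: `127.0.0.1` is added under `dnsNames`, but an IP literal in a DNS SAN does not satisfy hostname verification for a client dialling `127.0.0.1:443`: Go's TLS verifier (kiam is a Go program) matches an IP target only against IP-address SANs, as far as I know. With `server.address: localhost:443` the `localhost` entry is what actually matches, so the new entry is either dead weight or, if someone switches the address to the IP form, a false sense of coverage; if the keypair spec supports an IP SAN field move it there, otherwise drop it and note next to `address:` that a hostname is required. Dropping `kiam-server:443`, `localhost:443` and `localhost:9610` is right, since a port is not valid inside a DNS SAN.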
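Review bot: The example `# assumeRoleArn: arn:aws:iam::....` is the only operator-facing documentation of the new setting and still says nothing about what the role is for or what trust it needs. A fuller placeholder and a purpose note would help, e.g. `# assumeRoleArn: arn:aws:iam::<account-id>:role/<role-name>  # optional; role kiam-server assumes before assuming pod roles, leave empty to use the node role` (my reading of kiam's flag, worth confirming). The first-patch version of this hunk is superseded by this one, so only this text needs changing.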