Amazon S3: buckets with IAM role for K8s service accounts #27
Conversation
There was a problem hiding this comment.
Looks good to me, though I haven't tried it out. Good question about which repo this should live in, but I agree with your thought process, and separating it from the main deploy.yaml script makes sense to me. How does this work with the existing CloudFormation code we have to make S3 buckets. Seems like we'd be duplicating that work. Or does it work just to manually specify k8s_public_bucket and k8s_private_bucket to match the values that CloudFormation created for us?
README.rst
Outdated
| Amazon S3: IAM role for service accounts | ||
| ```````````````````````````````````````` | ||
|
|
||
| Django applications running on AWS typically use Amazon S3 for static and media |
There was a problem hiding this comment.
Maybe just say "web applications" because of #26 :)
| region: "{{ k8s_s3_region }}" | ||
| encryption: AES256 | ||
|
|
||
| # Not available via Ansible module as of 7/2020 |
There was a problem hiding this comment.
Bummer :( I've subscribed to the relevant github issue...
| ], | ||
| "Resource": [ | ||
| "arn:aws:s3:::{{ k8s_s3_public_bucket }}", | ||
| "arn:aws:s3:::{{ k8s_s3_private_bucket }}", |
There was a problem hiding this comment.
Not sure how strict these have to be but JSON doesn't allow trailing commas.
Add optional support for enabling a Kubernetes service account and associated IAM role that defines the access to public and private S3 buckets for each environment. This provides similar functionality of EC2 instance profiles within Kubernetes namespaces.
At a high level, the process is:
The
securityContextalso had to be updated so that non-root users could access the token on the filesystem in the container per this solution.I debated whether or not this should exist here or within ansible-role-k8s-web-cluster. I ended up settling on here due to the re-use of environment-specific variables. However, it certainly touches on both projects and am open to suggestions.