This repository has moved to particule, a more general repository supporting multiple cloud providers. It is also available on the Terraform registry.

Provides various addons that are often used on Kubernetes with AWS.
- Common addons, with associated IAM permissions where needed:
  - cluster-autoscaler: scales worker nodes based on workload.
  - external-dns: syncs Ingress and Service records into Route 53.
  - cert-manager: automatically generates TLS certificates, supports ACME v2.
  - kiam: prevents pods from accessing EC2 metadata and enables pods to assume specific AWS IAM roles.
  - nginx-ingress: processes Ingress objects and acts as an HTTP/HTTPS proxy (compatible with cert-manager).
  - metrics-server: enables the metrics API and horizontal pod autoscaling (HPA).
  - prometheus-operator: monitoring, alerting and dashboards.
  - karma: an Alertmanager dashboard.
  - fluentd-cloudwatch: forwards logs to AWS CloudWatch.
  - node-problem-detector: forwards node problems to Kubernetes events.
  - flux: continuous delivery with a GitOps workflow.
  - sealed-secrets: technology agnostic, stores secrets in git.
  - istio-operator: service mesh for Kubernetes.
  - cni-metrics-helper: provides CloudWatch metrics for the VPC CNI plugin.
  - kong: API gateway ingress controller.
  - keycloak: identity and access management.
  - alb-ingress: uses an AWS ALB for Ingress resources.
  - aws-calico: uses Calico for network policy.
  - aws-node-termination-handler: manages the spot instance lifecycle.
  - aws-for-fluent-bit: CloudWatch logging with Fluent Bit instead of fluentd.
User guides, feature documentation and examples are available here.

This module can use either IRSA (IAM Roles for Service Accounts), which is the recommended method, or Kiam.

Kiam prevents pods from accessing the EC2 instance's IAM role, and therefore from using the instance role to perform actions on AWS. It also allows pods to assume specific IAM roles if needed. To do so, kiam-agent acts as an iptables proxy on the nodes: it intercepts requests made to the EC2 metadata endpoint and redirects them to a kiam-server, which fetches IAM credentials and passes them to the pods.

Kiam runs with an IAM user and uses an access key and secret key (AK/SK).
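The kiam-server decision described above (pod asks for a role through its annotation, namespace must opt in with a permitted-roles regex, unannotated pods get no credentials at all) is easy to misconfigure with an unanchored regex. The following is an added example, not code from this module or from the kiam project: it models that decision in Python over constructed pod and namespace manifests. The annotation keys are kiam's real ones; the unanchored regex matching is an assumption about kiam's behaviour, and the sample manifests are constructed.

```python
import re

# Annotation keys kiam reads (kiam's real annotation names).
ROLE_ANNOTATION = "iam.amazonaws.com/role"
PERMITTED_ANNOTATION = "iam.amazonaws.com/permitted"


def _annotations(obj):
    """Return the annotations map of a Kubernetes object (empty if absent)."""
    return obj.get("metadata", {}).get("annotations", {}) or {}


def resolve_role(pod, namespace):
    """Return the IAM role kiam-server would hand to this pod, or None.

    Models the kiam decision: the pod must request a role via its annotation,
    the namespace must opt in with a permitted-roles regex, and the requested
    role must match that regex. A pod that asks for nothing gets nothing, so
    it can never fall back to the node's instance profile.
    """
    role = _annotations(pod).get(ROLE_ANNOTATION)
    if not role:
        return None  # no annotation: kiam serves no credentials at all
    pattern = _annotations(namespace).get(PERMITTED_ANNOTATION)
    if pattern is None:
        return None  # namespace never opted in: deny
    # Modelled as an unanchored search (assumption about kiam's matching).
    # Anchor patterns with ^...$ so "external-dns" cannot also admit
    # "external-dns-admin".
    if re.search(pattern, role) is None:
        return None
    return role


# Constructed sample manifests, trimmed to the fields kiam looks at.
NAMESPACE_ANCHORED = {
    "metadata": {"name": "infra",
                 "annotations": {PERMITTED_ANNOTATION: "^external-dns$"}},
}
NAMESPACE_LOOSE = {
    "metadata": {"name": "infra-loose",
                 "annotations": {PERMITTED_ANNOTATION: "external-dns"}},
}
NAMESPACE_NO_OPTIN = {"metadata": {"name": "default"}}

POD_EXTERNAL_DNS = {
    "metadata": {"name": "external-dns-0",
                 "annotations": {ROLE_ANNOTATION: "external-dns"}},
}
POD_OVERREACH = {
    "metadata": {"name": "other-0",
                 "annotations": {ROLE_ANNOTATION: "external-dns-admin"}},
}
POD_UNANNOTATED = {"metadata": {"name": "plain-0"}}


def demo():
    """Evaluate every sample pod against every sample namespace."""
    results = {}
    for ns in (NAMESPACE_ANCHORED, NAMESPACE_LOOSE, NAMESPACE_NO_OPTIN):
        for pod in (POD_EXTERNAL_DNS, POD_OVERREACH, POD_UNANNOTATED):
            key = (ns["metadata"]["name"], pod["metadata"]["name"])
            results[key] = resolve_role(pod, ns)
    return results


if __name__ == "__main__":
    for (ns, pod), role in demo().items():
        print(f"{ns:12} {pod:16} -> {role or 'denied'}")
```

Running the script shows the one case worth auditing in a real cluster: the loose namespace (`external-dns` without anchors) lets the `external-dns-admin` request through, while the anchored namespace refuses it.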
Some addons interface with the AWS API, for example:

- cluster-autoscaler
- external-dns
- cert-manager
- virtual-kubelet
- cni-metrics-helper
- flux
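Each of the addons listed above needs an IAM role, and with IRSA what keeps that role from being assumed by any other pod in the cluster is the trust policy's `sub` condition on the cluster's OIDC provider. The following is an added example, not code from this module: it builds the standard IRSA trust policy for one service account and audits an existing policy for the two common mistakes (no `sub` condition, or a wildcard in it). The account id and OIDC issuer are constructed placeholders; the policy shape is the documented IRSA structure.

```python
import json

ASSUME_WEB_IDENTITY = "sts:AssumeRoleWithWebIdentity"

# Constructed placeholders; replace with your account and cluster issuer.
ACCOUNT_ID = "123456789012"
OIDC_ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEISSUERID"


def irsa_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Build a trust policy that only one service account may use.

    oidc_issuer is the cluster issuer without the https:// scheme. The :sub
    condition pins the role to one namespace/service-account pair and :aud
    pins the token audience to STS.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}",
            },
            "Action": ASSUME_WEB_IDENTITY,
            "Condition": {
                "StringEquals": {
                    f"{oidc_issuer}:sub":
                        f"system:serviceaccount:{namespace}:{service_account}",
                    f"{oidc_issuer}:aud": "sts.amazonaws.com",
                },
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return findings for Allow statements that let a web identity assume the
    role without being pinned to a single service account."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if ASSUME_WEB_IDENTITY not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        sub_values = []
        for operator in ("StringEquals", "StringLike"):
            for key, val in cond.get(operator, {}).items():
                if key.endswith(":sub"):
                    sub_values.extend(_as_list(val))
        if not sub_values:
            findings.append(f"statement {idx}: no :sub condition, any service "
                            "account in the cluster can assume this role")
        elif any("*" in v for v in sub_values):
            findings.append(f"statement {idx}: wildcard in :sub {sub_values}, "
                            "role is not pinned to one service account")
    return findings


def loose_policy():
    """Constructed 'before' policy: trusts the provider, forgets the :sub pin."""
    policy = irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, "infra", "external-dns")
    del policy["Statement"][0]["Condition"]["StringEquals"][f"{OIDC_ISSUER}:sub"]
    return policy


if __name__ == "__main__":
    good = irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, "infra", "external-dns")
    print(json.dumps(good, indent=2))
    print("good policy findings:", audit_trust_policy(good))
    print("loose policy findings:", audit_trust_policy(loose_policy()))
```

The audit walks only `Allow` statements for `sts:AssumeRoleWithWebIdentity`, so a trust policy that additionally lets an account principal assume the role for break-glass access is not flagged; extend the action check if you want those reviewed too.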
| Name | Version |
|---|---|
| aws | n/a |
| helm | n/a |
| http | n/a |
| kubectl | n/a |
| kubernetes | n/a |
| random | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws | AWS provider customization | any | `{}` | no |
| cert_manager | Customize cert-manager chart, see cert_manager.tf for supported values | any | `{}` | no |
| cluster-name | Name of the Kubernetes cluster | string | `"sample-cluster"` | no |
| cluster_autoscaler | Customize cluster-autoscaler chart, see cluster_autoscaler.tf for supported values | any | `{}` | no |
| cni_metrics_helper | Customize cni-metrics-helper deployment, see cni_metrics_helper.tf for supported values | any | `{}` | no |
| eks | EKS cluster inputs | any | `{}` | no |
| external_dns | Customize external-dns chart, see external_dns.tf for supported values | any | `{}` | no |
| fluentd_cloudwatch | Customize fluentd-cloudwatch chart, see fluentd-cloudwatch.tf for supported values | any | `{}` | no |
| flux | Customize fluxcd chart, see flux.tf for supported values | any | `{}` | no |
| helm_defaults | Customize default Helm behavior | any | `{}` | no |
| istio_operator | Customize istio operator deployment, see istio_operator.tf for supported values | any | `{}` | no |
| karma | Customize karma chart, see karma.tf for supported values | any | `{}` | no |
| keycloak | Customize keycloak chart, see keycloak.tf for supported values | any | `{}` | no |
| kiam | Customize kiam chart, see kiam.tf for supported values | any | `{}` | no |
| kong | Customize kong-ingress chart, see kong.tf for supported values | any | `{}` | no |
| metrics_server | Customize metrics-server chart, see metrics_server.tf for supported values | any | `{}` | no |
| nginx_ingress | Customize nginx-ingress chart, see nginx-ingress.tf for supported values | any | `{}` | no |
| npd | Customize node-problem-detector chart, see npd.tf for supported values | any | `{}` | no |
| priority_class | Customize a priority class for addons | any | `{}` | no |
| priority_class_ds | Customize a priority class for addons daemonsets | any | `{}` | no |
| prometheus_operator | Customize prometheus-operator chart, see kube_prometheus.tf for supported values | any | `{}` | no |
| sealed_secrets | Customize sealed-secrets chart, see sealed-secrets.tf for supported values | any | `{}` | no |
| Name | Description |
|---|---|
| flux-role-arn-irsa | n/a |
| flux-role-arn-kiam | n/a |
| flux-role-name-irsa | n/a |
| flux-role-name-kiam | n/a |
| grafana_password | n/a |
| kiam-server-role-arn | n/a |
| kiam-server-role-name | n/a |