Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ Add IRSA to EKS workload clusters #2070

Merged
merged 1 commit into from
Jan 15, 2021

Conversation

MarcusNoble
Copy link
Contributor

What this PR does / why we need it:
Creates an OIDC Identity Provider and associates it with the managed control plane so IAM Roles for Service Accounts can be used in the workload cluster.
An example boilerplate trust policy needed for IAM role to be usable by service accounts is provided as a ConfigMap in the default namespace of the workload cluster (envsubt compatible).

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #2054

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 26, 2020
@k8s-ci-robot
Copy link
Contributor

Hi @MarcusNoble. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 26, 2020
@MarcusNoble MarcusNoble marked this pull request as ready for review October 26, 2020 10:11
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 26, 2020
@voor
Copy link
Member

voor commented Oct 27, 2020

Maybe the iam stuff should be toggled? Those seem like pretty heavy hitting permissions.

@randomvariable
Copy link
Member

All of this functionality should be behind the EnableIAM flag as there is a risk of privilege escalation.

@randomvariable
Copy link
Member

/ok-to-test
/hold

I think we need to get e2e tests in place before we add more features.

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 27, 2020
@richardcase
Copy link
Member

I think we need to get e2e tests in place before we add more features.

Not too long until they are ready....got distracted by other work last week.

Copy link
Member

@richardcase richardcase left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looking good to me.

pkg/cloud/services/eks/oidc.go Show resolved Hide resolved
@MarcusNoble
Copy link
Contributor Author

All of this functionality should be behind the EnableIAM flag as there is a risk of privilege escalation.

@randomvariable most of the code is behind the AssociateOIDCProvider property being set to true. Are you referring to the additional IAM permissions needed for managing OIDC?

@MarcusNoble MarcusNoble force-pushed the oidc branch 2 times, most recently from fbc419d to 3dfbf0f Compare October 29, 2020 07:44
@MarcusNoble
Copy link
Contributor Author

/assign @vincepri

pkg/cloud/services/eks/oidc.go Show resolved Hide resolved
func (s *Service) buildOIDCTrustPolicy() string {
providerARN := s.scope.ControlPlane.Status.OIDCProvider.ARN

return fmt.Sprintf(`{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should probably change this from a embedded string to use the iam types we have:
https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/master/cmd/clusterawsadm/api/iam/v1alpha1/types.go#L66

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

pkg/cloud/services/eks/oidc.go Show resolved Hide resolved
@richardcase
Copy link
Member

@MarcusNoble - this is looking good to me. Would you be able to squash the commits so that it tells a story?

@randomvariable
Copy link
Member

/unhold

We can bring this back to consideration

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 12, 2021
@MarcusNoble
Copy link
Contributor Author

/test ?

@k8s-ci-robot
Copy link
Contributor

@MarcusNoble: The following commands are available to trigger jobs:

  • /test pull-cluster-api-provider-aws-test
  • /test pull-cluster-api-provider-aws-build
  • /test pull-cluster-api-provider-aws-verify
  • /test pull-cluster-api-provider-aws-e2e-conformance
  • /test pull-cluster-api-provider-aws-e2e-conformance-with-ci-artifacts
  • /test pull-cluster-api-provider-aws-e2e
  • /test pull-cluster-api-provider-aws-e2e-eks

Use /test all to run the following jobs:

  • pull-cluster-api-provider-aws-test
  • pull-cluster-api-provider-aws-build
  • pull-cluster-api-provider-aws-verify

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@MarcusNoble
Copy link
Contributor Author

/test pull-cluster-api-provider-aws-e2e-eks

@richardcase
Copy link
Member

@MarcusNoble - that failed quick :( Looks like there are some files have been removed from the hack/ folder. Let me fix the tests

@MarcusNoble
Copy link
Contributor Author

Ah! I thought it was me not rebasing. Looks like it was removed here: 30d870e#diff-4f4d6d4dd9d639f8061109d558a575d7b2d69335cc9427579ad1bd8b01842406

@richardcase
Copy link
Member

Just created #2199 with an update to the script. I've just set the tests off on that PR

@MarcusNoble
Copy link
Contributor Author

/test pull-cluster-api-provider-aws-e2e-eks

1 similar comment
@richardcase
Copy link
Member

/test pull-cluster-api-provider-aws-e2e-eks

@randomvariable
Copy link
Member

lgtm in principle

squash that "clean up" commit perhaps.

/assign @richardcase

@richardcase
Copy link
Member

/test pull-cluster-api-provider-aws-e2e-eks

@MarcusNoble
Copy link
Contributor Author

/test pull-cluster-api-provider-aws-e2e-eks

@randomvariable
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 15, 2021
@richardcase
Copy link
Member

The e2e tests passed so:

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 15, 2021
@k8s-ci-robot k8s-ci-robot merged commit 29f7b24 into kubernetes-sigs:master Jan 15, 2021
@MarcusNoble MarcusNoble deleted the oidc branch January 15, 2021 12:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support for IAM roles for service account setup in workload cluster
7 participants