group-operator

The group-operator is a Kubernetes operator that enumerates the members of an IAM group and adds them to the mapUsers list in the aws-auth ConfigMap. It utilizes Zalando's kopf, a framework for writing Kubernetes operators in Python.
The operator watches for the creation, modification, or deletion of an iamgroup object. The iamgroup object is implemented as a Custom Resource Definition (CRD) that specifies the IAM group you want to add to the aws-auth ConfigMap and the RBAC role/group to associate with the users of that group.

Installing the operator

Creating an IAM role and service account

Since the operator needs to get the members of an IAM group, it needs a Kubernetes service account that allows it to assume an IAM role that grants it permission to call the get_group API. This is accomplished using the new IAM Roles for Service Accounts (IRSA) feature for EKS, which requires Kubernetes v1.13 or higher.

eksctl is far and away the easiest way to create the IAM role and the corresponding Kubernetes service account. Start by running the following commands:

eksctl utils associate-iam-oidc-provider --name=<cluster> --approve
eksctl create iamserviceaccount --cluster=<clusterName> --name=iamreader --namespace=default --attach-policy-arn=<policyARN>

When creating the service account, use the ARN of the IAMReadOnlyAccess AWS managed policy, e.g. arn:aws:iam::aws:policy/IAMReadOnlyAccess, or scope the policy down so that the service account is only allowed to list the members of an IAM group.

Creating the RBAC roles

In addition to calling the IAM API, the operator calls several Kubernetes APIs. For example, the operator reads iamgroup objects and updates the aws-auth ConfigMap. There is also a set of permissions required by the kopf framework. All of these permissions are packaged in the rbac.yaml manifest. You can apply these permissions to the cluster by running:

kubectl apply -f rbac.yaml

Creating the iamgroups CRD

The group-operator relies on a CRD that specifies the IAM group to add to the aws-auth ConfigMap and the Kubernetes RBAC role, e.g. system:masters, that should be assigned to the members of that group. Create the CRD by running:

kubectl apply -f crd.yaml

After the CRD has been created you can create iamgroup objects. Below is an example of an iamgroup that adds the members of newgroup to the aws-auth ConfigMap and assigns them the system:masters role.

apiVersion: jicomusic.com/v1
kind: IAMGroup
metadata:
  name: newgroup
spec:
  groupName: newgroup
  rbacRole: system:masters

Note: the metadata name only accepts lowercase characters.

Deploying the operator

The deployment.yaml manifest in this repository references a serviceAccountName that has to be set to the service account created in the Creating an IAM role and service account step above.
Once that's done, the operator can be deployed by running:

kubectl apply -f deployment.yaml

Create an iamgroup object

With the operator running, create a new iamgroup manifest and apply it to the cluster. For an example, see the obj.yaml in this repository.

After the object has been applied to the cluster, get the aws-auth ConfigMap by running:

kubectl get configmap aws-auth -n kube-system -o yaml

If the operator is working properly, you should see output resembling this:

apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/grateful-banana-nodegroup-ng-bc4be-NodeInstanceRole-10RG7REOWCU6G
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    - groups:
      - system:masters
      userarn: arn:aws:iam::123456789012:user/rex-ray
      username: rex-ray
    - groups:
      - system:masters
      userarn: arn:aws:iam::123456789012:user/kube-logger
      username: kube-logger
    - groups:
      - view
      userarn: arn:aws:iam::123456789012:user/heptio-ark
      username: heptio-ark
    - groups:
      - view
      userarn: arn:aws:iam::123456789012:user/eks-user
      username: eks-user
kind: ConfigMap
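The mapUsers section shown above is the result of the operator merging the members of the IAM group into whatever aws-auth already contained. The following is an added example, not the group-operator's own code, of the reconciliation logic that produces such a merge: members already present are updated in place rather than duplicated, a member who has left the IAM group loses the role, and entries that were put into mapUsers by other means (heptio-ark and eks-user here) are left alone. The get_group response and the pre-existing mapUsers list are constructed sample data; in the real operator boto3 returns the former and the Kubernetes API plus PyYAML supply the latter. The function names (desired_entries, reconcile_map_users, render_map_users) are this example's own.

```python
"""Reconcile IAM group members into the mapUsers section of aws-auth.

Added example; not part of the group-operator repository. The names and
sample data below are constructed for illustration.
"""
from typing import Dict, List

# Constructed sample: the fields of a boto3 iam.get_group() response that
# matter here. A real response also carries IsTruncated/Marker.
GET_GROUP_RESPONSE = {
    "Group": {"GroupName": "newgroup",
              "Arn": "arn:aws:iam::123456789012:group/newgroup"},
    "Users": [
        {"UserName": "rex-ray", "Arn": "arn:aws:iam::123456789012:user/rex-ray"},
        {"UserName": "kube-logger", "Arn": "arn:aws:iam::123456789012:user/kube-logger"},
    ],
    "IsTruncated": False,
}

# Constructed sample: mapUsers before reconciliation, already parsed from
# YAML. heptio-ark and eks-user were added by someone else and must survive;
# old-admin carries the managed role but is no longer in the IAM group.
EXISTING_MAP_USERS = [
    {"userarn": "arn:aws:iam::123456789012:user/heptio-ark",
     "username": "heptio-ark", "groups": ["view"]},
    {"userarn": "arn:aws:iam::123456789012:user/eks-user",
     "username": "eks-user", "groups": ["view"]},
    {"userarn": "arn:aws:iam::123456789012:user/old-admin",
     "username": "old-admin", "groups": ["system:masters"]},
]


def desired_entries(get_group_response: Dict, rbac_role: str) -> List[Dict]:
    """Translate IAM group members into aws-auth mapUsers entries.

    get_group returns at most one page of members. Refusing a truncated
    response matters: treating a partial member list as the full group
    would silently revoke access for everyone past the first page. The
    real operator should iterate the get_group paginator instead.
    """
    if get_group_response.get("IsTruncated"):
        raise ValueError("truncated get_group response; fetch all pages first")
    return [
        {"userarn": u["Arn"], "username": u["UserName"], "groups": [rbac_role]}
        for u in get_group_response["Users"]
    ]


def reconcile_map_users(existing: List[Dict], desired: List[Dict],
                        rbac_role: str) -> List[Dict]:
    """Return the new mapUsers list, keyed on userarn.

    Assumption of this example: one iamgroup object manages a given
    rbac_role, so any existing entry carrying that role but absent from
    the IAM group is treated as stale and removed. Entries for other roles
    are never touched, and existing members are refreshed, not duplicated.
    """
    wanted = {e["userarn"]: e for e in desired}
    result = []
    for entry in existing:
        arn = entry["userarn"]
        if arn in wanted:
            result.append(wanted.pop(arn))      # still a member: refresh in place
        elif rbac_role in entry.get("groups", []):
            continue                            # left the IAM group: revoke
        else:
            result.append(entry)                # managed elsewhere: keep as-is
    result.extend(wanted.values())              # members not yet in aws-auth
    return result


def render_map_users(entries: List[Dict]) -> str:
    """Serialize entries in the block-style YAML that aws-auth stores.

    PyYAML's safe_dump does this in a real operator; it is hand-rolled here
    only to keep the example dependency-free.
    """
    lines = []
    for e in entries:
        lines.append("- groups:")
        for g in e["groups"]:
            lines.append(f"  - {g}")
        lines.append(f"  userarn: {e['userarn']}")
        lines.append(f"  username: {e['username']}")
    return "\n".join(lines) + "\n"


def aws_auth_patch(entries: List[Dict]) -> Dict:
    """Body of the merge patch the operator would apply to aws-auth."""
    return {"data": {"mapUsers": render_map_users(entries)}}


if __name__ == "__main__":
    desired = desired_entries(GET_GROUP_RESPONSE, "system:masters")
    merged = reconcile_map_users(EXISTING_MAP_USERS, desired, "system:masters")
    print(render_map_users(merged))
    # A second pass over the same inputs changes nothing (idempotent).
    assert reconcile_map_users(merged, desired, "system:masters") == merged
```

The stale-entry rule is the part worth reviewing before adopting such logic: because revocation is driven by the role name, two iamgroup objects mapping different IAM groups to the same RBAC role would fight over each other's members. Tagging managed entries, or recording the last-seen member list in the object's status, removes that ambiguity.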