This is a rework of the readme PR. (#46)
* Updating Readme file
* Files needed for setup are now in config/setup
* Simplified the readme to get a better getting started flow.
* Added links to references, and updated prereqs
1 parent dcef21a, commit 9e1831a. Showing 9 changed files with 330 additions and 8 deletions.
config/setup/aws-eks-cluster-controller-management-role.yaml: 42 additions & 0 deletions
@@ -0,0 +1,42 @@ | ||
# this role need to be created in child aws account | ||
AWSTemplateFormatVersion: "2010-09-09" | ||
Description: "Role for the aws-eks-cluster-controller to assume" | ||
|
||
Parameters: | ||
TrustedEntities: | ||
Type: CommaDelimitedList | ||
Description: AWS entities(IAM role ARNs, IAM user ARN, etc) allowed to assume this role in comma separated fashion | ||
|
||
Resources: | ||
AWSServiceControllerRole: | ||
Type: AWS::IAM::Role | ||
Properties: | ||
RoleName: aws-eks-cluster-controller-management | ||
AssumeRolePolicyDocument: | ||
Version: "2012-10-17" | ||
Statement: | ||
- | ||
Effect: "Allow" | ||
Principal: | ||
AWS: !Ref TrustedEntities | ||
Action: "sts:AssumeRole" | ||
Policies: | ||
- PolicyName: aws-eks-cluster-controller-management | ||
PolicyDocument: | | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"ec2:*", | ||
"autoscaling:*", | ||
"iam:*", | ||
"cloudformation:*", | ||
"eks:*", | ||
"sts:*" | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} |
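Review bot: the inline policy grants `ec2:*`, `autoscaling:*`, `iam:*`, `cloudformation:*`, `eks:*` and `sts:*` on `"Resource": "*"`, which makes this role effectively an administrator of the child account, and `iam:*` in particular lets anyone who can assume it create further principals and policies. Consider scoping `iam:*` to the actions and role-name prefixes the controller actually needs (for example `iam:PassRole` on the cluster and node-group roles it creates) and narrowing `sts:*` to `sts:AssumeRole` and `sts:GetCallerIdentity`. The trust policy also has no `Condition` (such as `sts:ExternalId`) on the cross-account `sts:AssumeRole`, which is the usual guard against confused-deputy use of a role that trusts external principals. Minor: the first-line comment should read "this role needs to be created in the child AWS account".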
@@ -0,0 +1,51 @@ | ||
# this role need to be created in parent AWS account to be used with kube2iam | ||
AWSTemplateFormatVersion: "2010-09-09" | ||
Description: "Role for the eks-cluster-controller" | ||
|
||
Parameters: | ||
WorkerArn: | ||
Type: String | ||
Description: The arn of the worker nodes used to assume this role | ||
|
||
Resources: | ||
AWSServiceControllerRole: | ||
Type: AWS::IAM::Role | ||
Properties: | ||
RoleName: aws-eks-cluster-controller | ||
AssumeRolePolicyDocument: !Sub | ||
- | | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "ec2.amazonaws.com" | ||
}, | ||
"Action": "sts:AssumeRole" | ||
}, | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"AWS": "${WorkerArn}" | ||
}, | ||
"Action": "sts:AssumeRole" | ||
} | ||
] | ||
} | ||
- WorkerArn: !Ref WorkerArn | ||
Policies: | ||
- PolicyName: aws-eks-cluster-controller | ||
PolicyDocument: | | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"sts:AssumeRole" | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} |
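Review bot: the inline policy allows `sts:AssumeRole` on `"Resource": "*"`, so this role may attempt to assume any role in any account that trusts it; since the only target it needs is the child-account `aws-eks-cluster-controller-management` role from the sibling template, scope the resource to `arn:aws:iam::*:role/aws-eks-cluster-controller-management` (or to the specific child account IDs). In the trust policy, if this role is only ever assumed through kube2iam then the worker instance role (`${WorkerArn}`) is the principal that matters and the separate `ec2.amazonaws.com` service-principal statement can be dropped; keeping both widens who can assume the role. Minor: the first-line comment should read "this role needs to be created in the parent AWS account".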
@@ -0,0 +1,82 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: kube2iam | ||
namespace: default | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: kube2iam | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- namespaces | ||
- pods | ||
verbs: | ||
- get | ||
- watch | ||
- list | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: kube2iam | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: kube2iam | ||
subjects: | ||
- kind: ServiceAccount | ||
name: kube2iam | ||
namespace: default | ||
--- | ||
apiVersion: extensions/v1beta1 | ||
kind: DaemonSet | ||
metadata: | ||
generation: 1 | ||
labels: | ||
app: kube2iam | ||
name: kube2iam | ||
namespace: default | ||
spec: | ||
revisionHistoryLimit: 10 | ||
selector: | ||
matchLabels: | ||
name: kube2iam | ||
template: | ||
metadata: | ||
labels: | ||
name: kube2iam | ||
spec: | ||
containers: | ||
- args: | ||
- --auto-discover-base-arn | ||
- --host-interface=eni+ | ||
- --host-ip=$(HOST_IP) | ||
- --iptables=true | ||
env: | ||
- name: HOST_IP | ||
valueFrom: | ||
fieldRef: | ||
apiVersion: v1 | ||
fieldPath: status.podIP | ||
image: jtblin/kube2iam:0.10.4 | ||
imagePullPolicy: IfNotPresent | ||
name: kube2iam | ||
ports: | ||
- containerPort: 8181 | ||
hostPort: 8181 | ||
name: http | ||
protocol: TCP | ||
securityContext: | ||
privileged: true | ||
dnsPolicy: ClusterFirst | ||
hostNetwork: true | ||
serviceAccountName: kube2iam | ||
updateStrategy: | ||
rollingUpdate: | ||
maxUnavailable: 1 | ||
type: RollingUpdate |
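Review bot: the DaemonSet uses `apiVersion: extensions/v1beta1`, which is deprecated and removed from Kubernetes 1.16 onward; switch to `apps/v1` (the manifest already carries the `selector.matchLabels` that `apps/v1` requires). The pod runs with `privileged: true` together with `hostNetwork: true`; kube2iam needs iptables access for `--iptables=true`, but it is worth testing whether `securityContext.capabilities.add: [NET_ADMIN]` (plus `NET_RAW` if the image needs it) is enough instead of full privilege, so that a compromised kube2iam pod has less reach into the node. Two smaller points: with `hostNetwork: true` the `status.podIP` behind `HOST_IP` resolves to the node IP, which is the intended value here and could be noted in a comment, and the image is pinned by tag (`jtblin/kube2iam:0.10.4`) rather than by digest.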
@@ -0,0 +1,14 @@ | ||
aws-eks-cluster-controller models following resources as Kubernetes [CustomResourceDefinitions(CRDs)](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/): | ||
|
||
### Current Resources | ||
1. EKS Clusters | ||
1. EKS Controlplane | ||
1. EKS Nodegroups | ||
1. Kubernetes [Deployments](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#deployment-v1-apps) | ||
1. Kubernetes [Services](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#service-v1-core) | ||
1. Kubernetes [ConfigMaps](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#configmap-v1-core) | ||
1. Kubernetes [Ingress](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#ingress-v1beta1-extensions) | ||
1. Kubernetes [Secrets](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#secret-v1-core) | ||
|
||
### Future Resources | ||
None current planned. Please include a link to the issue that describing the use case. |
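Review bot: "models following resources" should read "models the following resources", and the Future Resources paragraph needs a grammar fix and a clearer instruction: "None current planned. Please include a link to the issue that describing the use case." reads better as "None currently planned. To request one, open an issue describing the use case and link to it here."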
@@ -0,0 +1,20 @@ | ||
### Create resources on child AWS account | ||
Make sure you can access parent EKS cluster using kubectl. | ||
|
||
#### Create EKS cluster in child account | ||
* Check the `config/samples/cluster_v1alpha1_eks.yaml` and make necessary changes | ||
``` | ||
kubectl apply -f config/samples/cluster_v1alpha1_eks.yaml | ||
``` | ||
#### Create Deployment in child EKS cluster | ||
* Make changes to `config/samples/components_v1alpha1_deployment.yaml`, if required. | ||
``` | ||
kubectl apply -f config/samples/components_v1alpha1_deployment.yaml | ||
``` | ||
#### Create Service in child EKS cluster | ||
* Make changes to `config/samples/components_v1alpha1_service.yaml`, if required. | ||
``` | ||
kubectl apply -f config/samples/components_v1alpha1_service.yaml | ||
``` | ||
#### Other samples | ||
There are sample files in `config/samples` directory for other resources. |
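Review bot: the three fenced blocks have no language tag; tagging them ```shell gives highlighting and makes clear they are commands to run. "Make sure you can access parent EKS cluster using kubectl" is missing an article ("the parent EKS cluster"), and "Check the ... and make necessary changes" reads more naturally as "make any necessary changes". Since each step applies a sample file, the list items and the fenced commands should be consistently nested (either all under the bullet or all at top level) so the rendered Markdown does not alternate between the two.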
@@ -0,0 +1,16 @@ | ||
# Local Development | ||
This is the process where you can start building and testing locally. | ||
|
||
### Prerequisites | ||
The same prerequisites from the [readme](../README.md#Prerequisites) | ||
|
||
You will also need a kubernetes cluster running, docker comes with one, or follow the steps from the readme [Setup Parent EKS cluster](../README.md#Setup-Parent-EKS-cluster) | ||
|
||
Your local environment will need to be able to assume the role that manages the remote environment. | ||
|
||
##### Run controller locally | ||
1. Run the controller | ||
``` | ||
make run | ||
``` | ||
Generally you will iterate on this step in development or testing out something quickly. |
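Review bot: the heading levels jump from `###` (Prerequisites) to `#####` (Run controller locally) with no `####` in between; use `###` or `####` so the outline renders consistently. "docker comes with one" should be more specific ("Docker Desktop ships with a single-node Kubernetes cluster"), and the `make run` block lacks a language tag. The sentence "Your local environment will need to be able to assume the role that manages the remote environment" would be more useful if it named the role (the parent-account `aws-eks-cluster-controller` role created from config/setup) and how the controller picks up credentials when run locally, for example through the standard AWS credential chain and `AWS_PROFILE`.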