diff --git a/README.md b/README.md
index 9dbc5879..c20c8112 100644
--- a/README.md
+++ b/README.md
@@ -282,7 +282,31 @@ EOF
 1. Install the operator from the [Installation](#installation) section.
-2. Create secret:
+2. When running on AWS, you have a number of ways to give permission to the managed K8sGPT workload to access Amazon Bedrock.
+* Grant access to Bedrock using the Kubernetes Service Account. This is the [best practices method for assigning permissions to Kubernetes Pods](https://aws.github.io/aws-eks-best-practices/security/docs/iam/#identities-and-credentials-for-eks-pods). There are a few ways to do this:
+ * On Amazon EKS, using [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html)
+ * On Amazon EKS, using [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
+ * On self-managed Kubernetes, using IAM Roles for Service Accounts (IRSA) with the [Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook)
+* Grant access to Bedrock using AWS credentials in a Kubernetes Secret. Note this goes [against AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles) and should be used with caution.
+
+To grant access to Bedrock using a Kubernetes Service account, create an IAM role with Bedrock permissions. An example policy is included below:
+```
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "bedrock:InvokeModel",
+ "bedrock:InvokeModelWithResponseStream"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+To grant access to Bedrock using AWS credentials in a Kubernetes secret you can create a secret:
 ```sh
 kubectl create secret generic bedrock-sample-secret --from-literal=AWS_ACCESS_KEY_ID="$(echo $AWS_ACCESS_KEY_ID)" --from-literal=AWS_SECRET_ACCESS_KEY="$(echo $AWS_SECRET_ACCESS_KEY)" -n k8sgpt-operator-system
 ```
@@ -297,8 +321,8 @@ metadata:
 spec:
 ai:
 enabled: true
- secret:
- name: bedrock-sample-secret
+ # secret:
+ # name: bedrock-sample-secret
 model: anthropic.claude-v2
 region: eu-central-1
 backend: amazonbedrock
diff --git a/chart/operator/templates/k8sgpt-sa.yaml b/chart/operator/templates/k8sgpt-sa.yaml
index b4c8f454..105a4a93 100644
--- a/chart/operator/templates/k8sgpt-sa.yaml
+++ b/chart/operator/templates/k8sgpt-sa.yaml
@@ -1,9 +1,15 @@
+{{- if or .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: "k8sgpt"
+ name: {{ default "k8sgpt" .Values.serviceAccount.name }}
 labels:
 app.kubernetes.io/component: rbac
 app.kubernetes.io/created-by: k8sgpt-operator
 app.kubernetes.io/part-of: k8sgpt-operator
 {{- include "chart.labels" . | nindent 4 }}
+ {{- if .Values.serviceAccount.annotations }}
+ annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
+ {{- end }}
+{{- end }}
+
diff --git a/chart/operator/values.yaml b/chart/operator/values.yaml
index de2d9ac2..e7e2b913 100644
--- a/chart/operator/values.yaml
+++ b/chart/operator/values.yaml
@@ -1,3 +1,8 @@
+serviceAccount:
+ create: true
+ name: "k8sgpt"
+ # -- Annotations for the managed k8sgpt workload service account
+ annotations: {}
 serviceMonitor:
 enabled: false
 additionalLabels: {}
diff --git a/pkg/resources/k8sgpt.go b/pkg/resources/k8sgpt.go
index 37541f00..89cabf2c 100644
--- a/pkg/resources/k8sgpt.go
+++ b/pkg/resources/k8sgpt.go
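Review bot: `{{- if or .Values.serviceAccount.create -}}` on the first added line of k8sgpt-sa.yaml wraps a single operand in `or`, which is a no-op; `{{- if .Values.serviceAccount.create -}}` states the condition directly. The annotations added in the same hunk are what bind this service account to an IAM role (IRSA / Pod Identity), so the name emitted by `{{ default "k8sgpt" .Values.serviceAccount.name }}` has to match the serviceAccountName the operator places on the managed k8sgpt Deployment. That Deployment is built in pkg/resources/k8sgpt.go, outside this hunk, so please verify it reads the same value rather than a hardcoded "k8sgpt"; otherwise a renamed account leaves the pod running under an account that does not carry the IAM binding.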
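Review bot: In the new `serviceAccount` block of values.yaml only `annotations` carries a doc comment, while `create` and `name` are the values a chart user has to get right when wiring IRSA or Pod Identity. Suggest `# -- Create the service account for the managed k8sgpt workload; set to false to supply a pre-existing account` above `create` and `# -- Name of the service account the managed k8sgpt workload runs under` above `name`, in the same `# --` style already used for `annotations`.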
@@ -295,14 +295,13 @@ func GetDeployment(config v1alpha1.K8sGPT, outOfClusterMode bool, c client.Clien
 }
 // Add checks for amazonbedrock
 if config.Spec.AI.Backend == v1alpha1.AmazonBedrock {
- if config.Spec.AI.Secret == nil {
- return &appsv1.Deployment{}, err.New("secret is required for amazonbedrock backend")
- }
- if err := addSecretAsEnvToDeployment(config.Spec.AI.Secret.Name, "AWS_ACCESS_KEY_ID", config, c, &deployment); err != nil {
- return &appsv1.Deployment{}, err
- }
- if err := addSecretAsEnvToDeployment(config.Spec.AI.Secret.Name, "AWS_SECRET_ACCESS_KEY", config, c, &deployment); err != nil {
- return &appsv1.Deployment{}, err
+ if config.Spec.AI.Secret != nil {
+ if err := addSecretAsEnvToDeployment(config.Spec.AI.Secret.Name, "AWS_ACCESS_KEY_ID", config, c, &deployment); err != nil {
+ return &appsv1.Deployment{}, err
+ }
+ if err := addSecretAsEnvToDeployment(config.Spec.AI.Secret.Name, "AWS_SECRET_ACCESS_KEY", config, c, &deployment); err != nil {
+ return &appsv1.Deployment{}, err
+ }
+ }
 }
 if config.Spec.AI.Region == "" {
 return &appsv1.Deployment{}, err.New("default region is required for amazonbedrock backend")
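Review bot: Dropping the nil-secret error leaves the Bedrock path with no statement of how the workload is expected to authenticate: when `config.Spec.AI.Secret` is nil no AWS environment is injected and the Deployment silently relies on ambient credentials (the service account's IRSA / Pod Identity binding), so a spec that merely forgot the secret now fails at runtime inside the k8sgpt pod instead of at reconcile time. At minimum record the intent on the new `if` with `// No secret configured: rely on the pod's ambient AWS credentials (e.g. IRSA / EKS Pod Identity bound to the service account).`, and consider an info-level log line so the chosen credential path is visible in the operator output. Separately, `err := addSecretAsEnvToDeployment(...)` inside the new block shadows what appears to be a package alias, since `err.New(...)` is called two lines later on the Region check; renaming either the alias or the local would avoid the confusion, although the pattern predates this commit. GetDeployment continues on both sides of the hunk.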