IAMIdentityMapping CRD Implementation #116
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
size/XXL
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
christopherhein
force-pushed
the
feature/crd-identity-mapping
branch
2 times, most recently
from
8cf7da5 to
7002524
Compare
k8s-ci-robot
added
cncf-cla: yes
|
Updated with resolved tests. |
christopherhein
force-pushed
the
feature/crd-identity-mapping
branch
3 times, most recently
from
a9aa336 to
aaf8e42
Compare
christopherhein
changed the title
christopherhein
force-pushed
the
feature/crd-identity-mapping
branch
from
aaf8e42 to
25b3bbc
Compare
christopherhein
changed the title
christopherhein
force-pushed
the
feature/crd-identity-mapping
branch
from
25b3bbc to
83b0ce4
Compare
christopherhein
force-pushed
the
feature/crd-identity-mapping
branch
2 times, most recently
from
9db0efe to
7cd562b
Compare
|
@mattlandis Updated the commit history so it follows the format above, sorry for the delay on that. Still need to work on the locking for the About the removing role references, besides where we fall back to the static file for the time being the role vs user arn should have all been merged, did I miss something? The only kind that doesn't naturally fit is |
|
/assign |
pkg/config/types.go
Outdated
| @@ -109,4 +109,7 @@ type Config struct { | |||
| // Bind defines the hostname or IP Address to bind the HTTPS server to listen to. This is useful when creating | |||
| // a local server to handle the authentication request for development. | |||
| Bind string | |||
|
|
|||
| // CanonicalRoleMappings is a shared RoleMapping with keys based on the rolearns | |||
There was a problem hiding this comment.
It also removes 'Role' from the AWS IAM side of the naming which may help reduce confusion with the RBAC roles. It is either ARN or IAMARN or IAMidentity, all of which exist only on the AWS side.
Did we make any progress on this one? I'd agree with the benefit of getting rid of references to Role where possible. I'm guessing Role here refers to users, too?
christopherhein
force-pushed
the
feature/crd-identity-mapping
branch
from
7cd562b to
cc9e507
Compare
|
It needs docs still but the feature is tested and working with the new informer set up if you’re interesting in giving it a CR I’d welcome that @errordeveloper |
|
Is it testable on EKS?
…On Sat, 1 Jun 2019, 2:16 pm Christopher Hein, ***@***.***> wrote:
It needs docs still but the feature is tested and working with the new
informer set up if you’re interesting in giving it a CR I’d welcome that
@errordeveloper <https://github.com/errordeveloper>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#116?email_source=notifications&email_token=AAB5MSYILSRPJYW2NSJLCMDPYJZEBA5CNFSM4FIYU3F2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWXAPHA#issuecomment-497944476>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAB5MSZV35IXVJZIJ5FXTD3PYJZEBANCNFSM4FIYU3FQ>
.
|
|
No, since you can’t reconfigure the webhook. I typically just setup a kops cluster with thw authenticator, then I redeploy my config over it |
|
@mumoshu any chance you could test this with kube-aws or on a kops cluster, if you have time... |
| @@ -88,12 +88,6 @@ func getConfig() (config.Config, error) { | |||
| Kubeconfig: viper.GetString("server.kubeconfig"), | |||
| Master: viper.GetString("server.master"), | |||
| } | |||
| if err := viper.UnmarshalKey("server.mapRoles", &config.RoleMappings); err != nil { | |||
There was a problem hiding this comment.
Do you have thoughts on upgrade? My first thought is that we should keep these in a deprecated state for the first version. If the mappings in the config are detected, only the config file is used and it takes precedence. This prevents the authenticator from failing on startup if the kubernetes config is not present but mappings in the config file are. Otherwise, upgrade is a bit more difficult.
There was a problem hiding this comment.
yeah, that's a good point.
example-role.yaml
Outdated
| @@ -0,0 +1,10 @@ | |||
| --- | |||
There was a problem hiding this comment.
Maybe put the examples in an examples dir?
cmd/aws-iam-authenticator/server.go
Outdated
| "b", | ||
| serverCmd.Flags().String("kubeconfig", | ||
| "", | ||
| "kubeconfig file path for using a local kubeconfig to configure the client.") |
There was a problem hiding this comment.
This flag is a bit confusing due to the other kubeconfig flags which don't refer to the same kubeconfig. Can you specify in the description that "configure the client" means that we are talking about this server (the authenticator server) talking to an API server for mapping configuration?
example.yaml
Outdated
| @@ -18,6 +18,80 @@ | |||
| # may also need to rework other bits to work in your cluster (e.g., node labels). | |||
| # | |||
| # This was tested with a kubeadm-installed cluster. | |||
| --- | |||
There was a problem hiding this comment.
I think you should separate out the identity mapping stuff from the daemonset in the example, as it may be common to run the authenticator in other ways. Additionally, for simplicity I see them as two separate steps in the setup guide, first applying everything the authenticator needs to run in your cluster, and second, running the authenticator itself.
There was a problem hiding this comment.
Also we will need to change the daemonset container version at the bottom of this file.
pkg/controller/controller.go
Outdated
| } | ||
|
|
||
| logrus.Info("setting up event handlers") | ||
| // adding the handler functions for the different IAM Identities, we can ignore deletes because we're only using the Listers from other objects |
There was a problem hiding this comment.
Can you explain a little more why your ignoring deletes?
There was a problem hiding this comment.
Yeah, sounds good
We have been talking about our options in relation to EKS vs clusters using the open source authenticator. For the initial release of this feature, it will be protected behind a feature flag, and enabling it will be a binary switch for the authenticator server to look for mappings from CRDs. This will allow open source users to start using it and give us feedback. During this time, we will determine what the upgrade scenario for EKS will be from the EKS config map to custom resources. |
christopherhein
force-pushed
the
feature/crd-identity-mapping
branch
from
3606cc1 to
db96765
Compare
Signed-off-by: Christopher Hein <me@chrishein.com>
christopherhein
force-pushed
the
feature/crd-identity-mapping
branch
from
db96765 to
648e742
Compare
Signed-off-by: Christopher Hein <me@chrishein.com>
Signed-off-by: Christopher Hein <me@chrishein.com>
christopherhein
force-pushed
the
feature/crd-identity-mapping
branch
from
648e742 to
97db681
Compare
Signed-off-by: Christopher Hein <me@chrishein.com>
Signed-off-by: Christopher Hein <me@chrishein.com>
christopherhein
force-pushed
the
feature/crd-identity-mapping
branch
from
4aadb65 to
4217780
Compare
|
@nckturner all updated with the latest fixes. Uses a feature-gate now, you'll notice I had to use the fake clients for when the flag was turned off, I think this will make long term clean up much easier. to test, on a cluster for the authenticator config include: |
| @@ -298,32 +328,69 @@ func (h *handler) authenticateEndpoint(w http.ResponseWriter, req *http.Request) | |||
| } | |||
|
|
|||
| func (h *handler) doMapping(identity *token.Identity, arn string) (string, []string, error) { | |||
| if roleMapping, exists := h.lowercaseRoleMap[arn]; exists { | |||
| username, err := h.renderTemplate(roleMapping.Username, identity) | |||
| // IAMIdentityMappingCRD feature gate will only us the CRD implementation to validate users | |||
| @@ -114,6 +124,7 @@ func (c *Server) Run() { | |||
| "groups": mapping.Groups, | |||
| }).Infof("mapping IAM user") | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
Can we only iterate the users and roles from the config file if the feature flag is not enabled? Otherwise you get logs when the authenticator starts up that suggest it will be using the mappings from the config file in addition to the custom resources:
INFO[2019-06-15T06:12:21Z] mapping IAM role groups="[system:bootstrappers system:nodes system:node-proxier]" role="arn:aws:iam::..." username="system:node:{{EC2PrivateDNSName}}"
INFO[2019-06-15T06:12:21Z] mapping IAM role groups="[system:masters]" role="arn:aws:iam::..." username="cross-account-{{SessionName}}"
INFO[2019-06-15T06:12:21Z] mapping IAM role groups="[system:masters]" role="arn:aws:iam::..." username="admin:{{SessionName}}"
INFO[2019-06-15T06:12:21Z] mapping IAM role groups="[system:masters]" role="arn:aws:iam::..." username=...
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
This change seems to have made the library error out on |
|
@metral can you send your errors? Are you using |
|
🚀 |
|
@christopherhein: running |
|
When will the release v0.5 be available to deliver this PR as alpha? We are using a build of the master branch to test it |
Original Spec
This adds an implementation of the CRD + Informer configuration for the authenticator. It implements the following object and will load the
config.yamlfile first into memory allowing existing clients to update then gracefully move over to the new mechanism.It uses the Kubernetes codegen libraries to generate all the informers for updating the spec you just have to run
./codegen.shAlso merging the user and role maps into a single map based on the IAMIdentities
This also adds a way to run the server locally using a local
kubeconfigand generate certificates bound to a specific IP address and hostname.closes #79