1 change: 0 additions & 1 deletion README.md
Expand Up @@ -38,7 +38,6 @@ EC2 instance sizing can be configured in [terraform/environments/staging/main.tf
## AWS Setting the Kubernetes context
```
aws eks update-kubeconfig --name <cluster-name> --region us-west-2
aws eks update-kubeconfig --name <cluster-name> --region us-west-2 --role-arn <role-arn>
```

## Workin with Kubernetes
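Review bot: The deleted `aws eks update-kubeconfig ... --role-arn <role-arn>` line was the only place the README described authenticating to the cluster through an assumed role, and nothing in this hunk replaces it with a description of how workloads now obtain AWS credentials. Suggest a sentence in this section stating that pods get IAM access through the `eks.amazonaws.com/role-arn` annotation on their service account rather than through kube2iam, so readers do not go looking for the removed role. While in this file, the trailing context heading `## Workin with Kubernetes` is missing a `g`.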
20 changes: 1 addition & 19 deletions kubernetes/terraform/environments/development/main.tf
Expand Up @@ -16,26 +16,8 @@ module "kubernetes" {
region = "<% index .Params `region` %>"

# Authenticate with the EKS cluster via the cluster id
cluster_name = "<% .Name %>-dev-cluster"

# Assume-role policy used by monitoring fluentd daemonset
assume_role_policy = data.aws_iam_policy_document.assumerole_root_policy.json
cluster_name = "<% .Name %>-dev-<% index .Params `region` %>"

external_dns_zone = "<% index .Params `stagingHost` %>"
external_dns_owner_id = "<% GenerateUUID %>" # randomly generated ID
external_dns_assume_roles = [ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/k8s-staging-workers" ]
}

# Data sources for EKS IAM
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "assumerole_root_policy" {
statement {
actions = ["sts:AssumeRole"]

principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
}
}
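Review bot: The kept line `external_dns_assume_roles = [ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/k8s-staging-workers" ]` still interpolates `data.aws_caller_identity.current`, but this same hunk deletes `data "aws_caller_identity" "current" {}`; unless that data source is declared in another file of this environment, `terraform plan` fails on a reference to an undeclared resource. Since the module's `external_dns.tf` in this PR no longer reads `var.external_dns_assume_roles` (the worker-role trust statement is gone) or `var.external_dns_owner_id` (`--txt-owner-id` now uses `var.cluster_name`), the cleaner fix is to drop both inputs here and from the module's variables rather than leave dead wiring. Also worth confirming that this development environment is meant to pass `stagingHost` and the `k8s-staging-workers` role, which read like a copy of staging.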
20 changes: 1 addition & 19 deletions kubernetes/terraform/environments/production/main.tf
Expand Up @@ -16,26 +16,8 @@ module "kubernetes" {
region = "<% index .Params `region` %>"

# Authenticate with the EKS cluster via the cluster id
cluster_name = "<% .Name %>-production-cluster"

# Assume-role policy used by monitoring fluentd daemonset
assume_role_policy = data.aws_iam_policy_document.assumerole_root_policy.json
cluster_name = "<% .Name %>-production-<% index .Params `region` %>"

external_dns_zone = "<% index .Params `productionHost` %>"
external_dns_owner_id = "<% GenerateUUID %>" # randomly generated ID
external_dns_assume_roles = [ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/k8s-production-workers" ]
}

# Data sources for EKS IAM
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "assumerole_root_policy" {
statement {
actions = ["sts:AssumeRole"]

principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
}
}
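Review bot: Same dangling reference as in `development/main.tf`: `external_dns_assume_roles` interpolates `data.aws_caller_identity.current` while the hunk deletes that data source, and `external_dns_owner_id = "<% GenerateUUID %>"` now feeds an input the module no longer uses. For production specifically, the new `cluster_name = "<% .Name %>-production-<% index .Params `region` %>"` has to match the name of the EKS cluster that actually exists for that environment; if the cluster was provisioned under the old `-production-cluster` name, the module's cluster lookup (`data.aws_eks_cluster.cluster` in `external_dns.tf`) will point at a cluster that does not exist. Plan this against the real production state before merging.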
20 changes: 1 addition & 19 deletions kubernetes/terraform/environments/staging/main.tf
Expand Up @@ -20,26 +20,8 @@ module "kubernetes" {
region = "<% index .Params `region` %>"

# Authenticate with the EKS cluster via the cluster id
cluster_name = "<% .Name %>-staging-cluster"

# Assume-role policy used by monitoring fluentd daemonset
assume_role_policy = data.aws_iam_policy_document.assumerole_root_policy.json
cluster_name = "<% .Name %>-staging-<% index .Params `region` %>"

external_dns_zone = "<% index .Params `stagingHost` %>"
external_dns_owner_id = "<% GenerateUUID %>" # randomly generated ID
external_dns_assume_roles = [ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/k8s-<% .Name %>-staging-<% index .Params `region` %>-workers" ]
}

# Data sources for EKS IAM
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "assumerole_root_policy" {
statement {
actions = ["sts:AssumeRole"]

principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
}
}
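Review bot: Same pattern as the other two environments (deleted `data.aws_caller_identity.current` still referenced by the kept `external_dns_assume_roles` line), with one extra inconsistency: the role here is named `k8s-<% .Name %>-staging-<% index .Params `region` %>-workers`, whereas development and production use the bare `k8s-<env>-workers`. Since the module no longer consumes this input at all, remove it from all three environments rather than leaving the three copies to drift.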
40 changes: 23 additions & 17 deletions kubernetes/terraform/modules/kubernetes/README.md
Expand Up @@ -4,24 +4,30 @@

This Terraform module contains configuration to provision kubernetes resources.

## Core Components

[Nginx Ingress Controller](https://github.com/kubernetes/ingress-nginx/)
Use Nginx as a reverse proxy and load balancer for your cluster. This will create an AWS load balancer (ELB/ALB/NLB) and whenever an ingress is created to route traffic to your application, the controller will make sure the LB is up to date and sending traffic where it needs to go.

[External DNS](https://github.com/kubernetes-sigs/external-dns)
For any ingresses that are added to route traffic for hosts, external-dns will automatically create DNS records for those hosts and point it to the LB created by the ingress controller.
This makes is extremely easy to bring up a new site at a specific domain or subdomain.

[Cert Manager](https://github.com/jetstack/cert-manager)
For any ingresses that specify that they need TLS, cert-manager will automatically provision a certificate using Lets Encrypt, and handle renewing it automatically on a regular basis.
Alongside external-dns, this allows you to make sure your new domains are always secured using HTTPS.

[Cloudwatch Agent/Fluentd](https://github.com/fluent/fluentd)
A unified logging layer, Fluentd handles capturing all log output from your cluster and routing it to various sources like Cloudwatch, Elasticsearch, etc.


...

## Organization

```
main.tf - Configuration entrypoint.
ingress/ - Confioguration required to provision nginx-ingress-controller.
main.tf
provider.tf
variables.tf
monitoring/ - Configuration required to provision cluster monitoring.
main.tf
provider.tf
variables.tf
fluentd/
main.tf
files/
...
cloudwatch/
main.tf
files/
...
```
external_dns.tf - Set up external-dns
ingress/ - Provision nginx-ingress-controller.
monitoring/ - Provision cluster monitoring (cloudwatch agent and fluentd).
```
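Review bot: The README still does not mention the one new prerequisite this PR introduces: `external_dns.tf` now creates the external-dns role through `iam-assumable-role-with-oidc`, which requires an IAM OIDC identity provider to be associated with the cluster before `terraform apply` can succeed. Suggest a short "Prerequisites" paragraph under the intro stating that, and expanding the `external_dns.tf - Set up external-dns` entry in Organization to say it also provisions the IRSA role and policy, not only the deployment. Minor, in a context line: "This makes is extremely easy" should read "This makes it extremely easy".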
59 changes: 25 additions & 34 deletions kubernetes/terraform/modules/kubernetes/external_dns.tf
@@ -1,28 +1,18 @@
# Trust relationship
data "aws_iam_policy_document" "external_dns_trust_relationship" {
statement {
actions = ["sts:AssumeRole"]

principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}

statement {
actions = ["sts:AssumeRole"]

principals {
type = "AWS"
identifiers = var.external_dns_assume_roles
}
}
# Create a role using oidc to map service accounts
module "iam_assumable_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "~> v2.6.0"
create_role = true
role_name = "<% .Name %>-k8s-${var.environment}-external-dns"
provider_url = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")
role_policy_arns = [aws_iam_policy.external_dns.arn]
oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:external-dns"]
}

# external-dns role
resource "aws_iam_role" "external_dns_role" {
name = "k8s-external-dns-role"
assume_role_policy = data.aws_iam_policy_document.external_dns_trust_relationship.json
resource "aws_iam_policy" "external_dns" {
name_prefix = "external-dns"
description = "EKS external-dns policy for cluster ${var.cluster_name}"
policy = data.aws_iam_policy_document.external_dns_policy_doc.json
}

data "aws_iam_policy_document" "external_dns_policy_doc" {
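Review bot: `role_name = "<% .Name %>-k8s-${var.environment}-external-dns"` is a fixed IAM role name keyed only on environment, while this PR changes `cluster_name` to include the region; two clusters of the same environment in one account (for example two regions) collide on the role name and the second apply fails with an EntityAlreadyExists error. Deriving the name from `var.cluster_name`, as the policy's `description` already does, or using a prefix avoids that. Also, `provider_url` references `data.aws_eks_cluster.cluster`, which is not declared in this hunk; confirm it exists elsewhere in the module. On the positive side, `oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:external-dns"]` correctly pins the trust policy to the exact service account created below, which is the least-privilege shape IRSA should have.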
Expand All @@ -48,16 +38,13 @@ data "aws_iam_policy_document" "external_dns_policy_doc" {
}
}

resource "aws_iam_role_policy" "external_dns_policy" {
name = "k8s-external-dns-policy"
role = aws_iam_role.external_dns_role.id
policy = data.aws_iam_policy_document.external_dns_policy_doc.json
}

resource "kubernetes_service_account" "external_dns" {
metadata {
name = "external-dns"
namespace = "kube-system"
name = "external-dns"
namespace = "kube-system"
annotations = {
"eks.amazonaws.com/role-arn" = module.iam_assumable_role.this_iam_role_arn
}
}
}

Expand Down Expand Up @@ -116,25 +103,29 @@ resource "kubernetes_deployment" "external_dns" {
"app" = "external-dns",
}
annotations = {
"iam.amazonaws.com/role" = "k8s-external-dns-role",
"eks.amazonaws.com/role-arn" = module.iam_assumable_role.this_iam_role_arn
}
}
spec {
container {
name = "external-dns"
image = "registry.opensource.zalan.do/teapot/external-dns:latest"
args = [
"--source=service",
"--source=ingress",
"--domain-filter=${var.external_dns_zone}", # Give access only to the specified zone
"--provider=aws",
"--aws-zone-type=public",
"--policy=upsert-only", # Prevent ExternalDNS from deleting any records
"--registry=txt",
"--txt-owner-id=${var.external_dns_owner_id}", # ID of txt record to manage state
"--txt-owner-id=${var.cluster_name}", # ID of txt record to manage state
"--aws-batch-change-size=2", # Set the batch size to 2 so that a single record failure won't block other updates
]
}

security_context {
fs_group = 65534
Contributor Author (inline comment): Required for applications inside the container to be able to access the token file that gets mounted

}

service_account_name = "external-dns"
automount_service_account_token = true
}
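Review bot: `--txt-owner-id=${var.cluster_name}` replaces the previously random `external_dns_owner_id`, and with `--registry=txt` that means every record this deployment already created carries a TXT owner that no longer matches; external-dns treats those records as foreign, and with `--policy=upsert-only` it neither updates nor deletes them, so existing hostnames silently stop following load balancer changes. Either keep the old owner id for clusters that already have records or plan a one-off migration of the TXT ownership records before rolling this out. Separately, the pod-template annotation `"eks.amazonaws.com/role-arn" = module.iam_assumable_role.this_iam_role_arn` is inert: the EKS pod identity webhook reads that annotation from the service account (which the earlier hunk already sets), not from the pod, so it can be dropped; `fs_group = 65534` together with `automount_service_account_token = true` is what actually makes the projected token readable by the non-root external-dns process, as the inline comment says.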
6 changes: 0 additions & 6 deletions kubernetes/terraform/modules/kubernetes/kube2iam/README.md

This file was deleted.

105 changes: 0 additions & 105 deletions kubernetes/terraform/modules/kubernetes/kube2iam/main.tf

This file was deleted.

7 changes: 0 additions & 7 deletions kubernetes/terraform/modules/kubernetes/kube2iam/variables.tf

This file was deleted.

6 changes: 0 additions & 6 deletions kubernetes/terraform/modules/kubernetes/main.tf
@@ -1,14 +1,8 @@
module "kube2iam" {
source = "./kube2iam"
environment = var.environment
region = var.region
}

module "monitoring" {
source = "./monitoring"
environment = var.environment
region = var.region
assume_role_policy = var.assume_role_policy
cluster_name = var.cluster_name
}

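Review bot: Removing `assume_role_policy = var.assume_role_policy` from the `monitoring` module, together with the `kube2iam` module above it, drops the only mechanism this diff shows for the fluentd and cloudwatch daemonsets to obtain AWS credentials (the deleted environment comment read "Assume-role policy used by monitoring fluentd daemonset"), yet no hunk gives those workloads an OIDC-backed role the way `external_dns.tf` now does for external-dns. Confirm the monitoring module was updated outside this diff, or that it is intended to fall back to the worker node instance role; otherwise CloudWatch log shipping stops after this merges, and falling back to the node role would widen the permissions every pod on the node can reach, which is the exact thing the move to IRSA is meant to avoid.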