Merge pull request #2052 from MarcusNoble/iam_for_service_account

✨ Add support for AWS_CONTROLLER_IAM_ROLE env var

bootstrap/eks/config/manager/kustomization.yaml

@@ -1,8 +1,11 @@
 resources:
 - manager.yaml
+- serviceaccount.yaml
 
 patchesStrategicMerge:
 - manager_image_patch.yaml
 - manager_pull_policy.yaml
 - manager_auth_proxy_patch.yaml
-- manager_manager_args_patch.yaml
+- manager_args_patch.yaml
+- manager_service_account_patch.yaml
+- manager_iam_patch.yaml

bootstrap/eks/config/manager/manager_iam_patch.yaml

@@ -0,0 +1,12 @@
+# This patch injects annotations to run using KIAM / kube2iam
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      metadata:
+        annotations:
+          iam.amazonaws.com/role: ${AWS_CONTROLLER_IAM_ROLE:=""}

bootstrap/eks/config/manager/manager_service_account_patch.yaml

@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      serviceAccountName: controller-manager
+      securityContext:
+        fsGroup: 1000

bootstrap/eks/config/manager/serviceaccount.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+  annotations:
+    ${AWS_CONTROLLER_IAM_ROLE/#arn/eks.amazonaws.com/role-arn: arn}

config/manager/kustomization.yaml

@@ -1,7 +1,10 @@
 resources:
 - manager.yaml
+- serviceaccount.yaml
 
 patchesStrategicMerge:
 - manager_image_patch.yaml
 - manager_pull_policy.yaml
 - manager_auth_proxy_patch.yaml
+- manager_service_account_patch.yaml
+- manager_iam_patch.yaml

config/manager/manager_iam_patch.yaml

@@ -0,0 +1,12 @@
+# This patch injects annotations to run using KIAM / kube2iam
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      metadata:
+        annotations:
+          iam.amazonaws.com/role: ${AWS_CONTROLLER_IAM_ROLE:=""}

config/manager/manager_service_account_patch.yaml

@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      serviceAccountName: controller-manager
+      securityContext:
+        fsGroup: 1000

config/manager/serviceaccount.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: capa-controller-manager
+  annotations:
+    ${AWS_CONTROLLER_IAM_ROLE/#arn/eks.amazonaws.com/role-arn: arn}

controlplane/eks/config/manager/kustomization.yaml

@@ -1,8 +1,11 @@
 resources:
 - manager.yaml
+- serviceaccount.yaml
 
 patchesStrategicMerge:
 - manager_image_patch.yaml
 - manager_pull_policy.yaml
 - manager_auth_proxy_patch.yaml
 - manager_args_patch.yaml
+- manager_service_account_patch.yaml
+- manager_iam_patch.yaml

controlplane/eks/config/manager/manager_iam_patch.yaml

@@ -0,0 +1,12 @@
+# This patch injects annotations to run using KIAM / kube2iam
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      metadata:
+        annotations:
+          iam.amazonaws.com/role: ${AWS_CONTROLLER_IAM_ROLE:=""}

controlplane/eks/config/manager/manager_service_account_patch.yaml

@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      serviceAccountName: controller-manager
+      securityContext:
+        fsGroup: 1000

controlplane/eks/config/manager/serviceaccount.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+  annotations:
+    ${AWS_CONTROLLER_IAM_ROLE/#arn/eks.amazonaws.com/role-arn: arn}

docs/book/src/SUMMARY.md

@@ -9,6 +9,7 @@
   - [Machine Pools](./topics/machinepools.md)
   - [EKS Support](./topics/eks.md)
   - [Consuming Existing AWS Infrastructure](./topics/consuming-existing-aws-infrastructure.md)
+  - [Specifying the IAM Role to use for Management Components](./topics/specify-management-iam-role.md)
   - [Multi-AZ Control Planes](./topics/multi-az-control-planes.md)
   - [Restricting Cluster API to certain namespaces](./topics/restricting-cluster-api-to-certain-namespaces.md)
   - [Using Cluster API with cross-account role assumption](./topics/using-cluster-api-with-cross-account-role-assumption.md)

docs/book/src/topics/specify-management-iam-role.md

@@ -0,0 +1,81 @@
+# Specifying the IAM Role to use for Management Components
+
+## Prerequisites
+
+To be able to specify the IAM role that the management components should run as your cluster must be set up with the ability to assume IAM roles using one of the following solutions:
+
+* [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
+* [Kiam](https://github.com/uswitch/kiam)
+* [Kube2iam](https://github.com/jtblin/kube2iam)
+
+## Setting IAM Role
+
+Set the `AWS_CONTROLLER_IAM_ROLE` environment variable to the ARN of the IAM role to use when performing the `clustercrl init` command.
+
+For example:
+
+```bash
+export AWS_CONTROLLER_IAM_ROLE=arn:aws:iam::1234567890:role/capa-management-components
+
+clusterctl init --infrastructure=aws
+```
+
+## IAM Role Trust Policy
+
+### IAM Roles for Service Accounts
+
+When creating the IAM role the following trust policy will need to be used with the `AWS_ACCOUNT_ID`, `AWS_REGION` and `OIDC_PROVIDER_ID` environment variables replaced.
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/oidc.eks.${AWS_REGION}.amazonaws.com/id/${OIDC_PROVIDER_ID}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "ForAnyValue:StringEquals": {
+          "oidc.eks.${AWS_REGION}.amazonaws.com/id/${OIDC_PROVIDER_ID}:sub": [
+            "system:serviceaccount:capa-system:capa-controller-manager",
+            "system:serviceaccount:capi-system:capi-controller-manager",
+            "system:serviceaccount:capa-eks-control-plane-system:capa-eks-control-plane-controller-manager",
+            "system:serviceaccount:capa-eks-bootstrap-system:capa-eks-bootstrap-controller-manager",
+          ]
+        }
+      }
+    }
+  ]
+}
+```
+
+### Kiam / kube2iam
+
+When creating the IAM role the you will need to give apply the `kubernetes.io/cluster/${CLUSTER_NAME}/role": "enabled"` tag to the role and use the following trust policy with the `AWS_ACCOUNT_ID` and `CLUSTER_NAME` environment variables correctly replaced.
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    },
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${CLUSTER_NAME}.worker-node-role"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+```