KubeZero/charts/kubezero-kiam/README.md

105 lines
5.4 KiB
Markdown
Raw Normal View History

# kubezero-kiam
2021-12-03 21:16:22 +00:00
![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.0](https://img.shields.io/badge/AppVersion-4.0-informational?style=flat-square)
2020-05-15 15:07:01 +00:00
KubeZero Umbrella Chart for Kiam
**Homepage:** <https://kubezero.com>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Quarky9 | | |
2020-05-15 15:07:01 +00:00
## Requirements
2020-05-15 15:07:01 +00:00
2021-03-25 15:32:49 +00:00
Kubernetes: `>= 1.18.0`
2020-05-15 15:07:01 +00:00
| Repository | Name | Version |
|------------|------|---------|
2021-12-03 21:16:22 +00:00
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.3 |
| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 6.0.0 |
2020-05-15 15:07:01 +00:00
## KubeZero default configuration
We run agents on the controllers as well, so we force eg. ebs csi controllers and others to assume roles etc.
This means we need to run kiam containers on the controllers using `hostnetwork: true`.
Therefore we also change the default port from 443 to 6444 to not collide with the potential api-server port on the controllers.
Make sure any firewall rules between controllers and workers are adjusted accordingly.
## Kiam Certificates
The required certificates for Kiam server and agents are provided by a local cert-manager, which is configured to have a cluster local self-signing CA as part of the KubeZero platform.
[Kiam TLS Config](https://github.com/uswitch/kiam/blob/master/docs/TLS.md#cert-manager)
2020-05-15 15:07:01 +00:00
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
## Metadata restrictions
Some services require access to some basic AWS information. One example is the `aws-ebs-csi` controller.
By default all access to the meta-data service is blocked, expect for:
2020-05-15 15:07:01 +00:00
- `/latest/meta-data/instance-id`
- `/latest/dynamic/instance-identity/document`
## Values
2020-05-15 15:07:01 +00:00
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| annotateKubeSystemNameSpace | bool | `false` | |
2021-03-25 15:32:49 +00:00
| kiam.agent.allowRouteRegexp | string | `"^/latest/(meta-data/instance-id|dynamic)"` | |
2020-05-18 13:56:37 +00:00
| kiam.agent.gatewayTimeoutCreation | string | `"5s"` | |
| kiam.agent.host.interface | string | `"cali+"` | |
| kiam.agent.host.iptables | bool | `false` | |
| kiam.agent.log.level | string | `"info"` | |
| kiam.agent.priorityClassName | string | `"system-node-critical"` | |
2020-05-15 15:07:01 +00:00
| kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | |
| kiam.agent.prometheus.servicemonitor.interval | string | `"30s"` | |
| kiam.agent.prometheus.servicemonitor.labels.release | string | `"metrics"` | |
2021-05-17 10:13:03 +00:00
| kiam.agent.resources.limits.memory | string | `"64Mi"` | |
2020-09-14 16:26:39 +00:00
| kiam.agent.resources.requests.cpu | string | `"50m"` | |
2021-05-17 10:13:03 +00:00
| kiam.agent.resources.requests.memory | string | `"16Mi"` | |
2020-05-15 15:07:01 +00:00
| kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` | |
2020-05-18 13:56:37 +00:00
| kiam.agent.tlsCerts.caFileName | string | `"ca.crt"` | |
| kiam.agent.tlsCerts.certFileName | string | `"tls.crt"` | |
| kiam.agent.tlsCerts.keyFileName | string | `"tls.key"` | |
2020-05-15 15:07:01 +00:00
| kiam.agent.tlsSecret | string | `"kiam-agent-tls"` | |
| kiam.agent.tolerations[0].effect | string | `"NoSchedule"` | |
| kiam.agent.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
2021-12-03 21:16:22 +00:00
| kiam.agent.tolerations[1].effect | string | `"NoSchedule"` | |
| kiam.agent.tolerations[1].key | string | `"kubezero-workergroup"` | |
| kiam.agent.tolerations[1].operator | string | `"Exists"` | |
2020-05-18 13:56:37 +00:00
| kiam.agent.updateStrategy | string | `"RollingUpdate"` | |
2020-09-14 16:26:39 +00:00
| kiam.enabled | bool | `true` | |
| kiam.server.assumeRoleArn | string | `""` | kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role |
2020-05-15 15:07:01 +00:00
| kiam.server.deployment.enabled | bool | `true` | |
| kiam.server.deployment.replicas | int | `1` | |
| kiam.server.log.level | string | `"info"` | |
2020-05-15 15:07:01 +00:00
| kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| kiam.server.priorityClassName | string | `"system-cluster-critical"` | |
2020-05-15 15:07:01 +00:00
| kiam.server.prometheus.servicemonitor.enabled | bool | `false` | |
| kiam.server.prometheus.servicemonitor.interval | string | `"30s"` | |
| kiam.server.prometheus.servicemonitor.labels.release | string | `"metrics"` | |
2021-05-17 10:13:03 +00:00
| kiam.server.resources.limits.memory | string | `"128Mi"` | |
2021-03-25 15:32:49 +00:00
| kiam.server.resources.requests.cpu | string | `"50m"` | |
2021-05-17 10:13:03 +00:00
| kiam.server.resources.requests.memory | string | `"64Mi"` | |
2020-05-15 15:07:01 +00:00
| kiam.server.service.port | int | `6444` | |
| kiam.server.service.targetPort | int | `6444` | |
| kiam.server.sslCertHostPath | string | `"/etc/ssl/certs"` | |
2020-05-18 13:56:37 +00:00
| kiam.server.tlsCerts.caFileName | string | `"ca.crt"` | |
| kiam.server.tlsCerts.certFileName | string | `"tls.crt"` | |
| kiam.server.tlsCerts.keyFileName | string | `"tls.key"` | |
2020-05-15 15:07:01 +00:00
| kiam.server.tlsSecret | string | `"kiam-server-tls"` | |
| kiam.server.tolerations[0].effect | string | `"NoSchedule"` | |
| kiam.server.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
2020-05-18 13:56:37 +00:00
| kiam.server.updateStrategy | string | `"RollingUpdate"` | |
2020-05-15 15:07:01 +00:00
| kiam.server.useHostNetwork | bool | `true` | |
## Debugging
- Verify iptables rules on hosts to be set by the kiam agent:
`iptables -L -t nat -n --line-numbers`
2020-05-15 15:07:01 +00:00
`iptables -t nat -D PREROUTING <wrong rule>`
## Resources
- https://github.com/uswitch/kiam
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
- [Grafana Dashboard](https://raw.githubusercontent.com/uswitch/kiam/master/docs/dashboard-prom.json)
2020-07-29 14:07:41 +00:00
![Kiam overview](./kiam_architecure.png)