diff --git a/charts/kubeadm/templates/ClusterConfiguration.yaml b/charts/kubeadm/templates/ClusterConfiguration.yaml index 522186a6..f7c4238f 100644 --- a/charts/kubeadm/templates/ClusterConfiguration.yaml +++ b/charts/kubeadm/templates/ClusterConfiguration.yaml @@ -41,6 +41,7 @@ apiServer: audit-log-maxbackup: "3" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml + authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml enable-admission-plugins: NodeRestriction,EventRateLimit {{- if .Values.clusterHighAvailable }} goaway-chance: ".001" diff --git a/charts/kubeadm/templates/aws-iam-authenticator.yaml b/charts/kubeadm/templates/aws-iam-authenticator.yaml new file mode 100644 index 00000000..962805ed --- /dev/null +++ b/charts/kubeadm/templates/aws-iam-authenticator.yaml @@ -0,0 +1,186 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: iamidentitymappings.iamauthenticator.k8s.aws +spec: + group: iamauthenticator.k8s.aws + version: v1alpha1 + scope: Cluster + names: + plural: iamidentitymappings + singular: iamidentitymapping + kind: IAMIdentityMapping + categories: + - all + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + required: + - arn + - username + properties: + arn: + type: string + username: + type: string + groups: + type: array + items: + type: string +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aws-iam-authenticator +rules: +- apiGroups: + - iamauthenticator.k8s.aws + resources: + - iamidentitymappings + verbs: + - get + - list + - watch +- apiGroups: + - iamauthenticator.k8s.aws + resources: + - iamidentitymappings/status + verbs: + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - update + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - aws-auth + verbs: + - get + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aws-iam-authenticator + namespace: kube-system + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: aws-iam-authenticator + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aws-iam-authenticator +subjects: +- kind: ServiceAccount + name: aws-iam-authenticator + namespace: kube-system + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: kube-system + name: aws-iam-authenticator + labels: + k8s-app: aws-iam-authenticator +data: + config.yaml: | + clusterID: {{ .Values.clusterName }} + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + namespace: kube-system + name: aws-iam-authenticator + labels: + k8s-app: aws-iam-authenticator + annotations: + seccomp.security.alpha.kubernetes.io/pod: runtime/default +spec: + selector: + matchLabels: + k8s-app: aws-iam-authenticator + updateStrategy: + type: RollingUpdate + template: + metadata: + annotations: + scheduler.alpha.kubernetes.io/critical-pod: "" + labels: + k8s-app: aws-iam-authenticator + spec: + # use service account with access to + serviceAccountName: aws-iam-authenticator + + # run on the host network (don't depend on CNI) + hostNetwork: true + + # run on each master node + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - key: CriticalAddonsOnly + operator: Exists + + containers: + - name: aws-iam-authenticator + image: public.ecr.aws/x8h8t2o1/aws-iam-authenticator:v0.5.2 + args: + - server + - --backend-mode=CRD,MountedFile + - --config=/etc/aws-iam-authenticator/config.yaml + - --state-dir=/var/aws-iam-authenticator + - --kubeconfig-pregenerated=true + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + + resources: + requests: + memory: 20Mi + cpu: 10m + limits: + memory: 20Mi + cpu: 100m + + volumeMounts: + - name: config + mountPath: /etc/aws-iam-authenticator/ + - name: state + mountPath: /var/aws-iam-authenticator/ + + volumes: + - name: config + configMap: + name: aws-iam-authenticator + - name: state + hostPath: + path: /var/aws-iam-authenticator/