First kiam implementation incl. docs
parent
93528227f7
commit
9d02c2d96d
@ -2,7 +2,7 @@ apiVersion: v2
|
||||
name: kubezero-kiam
|
||||
description: KubeZero Umbrella Chart for Kiam
|
||||
type: application
|
||||
version: 0.1.0
|
||||
version: 0.1.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/logo_small.png
|
||||
keywords:
|
||||
|
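--- /dev/null
+++ b/charts/kubezero-kiam/README.md
@@ -0,0 +1,69 @@
+kubezero-kiam
+=============
+KubeZero Umbrella Chart for Kiam
+
+Current chart version is `0.1.1`
+
+Source code can be found [here](https://kubezero.com)
+
+## Chart Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.7.0 |
+
+## KubeZero default configuration
+We run agents on the controllers as well, so we force eg. ebs csi controllers and others to assume roles etc.
+This means we need to run kiam containers on the controllers using `hostnetwork: true`.
+Therefore we also change the default port from 443 to 6444 to not collide with the potential api-server port on the controllers.
+Make sure any firewall rules between controllers and workers are adjusted accordingly.
+
+## Kiam Certificates
+The required certificates for Kiam server and agents are provided by a local cert-manager, which is configured to have a cluster local self-signing CA as part of the KubeZero platform.
+[Kiam TLS Config](https://github.com/uswitch/kiam/blob/master/docs/TLS.md#cert-manager)
+[KubeZero cert-manager](../kubezero-cert-manager/README.md)
+
+## Metadata restrictions
+Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
+
+- `/latest/meta-data/instance-id`
+- `/latest/dynamic/instance-identity/document`
+
+## Chart Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| kiam.agent.host.iptables | bool | `true` | |
+| kiam.agent.log.level | string | `"warn"` | |
+| kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | |
+| kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` | |
+| kiam.agent.tlsSecret | string | `"kiam-agent-tls"` | |
+| kiam.agent.tolerations[0].effect | string | `"NoSchedule"` | |
+| kiam.agent.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
+| kiam.agent.whiteListRouteRegexp | string | `"^/latest/(meta-data/instance-id|dynamic)"` | |
+| kiam.server.assumeRoleArn | string | `"arn:aws:iam::123456789012:role/kiam-server-role"` | kiam server IAM role to assume, required as we run the agents next to the servers normally |
+| kiam.server.deployment.enabled | bool | `true` | |
+| kiam.server.deployment.replicas | int | `1` | |
+| kiam.server.log.level | string | `"warn"` | |
+| kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
+| kiam.server.prometheus.servicemonitor.enabled | bool | `false` | |
+| kiam.server.service.port | int | `6444` | |
+| kiam.server.service.targetPort | int | `6444` | |
+| kiam.server.sslCertHostPath | string | `"/etc/ssl/certs"` | |
+| kiam.server.tlsSecret | string | `"kiam-server-tls"` | |
+| kiam.server.tolerations[0].effect | string | `"NoSchedule"` | |
+| kiam.server.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
+| kiam.server.useHostNetwork | bool | `true` | |
+
+## Debugging
+- Verify iptables rules on hosts to be set by the kiam agent:
+`iptables -L -t nat -n --line-numbers`
+`iptables -t nat -D PREROUTING <wrong rule>`
+
+## Resources
+- https://github.com/uswitch/kiam
+- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
+
+---
+![Architecture](kiam_architecure.png)
+Image Credits: Blue Matador, Inc.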
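--- /dev/null
+++ b/charts/kubezero-kiam/README.md.gotmpl
@@ -0,0 +1,40 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionLine" . }}
+
+{{ template "chart.sourceLinkLine" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+## KubeZero default configuration
+We run agents on the controllers as well, so we force eg. ebs csi controllers and others to assume roles etc.
+This means we need to run kiam containers on the controllers using `hostnetwork: true`.
+Therefore we also change the default port from 443 to 6444 to not collide with the potential api-server port on the controllers.
+Make sure any firewall rules between controllers and workers are adjusted accordingly.
+
+## Kiam Certificates
+The required certificates for Kiam server and agents are provided by a local cert-manager, which is configured to have a cluster local self-signing CA as part of the KubeZero platform.
+[Kiam TLS Config](https://github.com/uswitch/kiam/blob/master/docs/TLS.md#cert-manager)
+[KubeZero cert-manager](../kubezero-cert-manager/README.md)
+
+## Metadata restrictions
+Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
+
+- `/latest/meta-data/instance-id`
+- `/latest/dynamic/instance-identity/document`
+
+{{ template "chart.valuesSection" . }}
+
+## Debugging
+- Verify iptables rules on hosts to be set by the kiam agent:
+`iptables -L -t nat -n --line-numbers`
+`iptables -t nat -D PREROUTING <wrong rule>`
+
+## Resources
+- https://github.com/uswitch/kiam
+- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
+
+---
+![Architecture](kiam_architecure.png)
+Image Credits: Blue Matador, Inc.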
2933
charts/kubezero-kiam/kiam-grafana-dashboard.json
Normal file
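--- /dev/null
+++ b/charts/kubezero-kiam/kiam_architecure.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a37511a23d3180d5c7d236c004a56c4b69afda33315920570e99e391ee1e732
+size 43992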
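--- /dev/null
+++ b/charts/kubezero-kiam/templates/certificates.yaml
@@ -0,0 +1,28 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: kiam-agent
+spec:
+  secretName: kiam-agent-tls
+  issuerRef:
+    name: kubezero-local-ca-issuer
+  usages:
+    - "any"
+  dnsNames:
+    - "kiam-agent"
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: kiam-server
+spec:
+  secretName: kiam-server-tls
+  issuerRef:
+    name: kubezero-local-ca-issuer
+  usages:
+    - "any"
+  dnsNames:
+    - "localhost"
+    - "kiam-server"
+  ipAddresses:
+    - "127.0.0.1"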
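Review bot: Both Certificates request `usages: ["any"]`, so the agent key is also signed for server auth and the server key for everything else, although kiam's mutual TLS only needs the agent cert for client auth and the server cert for server auth (plus client auth if, as the `localhost`/`127.0.0.1` SANs suggest, the server's health probe connects back to itself with its own cert — worth confirming against the upstream chart). Issue least-privilege usages instead: for kiam-agent `usages:` / `- "client auth"`, and for kiam-server `usages:` / `- "server auth"` / `- "client auth"`, so a leaked agent secret cannot be presented as a server certificate under the same cluster CA. `issuerRef` has no `kind`, which cert-manager defaults to a namespaced `Issuer`; if `kubezero-local-ca-issuer` is in fact a ClusterIssuer (the README only says "cluster local"), add `kind: ClusterIssuer` or the Certificates will not resolve outside the Issuer's namespace. A short header comment naming which component consumes each secret (`# client cert mounted by the kiam-agent DaemonSet`, `# server cert for kiam-server; localhost SAN is for the in-pod health probe`) would also help the next reader.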
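--- /dev/null
+++ b/charts/kubezero-kiam/templates/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system
+  annotations:
+    iam.amazonaws.com/permitted: ".*"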
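Review bot: `iam.amazonaws.com/permitted: ".*"` on kube-system allows every pod in that namespace carrying an `iam.amazonaws.com/role` annotation to obtain any role the kiam server role is trusted to assume, so whoever can create or patch pods in kube-system gets the full AWS blast radius of the server role. Narrow the regexp to the role set the platform actually needs, e.g. `iam.amazonaws.com/permitted: "^kubezero-.*$"` (kiam matches this against the pod's role annotation value, so the pattern must fit the name or ARN form your pods use — adjust to the real naming). Separately, the chart now owns the pre-existing `kube-system` Namespace object: with plain `helm install` Helm 3 refuses to adopt it, and on uninstall it will try to delete it, so either apply this annotation out-of-band or add `helm.sh/resource-policy: keep` next to the permitted annotation (if KubeZero installs via `helm template | kubectl apply` this is less of an issue, but the intent should be stated in a comment).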
@ -1,6 +1,7 @@
|
||||
kiam:
|
||||
server:
|
||||
# assumeRoleArn: <INSERT_CLOUDFORMATION_OUTPUT_KiamServerRoleArn>
|
||||
# kiam.server.assumeRoleArn -- kiam server IAM role to assume, required as we run the agents next to the servers normally
|
||||
assumeRoleArn: arn:aws:iam::123456789012:role/kiam-server-role
|
||||
useHostNetwork: true
|
||||
sslCertHostPath: /etc/ssl/certs
|
||||
tlsSecret: kiam-server-tls
|
||||
@ -9,7 +10,7 @@ kiam:
|
||||
targetPort: 6444
|
||||
deployment:
|
||||
enabled: true
|
||||
replicas: 2
|
||||
replicas: 1
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
@ -18,9 +19,9 @@ kiam:
|
||||
prometheus:
|
||||
servicemonitor:
|
||||
enabled: false
|
||||
# log:
|
||||
# level: warn
|
||||
|
||||
log:
|
||||
level: warn
|
||||
|
||||
agent:
|
||||
host:
|
||||
iptables: true
|
||||
@ -33,8 +34,8 @@ kiam:
|
||||
prometheus:
|
||||
servicemonitor:
|
||||
enabled: false
|
||||
# log:
|
||||
# level: warn
|
||||
log:
|
||||
level: warn
|
||||
# extraEnv:
|
||||
# - name: GRPC_GO_LOG_SEVERITY_LEVEL
|
||||
# value: "info"
|
||||
|
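Review bot: The first hunk turns the commented `<INSERT_CLOUDFORMATION_OUTPUT_KiamServerRoleArn>` placeholder into a live default, `assumeRoleArn: arn:aws:iam::123456789012:role/kiam-server-role`, so a deployment that forgets to override it renders a syntactically valid but fictitious role ARN (123456789012 is the AWS documentation example account) and only fails once kiam-server tries to assume that role, instead of at install time. Prefer an empty default that fails the render: `assumeRoleArn: ""` here and, in a template of this umbrella chart, `{{- if not .Values.kiam.server.assumeRoleArn }}{{ fail "kiam.server.assumeRoleArn must be set" }}{{- end }}` — the Deployment itself comes from the kiam subchart, so the guard has to live in this chart. The second hunk lowers `replicas` from 2 to 1; every pod credential request on every node is brokered by the server, so a single replica pinned to a control-plane node is a single point of failure for all AWS access, and if that is deliberate for small clusters a comment such as `# single replica: scale up for HA clusters` should say so. The values.yaml file header is not rendered on this page, so the rest of the file is not visible.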