First kiam implementation incl. docs
This commit is contained in:
parent
93528227f7
commit
9d02c2d96d
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero-kiam
|
name: kubezero-kiam
|
||||||
description: KubeZero Umbrella Chart for Kiam
|
description: KubeZero Umbrella Chart for Kiam
|
||||||
type: application
|
type: application
|
||||||
version: 0.1.0
|
version: 0.1.1
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/logo_small.png
|
icon: https://cdn.zero-downtime.net/assets/logo_small.png
|
||||||
keywords:
|
keywords:
|
||||||
|
69
charts/kubezero-kiam/README.md
Normal file
69
charts/kubezero-kiam/README.md
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
kubezero-kiam
|
||||||
|
=============
|
||||||
|
KubeZero Umbrella Chart for Kiam
|
||||||
|
|
||||||
|
Current chart version is `0.1.1`
|
||||||
|
|
||||||
|
Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
|
## Chart Requirements
|
||||||
|
|
||||||
|
| Repository | Name | Version |
|
||||||
|
|------------|------|---------|
|
||||||
|
| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.7.0 |
|
||||||
|
|
||||||
|
## KubeZero default configuration
|
||||||
|
We run agents on the controllers as well, so we force eg. ebs csi controllers and others to assume roles etc.
|
||||||
|
This means we need to run kiam containers on the controllers using `hostnetwork: true`.
|
||||||
|
Therefore we also change the default port from 443 to 6444 to not collide with the potential api-server port on the controllers.
|
||||||
|
Make sure any firewall rules between controllers and workers are adjusted accordingly.
|
||||||
|
|
||||||
|
## Kiam Certificates
|
||||||
|
The required certificates for Kiam server and agents are provided by a local cert-manager, which is configured to have a cluster local self-signing CA as part of the KubeZero platform.
|
||||||
|
[Kiam TLS Config](https://github.com/uswitch/kiam/blob/master/docs/TLS.md#cert-manager)
|
||||||
|
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
||||||
|
|
||||||
|
## Metadata restrictions
|
||||||
|
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
|
||||||
|
|
||||||
|
- `/latest/meta-data/instance-id`
|
||||||
|
- `/latest/dynamic/instance-identity/document`
|
||||||
|
|
||||||
|
## Chart Values
|
||||||
|
|
||||||
|
| Key | Type | Default | Description |
|
||||||
|
|-----|------|---------|-------------|
|
||||||
|
| kiam.agent.host.iptables | bool | `true` | |
|
||||||
|
| kiam.agent.log.level | string | `"warn"` | |
|
||||||
|
| kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||||
|
| kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` | |
|
||||||
|
| kiam.agent.tlsSecret | string | `"kiam-agent-tls"` | |
|
||||||
|
| kiam.agent.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
|
| kiam.agent.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
|
| kiam.agent.whiteListRouteRegexp | string | `"^/latest/(meta-data/instance-id|dynamic)"` | |
|
||||||
|
| kiam.server.assumeRoleArn | string | `"arn:aws:iam::123456789012:role/kiam-server-role"` | kiam server IAM role to assume, required as we run the agents next to the servers normally |
|
||||||
|
| kiam.server.deployment.enabled | bool | `true` | |
|
||||||
|
| kiam.server.deployment.replicas | int | `1` | |
|
||||||
|
| kiam.server.log.level | string | `"warn"` | |
|
||||||
|
| kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
|
| kiam.server.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||||
|
| kiam.server.service.port | int | `6444` | |
|
||||||
|
| kiam.server.service.targetPort | int | `6444` | |
|
||||||
|
| kiam.server.sslCertHostPath | string | `"/etc/ssl/certs"` | |
|
||||||
|
| kiam.server.tlsSecret | string | `"kiam-server-tls"` | |
|
||||||
|
| kiam.server.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
|
| kiam.server.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
|
| kiam.server.useHostNetwork | bool | `true` | |
|
||||||
|
|
||||||
|
## Debugging
|
||||||
|
- Verify iptables rules on hosts to be set by the kiam agent:
|
||||||
|
`iptables -L -t nat -n --line-numbers`
|
||||||
|
`iptables -t nat -D PREROUTING <wrong rule>`
|
||||||
|
|
||||||
|
## Resources
|
||||||
|
- https://github.com/uswitch/kiam
|
||||||
|
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
||||||
|
|
||||||
|
---
|
||||||
|
![Architecture](kiam_architecure.png)
|
||||||
|
Image Credits: Blue Matador, Inc.
|
40
charts/kubezero-kiam/README.md.gotmpl
Normal file
40
charts/kubezero-kiam/README.md.gotmpl
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
{{ template "chart.header" . }}
|
||||||
|
{{ template "chart.description" . }}
|
||||||
|
|
||||||
|
{{ template "chart.versionLine" . }}
|
||||||
|
|
||||||
|
{{ template "chart.sourceLinkLine" . }}
|
||||||
|
|
||||||
|
{{ template "chart.requirementsSection" . }}
|
||||||
|
|
||||||
|
## KubeZero default configuration
|
||||||
|
We run agents on the controllers as well, so we force eg. ebs csi controllers and others to assume roles etc.
|
||||||
|
This means we need to run kiam containers on the controllers using `hostnetwork: true`.
|
||||||
|
Therefore we also change the default port from 443 to 6444 to not collide with the potential api-server port on the controllers.
|
||||||
|
Make sure any firewall rules between controllers and workers are adjusted accordingly.
|
||||||
|
|
||||||
|
## Kiam Certificates
|
||||||
|
The required certificates for Kiam server and agents are provided by a local cert-manager, which is configured to have a cluster local self-signing CA as part of the KubeZero platform.
|
||||||
|
[Kiam TLS Config](https://github.com/uswitch/kiam/blob/master/docs/TLS.md#cert-manager)
|
||||||
|
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
||||||
|
|
||||||
|
## Metadata restrictions
|
||||||
|
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
|
||||||
|
|
||||||
|
- `/latest/meta-data/instance-id`
|
||||||
|
- `/latest/dynamic/instance-identity/document`
|
||||||
|
|
||||||
|
{{ template "chart.valuesSection" . }}
|
||||||
|
|
||||||
|
## Debugging
|
||||||
|
- Verify iptables rules on hosts to be set by the kiam agent:
|
||||||
|
`iptables -L -t nat -n --line-numbers`
|
||||||
|
`iptables -t nat -D PREROUTING <wrong rule>`
|
||||||
|
|
||||||
|
## Resources
|
||||||
|
- https://github.com/uswitch/kiam
|
||||||
|
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
||||||
|
|
||||||
|
---
|
||||||
|
![Architecture](kiam_architecure.png)
|
||||||
|
Image Credits: Blue Matador, Inc.
|
2933
charts/kubezero-kiam/kiam-grafana-dashboard.json
Normal file
2933
charts/kubezero-kiam/kiam-grafana-dashboard.json
Normal file
File diff suppressed because it is too large
Load Diff
3
charts/kubezero-kiam/kiam_architecure.png
Normal file
3
charts/kubezero-kiam/kiam_architecure.png
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:0a37511a23d3180d5c7d236c004a56c4b69afda33315920570e99e391ee1e732
|
||||||
|
size 43992
|
28
charts/kubezero-kiam/templates/certificates.yaml
Normal file
28
charts/kubezero-kiam/templates/certificates.yaml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
apiVersion: cert-manager.io/v1alpha2
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: kiam-agent
|
||||||
|
spec:
|
||||||
|
secretName: kiam-agent-tls
|
||||||
|
issuerRef:
|
||||||
|
name: kubezero-local-ca-issuer
|
||||||
|
usages:
|
||||||
|
- "any"
|
||||||
|
dnsNames:
|
||||||
|
- "kiam-agent"
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1alpha2
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: kiam-server
|
||||||
|
spec:
|
||||||
|
secretName: kiam-server-tls
|
||||||
|
issuerRef:
|
||||||
|
name: kubezero-local-ca-issuer
|
||||||
|
usages:
|
||||||
|
- "any"
|
||||||
|
dnsNames:
|
||||||
|
- "localhost"
|
||||||
|
- "kiam-server"
|
||||||
|
ipAddresses:
|
||||||
|
- "127.0.0.1"
|
6
charts/kubezero-kiam/templates/namespace.yaml
Normal file
6
charts/kubezero-kiam/templates/namespace.yaml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: kube-system
|
||||||
|
annotations:
|
||||||
|
iam.amazonaws.com/permitted: ".*"
|
@ -1,6 +1,7 @@
|
|||||||
kiam:
|
kiam:
|
||||||
server:
|
server:
|
||||||
# assumeRoleArn: <INSERT_CLOUDFORMATION_OUTPUT_KiamServerRoleArn>
|
# kiam.server.assumeRoleArn -- kiam server IAM role to assume, required as we run the agents next to the servers normally
|
||||||
|
assumeRoleArn: arn:aws:iam::123456789012:role/kiam-server-role
|
||||||
useHostNetwork: true
|
useHostNetwork: true
|
||||||
sslCertHostPath: /etc/ssl/certs
|
sslCertHostPath: /etc/ssl/certs
|
||||||
tlsSecret: kiam-server-tls
|
tlsSecret: kiam-server-tls
|
||||||
@ -9,7 +10,7 @@ kiam:
|
|||||||
targetPort: 6444
|
targetPort: 6444
|
||||||
deployment:
|
deployment:
|
||||||
enabled: true
|
enabled: true
|
||||||
replicas: 2
|
replicas: 1
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
- key: node-role.kubernetes.io/master
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
@ -18,9 +19,9 @@ kiam:
|
|||||||
prometheus:
|
prometheus:
|
||||||
servicemonitor:
|
servicemonitor:
|
||||||
enabled: false
|
enabled: false
|
||||||
# log:
|
log:
|
||||||
# level: warn
|
level: warn
|
||||||
|
|
||||||
agent:
|
agent:
|
||||||
host:
|
host:
|
||||||
iptables: true
|
iptables: true
|
||||||
@ -33,8 +34,8 @@ kiam:
|
|||||||
prometheus:
|
prometheus:
|
||||||
servicemonitor:
|
servicemonitor:
|
||||||
enabled: false
|
enabled: false
|
||||||
# log:
|
log:
|
||||||
# level: warn
|
level: warn
|
||||||
# extraEnv:
|
# extraEnv:
|
||||||
# - name: GRPC_GO_LOG_SEVERITY_LEVEL
|
# - name: GRPC_GO_LOG_SEVERITY_LEVEL
|
||||||
# value: "info"
|
# value: "info"
|
||||||
|
Loading…
Reference in New Issue
Block a user