37 lines
1.5 KiB
Go Template
37 lines
1.5 KiB
Go Template
{{ template "chart.header" . }}
|
|
{{ template "chart.description" . }}
|
|
|
|
{{ template "chart.versionLine" . }}
|
|
|
|
{{ template "chart.sourceLinkLine" . }}
|
|
|
|
{{ template "chart.requirementsSection" . }}
|
|
|
|
## KubeZero default configuration
|
|
We run agents on the controllers as well, so we force eg. ebs csi controllers and others to assume roles etc.
|
|
This means we need to run kiam containers on the controllers using `hostnetwork: true`.
|
|
Therefore we also change the default port from 443 to 6444 to not collide with the potential api-server port on the controllers.
|
|
Make sure any firewall rules between controllers and workers are adjusted accordingly.
|
|
|
|
## Kiam Certificates
|
|
The required certificates for Kiam server and agents are provided by a local cert-manager, which is configured to have a cluster local self-signing CA as part of the KubeZero platform.
|
|
[Kiam TLS Config](https://github.com/uswitch/kiam/blob/master/docs/TLS.md#cert-manager)
|
|
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
|
|
|
## Metadata restrictions
|
|
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
|
|
|
|
- `/latest/meta-data/instance-id`
|
|
- `/latest/dynamic/instance-identity/document`
|
|
|
|
{{ template "chart.valuesSection" . }}
|
|
|
|
## Debugging
|
|
- Verify iptables rules on hosts to be set by the kiam agent:
|
|
`iptables -L -t nat -n --line-numbers`
|
|
`iptables -t nat -D PREROUTING <wrong rule>`
|
|
|
|
## Resources
|
|
- https://github.com/uswitch/kiam
|
|
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|