First kiam implementation incl. docs

charts/kubezero-kiam/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-kiam
 description: KubeZero Umbrella Chart for Kiam
 type: application
-version: 0.1.0
+version: 0.1.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/logo_small.png
 keywords:

charts/kubezero-kiam/README.md

@@ -0,0 +1,69 @@
+kubezero-kiam
+=============
+KubeZero Umbrella Chart for Kiam
+
+Current chart version is `0.1.1`
+
+Source code can be found [here](https://kubezero.com)
+
+## Chart Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.7.0 |
+
+## KubeZero default configuration
+We run agents on the controllers as well, so we force eg. ebs csi controllers and others to assume roles etc.
+This means we need to run kiam containers on the controllers using `hostnetwork: true`.
+Therefore we also change the default port from 443 to 6444 to not collide with the potential api-server port on the controllers.
+Make sure any firewall rules between controllers and workers are adjusted accordingly.
+
+## Kiam Certificates
+The required certificates for Kiam server and agents are provided by a local cert-manager, which is configured to have a cluster local self-signing CA as part of the KubeZero platform.  
+[Kiam TLS Config](https://github.com/uswitch/kiam/blob/master/docs/TLS.md#cert-manager)  
+[KubeZero cert-manager](../kubezero-cert-manager/README.md)
+
+## Metadata restrictions
+Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
+
+- `/latest/meta-data/instance-id`
+- `/latest/dynamic/instance-identity/document`
+
+## Chart Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| kiam.agent.host.iptables | bool | `true` |  |
+| kiam.agent.log.level | string | `"warn"` |  |
+| kiam.agent.prometheus.servicemonitor.enabled | bool | `false` |  |
+| kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` |  |
+| kiam.agent.tlsSecret | string | `"kiam-agent-tls"` |  |
+| kiam.agent.tolerations[0].effect | string | `"NoSchedule"` |  |
+| kiam.agent.tolerations[0].key | string | `"node-role.kubernetes.io/master"` |  |
+| kiam.agent.whiteListRouteRegexp | string | `"^/latest/(meta-data/instance-id|dynamic)"` |  |
+| kiam.server.assumeRoleArn | string | `"arn:aws:iam::123456789012:role/kiam-server-role"` |  kiam server IAM role to assume, required as we run the agents next to the servers normally |
+| kiam.server.deployment.enabled | bool | `true` |  |
+| kiam.server.deployment.replicas | int | `1` |  |
+| kiam.server.log.level | string | `"warn"` |  |
+| kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` |  |
+| kiam.server.prometheus.servicemonitor.enabled | bool | `false` |  |
+| kiam.server.service.port | int | `6444` |  |
+| kiam.server.service.targetPort | int | `6444` |  |
+| kiam.server.sslCertHostPath | string | `"/etc/ssl/certs"` |  |
+| kiam.server.tlsSecret | string | `"kiam-server-tls"` |  |
+| kiam.server.tolerations[0].effect | string | `"NoSchedule"` |  |
+| kiam.server.tolerations[0].key | string | `"node-role.kubernetes.io/master"` |  |
+| kiam.server.useHostNetwork | bool | `true` |  |
+
+## Debugging
+- Verify iptables rules on hosts to be set by the kiam agent:  
+  `iptables -L -t nat -n --line-numbers`  
+  `iptables -t nat -D PREROUTING <wrong rule>`
+
+## Resources
+- https://github.com/uswitch/kiam
+- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
+
+---
+![Architecture](kiam_architecure.png)  
+Image Credits: Blue Matador, Inc.

charts/kubezero-kiam/README.md.gotmpl

@@ -0,0 +1,40 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionLine" . }}
+
+{{ template "chart.sourceLinkLine" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+## KubeZero default configuration
+We run agents on the controllers as well, so we force eg. ebs csi controllers and others to assume roles etc.
+This means we need to run kiam containers on the controllers using `hostnetwork: true`.
+Therefore we also change the default port from 443 to 6444 to not collide with the potential api-server port on the controllers.
+Make sure any firewall rules between controllers and workers are adjusted accordingly.
+
+## Kiam Certificates
+The required certificates for Kiam server and agents are provided by a local cert-manager, which is configured to have a cluster local self-signing CA as part of the KubeZero platform.  
+[Kiam TLS Config](https://github.com/uswitch/kiam/blob/master/docs/TLS.md#cert-manager)  
+[KubeZero cert-manager](../kubezero-cert-manager/README.md)
+
+## Metadata restrictions
+Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
+
+- `/latest/meta-data/instance-id`
+- `/latest/dynamic/instance-identity/document`
+
+{{ template "chart.valuesSection" . }}
+
+## Debugging
+- Verify iptables rules on hosts to be set by the kiam agent:  
+  `iptables -L -t nat -n --line-numbers`  
+  `iptables -t nat -D PREROUTING <wrong rule>`
+
+## Resources
+- https://github.com/uswitch/kiam
+- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
+
+---
+![Architecture](kiam_architecure.png)  
+Image Credits: Blue Matador, Inc.

charts/kubezero-kiam/templates/certificates.yaml

@@ -0,0 +1,28 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: kiam-agent
+spec:
+  secretName: kiam-agent-tls
+  issuerRef:
+    name: kubezero-local-ca-issuer
+  usages:
+  - "any"
+  dnsNames:
+  - "kiam-agent"
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: kiam-server
+spec:
+  secretName: kiam-server-tls
+  issuerRef:
+    name: kubezero-local-ca-issuer
+  usages:
+  - "any"
+  dnsNames:
+  - "localhost"
+  - "kiam-server"
+  ipAddresses:
+  - "127.0.0.1"

charts/kubezero-kiam/templates/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system
+  annotations:
+    iam.amazonaws.com/permitted: ".*"

charts/kubezero-kiam/values.yaml

@@ -1,6 +1,7 @@
 kiam:
   server:
-    # assumeRoleArn: <INSERT_CLOUDFORMATION_OUTPUT_KiamServerRoleArn> 
+    # kiam.server.assumeRoleArn --  kiam server IAM role to assume, required as we run the agents next to the servers normally
+    assumeRoleArn: arn:aws:iam::123456789012:role/kiam-server-role
     useHostNetwork: true
     sslCertHostPath: /etc/ssl/certs
     tlsSecret: kiam-server-tls
@@ -9,7 +10,7 @@ kiam:
       targetPort: 6444
     deployment:
       enabled: true
-      replicas: 2
+      replicas: 1
     tolerations:
     - key: node-role.kubernetes.io/master
       effect: NoSchedule
@@ -18,9 +19,9 @@ kiam:
     prometheus:
       servicemonitor:
         enabled: false
-  #  log:
-  #    level: warn
-  
+    log:
+      level: warn
+
   agent:
     host:
       iptables: true
@@ -33,8 +34,8 @@ kiam:
     prometheus:
       servicemonitor:
         enabled: false
-  #  log:
-  #    level: warn
+    log:
+      level: warn
   #  extraEnv:
   #  - name: GRPC_GO_LOG_SEVERITY_LEVEL
   #    value: "info"