package main
import (
"strings"
"time"
log "github.com/Sirupsen/logrus"
"github.com/spf13/pflag"
"github.com/jtblin/kube2iam/iam"
"github.com/jtblin/kube2iam/iptables"
"github.com/jtblin/kube2iam/server"
"github.com/jtblin/kube2iam/version"
)
// Defaults for the command line flags whose starting value is not simply
// the zero value of server.Server.
const (
	// defaultAppPort is the HTTP port used when --app-port is not given.
	defaultAppPort = "8181"
	// defaultMetadataAddress is the metadata endpoint the proxy fronts when
	// --metadata-addr is not given.
	defaultMetadataAddress = "169.254.169.254"
	// defaultNamespaceKey is the namespace annotation consulted for the list
	// of allowed IAM roles when --namespace-key is not given.
	defaultNamespaceKey = "iam.amazonaws.com/allowed-roles"

	// defaultMaxInterval caps the interval between backoff retries of a role query.
	defaultMaxInterval = 2 * time.Second
	// defaultMaxElapsedTime caps the total time spent retrying a role query.
	defaultMaxElapsedTime = 30 * time.Second
)
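// addFlags registers every command line flag on fs, binding each one to the
// corresponding field of s. Fields with no dedicated default keep whatever
// value s already holds; the others take the package-level defaults.
//
// Two flags deserve care when deploying:
//   - --api-token places a credential on the command line, so it is readable
//     by anything that can inspect the process arguments (process listings,
//     the pod spec); treat it as exposed wherever the argument list is visible.
//   - --insecure disables TLS verification for the API server connection and
//     is documented as testing only.
func addFlags(s *server.Server, fs *pflag.FlagSet) {
	// Kubernetes API server access.
	fs.StringVar(&s.APIServer, "api-server", s.APIServer, "Endpoint for the api server")
	fs.StringVar(&s.APIToken, "api-token", s.APIToken, "Token to authenticate with the api server")
	fs.BoolVar(&s.Insecure, "insecure", false, "Kubernetes server should be accessed without verifying the TLS. Testing only")

	// Listener and metadata proxying.
	fs.StringVar(&s.AppPort, "app-port", defaultAppPort, "Http port")
	// Help text previously read "ec3"; the address is the EC2 metadata endpoint.
	fs.StringVar(&s.MetadataAddress, "metadata-addr", defaultMetadataAddress, "Address for the ec2 metadata")
	fs.BoolVar(&s.AddIPTablesRule, "iptables", false, "Add iptables rule (also requires --host-ip)")
	fs.StringVar(&s.HostInterface, "host-interface", "docker0", "Host interface for proxying AWS metadata")
	fs.StringVar(&s.HostIP, "host-ip", s.HostIP, "IP address of host")

	// IAM role resolution.
	fs.StringVar(&s.BaseRoleARN, "base-role-arn", s.BaseRoleARN, "Base role ARN")
	fs.BoolVar(&s.AutoDiscoverBaseArn, "auto-discover-base-arn", false, "Queries EC2 Metadata to determine the base ARN")
	fs.BoolVar(&s.NamespaceRestriction, "namespace-restrictions", false, "Enable namespace restrictions")
	fs.StringVar(&s.NamespaceKey, "namespace-key", defaultNamespaceKey, "Namespace annotation key used to retrieve the IAM roles allowed (value in annotation should be json array)")
	fs.DurationVar(&s.BackoffMaxInterval, "backoff-max-interval", defaultMaxInterval, "Max interval for backoff when querying for role.")
	fs.DurationVar(&s.BackoffMaxElapsedTime, "backoff-max-elapsed-time", defaultMaxElapsedTime, "Max elapsed time for backoff when querying for role.")

	// Diagnostics.
	fs.BoolVar(&s.Debug, "debug", s.Debug, "Enable debug features")
	fs.BoolVar(&s.Verbose, "verbose", false, "Verbose")
	fs.BoolVar(&s.Version, "version", false, "Print the version and exit")
}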
// configureBaseRoleARN validates an explicitly supplied --base-role-arn and
// normalises it to end with "/", or fills it in from EC2 metadata when
// --auto-discover-base-arn is set. Supplying both flags, an invalid ARN, or
// a failed metadata lookup is fatal; the process exits before the server
// starts.
func configureBaseRoleARN(s *server.Server) {
	if s.BaseRoleARN != "" {
		if !iam.IsValidBaseARN(s.BaseRoleARN) {
			log.Fatalf("Invalid --base-role-arn specified, expected: %s", iam.ARNRegexp.String())
		}
		// Normalise to a trailing "/" (presumably so role names can be
		// appended directly — confirm in the iam package).
		if !strings.HasSuffix(s.BaseRoleARN, "/") {
			s.BaseRoleARN += "/"
		}
	}

	if !s.AutoDiscoverBaseArn {
		return
	}
	if s.BaseRoleARN != "" {
		log.Fatal("--auto-discover-base-arn cannot be used if --base-role-arn is specified")
	}
	arn, err := iam.GetBaseArn()
	if err != nil {
		log.Fatalf("%s", err)
	}
	log.Infof("base ARN autodetected, %s", arn)
	s.BaseRoleARN = arn
}

// main parses the command line, resolves the base role ARN, optionally
// installs the iptables redirect and then runs the server. Every failure on
// the way is fatal.
//
// NOTE(review): the iptables rule is installed before s.Run and nothing in
// this function removes it if Run returns an error, so a failed start can
// leave the redirect in place — confirm whether iptables or the server
// package cleans it up.
func main() {
	var s server.Server
	addFlags(&s, pflag.CommandLine)
	pflag.Parse()

	level := log.InfoLevel
	if s.Verbose {
		level = log.DebugLevel
	}
	log.SetLevel(level)

	if s.Version {
		version.PrintVersionAndExit()
	}

	configureBaseRoleARN(&s)

	if s.AddIPTablesRule {
		// Presumably redirects metadata traffic on the host interface to this
		// proxy; the flag help notes it also needs --host-ip.
		if err := iptables.AddRule(s.AppPort, s.MetadataAddress, s.HostInterface, s.HostIP); err != nil {
			log.Fatalf("%s", err)
		}
	}

	// Insecure skips TLS verification of the API server; see addFlags.
	if err := s.Run(s.APIServer, s.APIToken, s.Insecure); err != nil {
		log.Fatalf("%s", err)
	}
}