Description
Hi,
Use case: with a cluster-based installation of the ACK controllers, I want to still use namespace-specific IAM roles in my multi-tenant cluster.
If possible, I'd like to propose being able to use CARM to pass a namespace name rather than an account ID, and then use this to map to a specific namespace IAM role within a single account.
I've tested this and it does currently work, but it's not what CARM is intended for and of course isn't documented:
e.g.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace-1
  annotations:
    services.k8s.aws/owner-account-id: "my-namespace-1"
    services.k8s.aws/default-region: "eu-west-2"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ack-role-account-map
  namespace: ack-system
data:
  "my-namespace-1": arn:aws:iam::000000000000:role/my-namespaces-1 # map namespace to corresponding role
```
This may also require the code to check if the annotation `services.k8s.aws/owner-account-id` is not a 12-digit number (an account number), and if so, set the `status.resourceMetadata.OwnerAccountID` metadata to the current account number.
Perhaps this would all be better implemented with an alternative new annotation `services.k8s.aws/owner-namespace-name` and a ConfigMap `ack-role-namespace-map`?
Thanks
Andy
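To make the proposed lookup concrete, here is an added Go sketch of the resolution logic the issue describes; it is not ACK runtime code and uses hypothetical names (`ResolveRole`, `IsAccountID`, the `Resolution` struct). It takes the namespace annotations and the `ack-role-account-map` data as plain maps, treats a 12-digit key as an account ID and anything else as a namespace key, falls back to the current account for `OwnerAccountID` in the namespace case, and as an extra safety check refuses a mapping whose role ARN lives in a different account than the resolved owner, so a mistyped ConfigMap entry cannot silently hand a tenant a cross-account role.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Names taken from the issue text; the ConfigMap name is only used in error messages.
const (
	OwnerAccountIDAnnotation = "services.k8s.aws/owner-account-id"
	RoleMapConfigMapName     = "ack-role-account-map"
)

var accountIDRegexp = regexp.MustCompile(`^[0-9]{12}$`)

// IsAccountID reports whether v looks like a 12-digit AWS account ID.
func IsAccountID(v string) bool { return accountIDRegexp.MatchString(v) }

// Resolution is the outcome of mapping a namespace to a role (hypothetical type).
type Resolution struct {
	Key            string // annotation value used as the ConfigMap key
	RoleARN        string // role the controller should assume
	OwnerAccountID string // value for status.resourceMetadata.OwnerAccountID
}

// accountFromARN extracts the account field of an IAM role ARN
// ("arn:aws:iam::ACCOUNT:role/NAME").
func accountFromARN(arn string) (string, error) {
	parts := strings.Split(arn, ":")
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" || !IsAccountID(parts[4]) {
		return "", fmt.Errorf("malformed IAM role ARN %q", arn)
	}
	return parts[4], nil
}

// ResolveRole implements the behaviour proposed in the issue: the annotation value
// is the ConfigMap key either way; if it is not an account ID, the owner account
// becomes the controller's current account. The ARN's account must match the owner.
func ResolveRole(nsAnnotations, roleMap map[string]string, currentAccountID string) (Resolution, error) {
	key := nsAnnotations[OwnerAccountIDAnnotation]
	if key == "" {
		return Resolution{}, fmt.Errorf("namespace has no %s annotation", OwnerAccountIDAnnotation)
	}
	arn, ok := roleMap[key]
	if !ok {
		return Resolution{}, fmt.Errorf("no role mapped for key %q in %s", key, RoleMapConfigMapName)
	}
	owner := key
	if !IsAccountID(key) {
		owner = currentAccountID // namespace key: the role lives in the current account
	}
	arnAccount, err := accountFromARN(arn)
	if err != nil {
		return Resolution{}, err
	}
	if arnAccount != owner {
		return Resolution{}, fmt.Errorf("role %q is in account %s but owner account is %s", arn, arnAccount, owner)
	}
	return Resolution{Key: key, RoleARN: arn, OwnerAccountID: owner}, nil
}

func main() {
	// Constructed sample data mirroring the manifests in the issue.
	roleMap := map[string]string{"my-namespace-1": "arn:aws:iam::000000000000:role/my-namespaces-1"}
	ann := map[string]string{OwnerAccountIDAnnotation: "my-namespace-1"}
	r, err := ResolveRole(ann, roleMap, "000000000000")
	fmt.Println(r, err)
}
```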