aws · max-rocket-internet · Oct 29, 2019 · Feb 6, 2020 · Feb 6, 2020 · Feb 6, 2020
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
@@ -0,0 +1,18 @@
+apiVersion: v1
+appVersion: "c0431e1"
+description: A Helm chart for the Amazon EKS Pod Identity Webhook
+name: aws-pod-identity-webhook
+version: "1.0"
+icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
+home: https://github.com/aws/amazon-eks-pod-identity-webhook
+sources:
+- https://github.com/aws/amazon-eks-pod-identity-webhook
+maintainers:
+- name: Micah Hausler
+  email: micahhausler@users.noreply.github.com
+- name: Nicholas Turner
+  url: https://github.com/nckturner
+  email: nckturner@users.noreply.github.com
+- name: Stefan Prodan
+  url: https://github.com/stefanprodan
+  email: stefanprodan@users.noreply.github.com
@@ -0,0 +1,76 @@
+# AWS Pod Identity Webhook
+
+This chart will install the [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). This tool allows you to specify IAM Roles for Kubernetes Service Accounts. This allows a pod to assume a IAM role.
+
+Further details can be found here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
+
+## Prerequisites
+
+- Kubernetes 1.12+
+
+For installation into a non-EKS cluster, see [Self-hosted Kubernetes setup](https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md)
+
+## Installing the Chart
+
+You first need to retrieve `ca.crt` from your cluster as this is used as a value for the chart:
+
+```sh
+secret_name=$(kubectl get sa default -o jsonpath='{.secrets[0].name}')
+export CA_BUNDLE=$(kubectl get secret/$secret_name -o jsonpath='{.data.ca\.crt}' | tr -d '\n')
+```
+
+And add the EKS repository to Helm:
+
+```sh
+helm repo add eks https://aws.github.io/eks-charts
+```
+
+Then install the chart:
+
+```sh
+helm upgrade -i pod-identity-webhook eks/aws-pod-identity-webhook \
+--namespace kube-system --set caBundle="${CA_BUNDLE}"
+```
+
+After installation you need to approve the certificate. Follow the chart notes after installation for this step.
+
+The webhook will request a new CSR prior to expiration. This new CSR will also need to be manually approved.
+
+## Uninstalling the Chart
+
+To delete the chart:
+
+```sh
+helm delete --purge pod-identity-webhook
+```
+
+## Configuration
+
+The following table lists the configurable parameters for this chart and their default values.
+
+| Parameter                   | Description                           | Default                                                                 |
+| ----------------------------|---------------------------------------|-------------------------------------------------------------------------|
+| `tlsSecretName`             | Name of the secret containing the     | `pod-identity-webhook`                                                  |
+| `annotationPrefix`          | Prefix for annotation                 | `eks.amazonaws.com`                                                     |
+| `tokenAudience`             | Token audience                        | `sts.amazonaws.com`                                                     |
+| `caBundle`                  | CA cert bundle data                   | None. Must be provided on chart install                                 |
+| `image.repository`          | Image repository                      | `602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/pod-identity-webhook` |
+| `image.tag`                 | Image tag                             | `latest`                                                                |
+| `image.pullPolicy`          | Container pull policy                 | `IfNotPresent`                                                          |
+| `replicas`                  | Number of deployment replicas         | `3`                                                                     |
+| `fullnameOverride`          | Override the fullname of the chart    | `nil`                                                                   |
+| `nameOverride`              | Override the name of the chart        | `nil`                                                                   |
+| `priorityClassName`         | Set a priority class for pods         | `nil`                                                                   |
+| `resources.requests.cpu`    | pod CPU request                       | `100m`                                                                  |
+| `resources.requests.memory` | pod memory request                    | `64Mi`                                                                  |
+| `resources.limits.cpu`      | pod CPU limit                         | `2000m`                                                                 |
+| `resources.limits.memory`   | pod memory limit                      | `1Gi`                                                                   |
+| `nodeSelector`              | Node labels for pod assignment        | `{}`                                                                    |
+| `tolerations`               | Optional deployment tolerations       | `[]`                                                                    |
+| `affinity`                  | Map of node/pod affinities            | `{}`                                                                    |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install` or provide a YAML file containing the values for the above parameters:
+
+```sh
+helm update -i pod-identity-webhook eks/aws-pod-identity-webhook --namespace kube-system --values values.yaml
+```
@@ -0,0 +1,10 @@
+
+If this is your first installation of {{ .Chart.Name }} then you need to approve the certificate.
+
+Wait until the pod has started:
+
+  kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/name={{ include "aws-pod-identity-webhook.name" . }}
+
+Then approve the certificate:
+
+  kubectl certificate approve $(kubectl get csr -o jsonpath='{.items[?(@.spec.username=="system:serviceaccount:{{ .Release.Namespace }}:{{ include "aws-pod-identity-webhook.fullname" . }}")].metadata.name}')
@@ -0,0 +1,56 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "aws-pod-identity-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "aws-pod-identity-webhook.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "aws-pod-identity-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "aws-pod-identity-webhook.labels" -}}
+app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }}
+helm.sh/chart: {{ include "aws-pod-identity-webhook.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "aws-pod-identity-webhook.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "aws-pod-identity-webhook.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  namespace: {{ .Release.Namespace }}
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      {{- if .Values.podAnnotations }}
+      annotations:
+      {{- range $key, $value := .Values.podAnnotations }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- end }}
+      labels:
+        app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+    {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+    {{- end }}
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ include "aws-pod-identity-webhook.fullname" . }}
+      containers:
+      - name: webhook
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command:
+        - /webhook
+        - --in-cluster
+        - --namespace={{ .Release.Namespace }}
+        - --service-name={{ include "aws-pod-identity-webhook.fullname" . }}
+        - --tls-secret={{ .Values.tlsSecretName }}
+        - --annotation-prefix={{ .Values.annotationPrefix }}
+        - --token-audience={{ .Values.tokenAudience }}
+        - --logtostderr
+        volumeMounts:
+        - name: webhook-certs
+          mountPath: /var/run/app/certs
+          readOnly: false
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      volumes:
+      - name: webhook-certs
+        emptyDir: {}
@@ -0,0 +1,20 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+webhooks:
+- name: pod-identity-webhook.amazonaws.com
+  failurePolicy: Ignore
+  clientConfig:
+    service:
+      name: {{ include "aws-pod-identity-webhook.fullname" . }}
+      namespace: {{ .Release.Namespace }}
+      path: "/mutate"
+    caBundle: {{ .Values.caBundle | quote }}
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - update
+  - patch
+  resourceNames:
+  - "{{ .Values.tlsSecretName }}"
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  namespace: {{ .Release.Namespace }}
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "aws-pod-identity-webhook.fullname" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    prometheus.io/port: "443"
+    prometheus.io/scheme: "https"
+    prometheus.io/scrape: "true"
+spec:
+  ports:
+  - port: 443
+    targetPort: 443
+  selector:
+    app.kubernetes.io/name: {{ include "aws-pod-identity-webhook.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "aws-pod-identity-webhook.serviceAccountName" . }}
+  labels:
+{{ include "aws-pod-identity-webhook.labels" . | indent 4 }}
+{{- end -}}