
WIP first pass at aws-iam documentation #245

Open
wants to merge 1 commit into base: master
Conversation

@hyperbolic2346
Contributor

commented Jul 29, 2019

Just wanted to get this up here so you can start changing my z's to s's.

@hyperbolic2346 hyperbolic2346 requested a review from evilnick Jul 29, 2019

@evilnick
Collaborator

left a comment

Did you get someone else to write this for you? It is dramatically easier to follow than usual 👍

nav: "shared/_side-navigation.md"
context:
title: "AWS-IAM on Charmed Kubernetes"
description: Using AWS credentials to authenticate and authorize on Charmed Kubernetes


evilnick Aug 2, 2019

Collaborator

authorise

## AWS IAM

[AWS IAM](https://aws.amazon.com/iam/) credentials can be used for
authentication and authorization on your Charmed Kubernetes cluster without


evilnick Aug 2, 2019

Collaborator

authorisation


[AWS IAM](https://aws.amazon.com/iam/) credentials can be used for
authentication and authorization on your Charmed Kubernetes cluster without
regard to where it is hosted. The only requirement is that the client


evilnick Aug 2, 2019

Collaborator

... that both the client...

The [aws-iam-authenticator](aws-iam-authenticator-github) is configured via
[Custom Resource Definition or CRD](k8s-crd-docs)s. These resource definitions map an AWS IAM role or user
to a [Kubernetes RBAC](k8s-rbac-docs) user or group. This means that
authentication happens via AWS IAM credentials, but authorization depends
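Review bot: the link targets `aws-iam-authenticator-github`, `k8s-crd-docs` and `k8s-rbac-docs` are not URLs, yet they are written in the inline form `[text](label)`, which Markdown renders as relative links to pages that do not exist; if they are reference labels defined at the bottom of the page, switch to the reference form, e.g. `[aws-iam-authenticator][aws-iam-authenticator-github]`. While there, move the plural inside the link text: `[Custom Resource Definitions (CRDs)](k8s-crd-docs)` rather than `[Custom Resource Definition or CRD](k8s-crd-docs)s`.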


evilnick Aug 2, 2019

Collaborator

authorisation

authentication happens via AWS IAM credentials, but authorization depends
on standard Kubernetes RBAC rules. The CRD for this mapping is called an
IAMIdentityMapping and looks something like this:
```yaml


evilnick Aug 2, 2019

Collaborator

insert a blank line before code blocks


In order to use the [aws-iam-authenticator](aws-iam-authenticator-github) with
kubectl, an updated config file is needed. The config file written to the
kubernetes-master unit will have a user named aws-iam-user that uses the


evilnick Aug 2, 2019

Collaborator

I would put backticks around aws-iam-user and aws-iam-authenticator

juju scp kubernetes-master/0:config ~/.kube/config
```

The config file will need to be edited in order to add the desired arn


evilnick Aug 2, 2019

Collaborator

I would spell out - Amazon Resource Name (ARN)

kubectl config use-context aws-iam-authenticator
```

### A note about authorization


evilnick Aug 2, 2019

Collaborator

s/z/s

### A note about authorization

The AWS-IAM charm can be used for authentication only or can be used in an
RBAC-enabled cluster to authorize users as well. If the charm is related to


evilnick Aug 2, 2019

Collaborator

authorise

RBAC-enabled cluster to authorize users as well. If the charm is related to
a Charmed Kubernetes cluster without RBAC enabled, any valid AWS IAM
credential that can assume a role specified in the IAMIdentityMapping
CRD will be able to do any commands against the cluster. If RBAC is enabled,
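Review bot: "any valid AWS IAM credential that can assume a role specified in the IAMIdentityMapping CRD" only covers role mappings, but the earlier paragraph says the CRD maps an IAM role or user, so directly mapped users are left out of this warning; suggest "any AWS IAM user or role that is mapped in an IAMIdentityMapping CRD". It would also help to state the consequence plainly: with RBAC disabled, every mapped identity has unrestricted access to the cluster, so readers should enable RBAC before mapping anything beyond administrator identities.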


evilnick Aug 2, 2019

Collaborator

...able to run commands

### Installing

The subordinate charm [aws-iam-authenticator](aws-iam-charm)
and some relations are all that are required. This can be added with the


tvansteenburgh Aug 2, 2019

Contributor

s/This/These

charm: cs:~containers/aws-iam
relations:
- ['aws-iam', 'kubernetes-master']
- ['aws-iam', 'easyrsa']


tvansteenburgh Aug 2, 2019

Contributor

Let's make sure we test with Vault also.

@tvansteenburgh
Contributor

commented Aug 2, 2019

Nicely done, thanks @hyperbolic2346
