This Kubernetes controller is watching Deployment objects using the Kubernetes API. Whenever a Deployment is created or updated,
the controller will check if the Deployment contains the armesto.net/iam-role-annotator annotation, and, in that case, add the iam.amazonaws.com/role annotation containing the appropiate IAM Role.
The IAM Role Annotator assumes that an IAM Role is already created for every application. The IAM Role ARN used in the annotation
will be an ARN of the form arn:aws:iam::<AWS_ACCOUNT_ID>:role/<APPLICATION_NAME>, where the application name is the name of the Deployment object.
We provide a Makefile that you can use to build this application
$ makeOr if you are running linux
$ make build/iam-role-annotator-linux-amd64You can run the tests using the Makefile
$ make testYou can start the application with the following command
$ go run *.go --namespace your-namespace --aws-account-id 12345Or using environment variables
$ NAMESPACE="your-namespace" AWS_ACCOUNT_ID="12345" go run *.goThese are the available parameters (all parameters can be also passed as environment variables)
- namespace: Only Deployments in this namespace will be watched
- aws-account-id: The AWS account id used in the role's ARN
- resync-seconds: The controller will reprocess all watched objects every
resync-secondsseconds - kubeconfig: Kubernetes configuration file used to connect to the cluster, only used when running the controller outside the cluster
This application is package using Docker containers that are published in this repository
$ make release