Fix irsa for k8s < 1.20

kubernetes · Feb 8, 2022 · 7f64319 · 7f64319
1 parent 7f9bf4e
commit 7f64319
Show file tree

Hide file tree

Showing 35 changed files with 3,564 additions and 4 deletions.
diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
@@ -767,6 +767,18 @@ func TestCustomIRSA(t *testing.T) {
 		runTestTerraformAWS(t)
 }
 
+// TestCustomIRSA119 runs a simple k8s 1.19 configuration, but with some additional IAM roles for ServiceAccounts
+func TestCustomIRSA119(t *testing.T) {
+	newIntegrationTest("minimal.example.com", "irsa119").
+		withOIDCDiscovery().
+		withServiceAccountRole("myserviceaccount.default", false).
+		withServiceAccountRole("myserviceaccount.test-wildcard", false).
+		withServiceAccountRole("myotherserviceaccount.myapp", true).
+		withKubeDNS().
+		withAddons(dnsControllerAddon).
+		runTestTerraformAWS(t)
+}
+
 // TestClusterNameDigit runs a configuration with a cluster name beginning with a digit
 func TestClusterNameDigit(t *testing.T) {
 	newIntegrationTest("123.example.com", "digit").

diff --git a/pkg/model/components/apiserver.go b/pkg/model/components/apiserver.go
@@ -177,11 +177,11 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 		}
 	}
 
-	if clusterSpec.CloudConfig != nil && clusterSpec.CloudConfig.AWSEBSCSIDriver != nil && fi.BoolValue(clusterSpec.CloudConfig.AWSEBSCSIDriver.Enabled) {
+	if c.FeatureGates == nil {
+		c.FeatureGates = make(map[string]string)
+	}
 
-		if c.FeatureGates == nil {
-			c.FeatureGates = make(map[string]string)
-		}
+	if clusterSpec.CloudConfig != nil && clusterSpec.CloudConfig.AWSEBSCSIDriver != nil && fi.BoolValue(clusterSpec.CloudConfig.AWSEBSCSIDriver.Enabled) {
 
 		if b.IsKubernetesLT("1.21.0") {
 			if _, found := c.FeatureGates["CSIMigrationAWSComplete"]; !found {
@@ -198,6 +198,12 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 		}
 	}
 
+	if b.IsKubernetesLT("1.20") && clusterSpec.ServiceAccountIssuerDiscovery != nil && fi.BoolValue(&clusterSpec.ServiceAccountIssuerDiscovery.EnableAWSOIDCProvider) {
+		if _, found := c.FeatureGates["ServiceAccountIssuerDiscovery"]; !found {
+			c.FeatureGates["ServiceAccountIssuerDiscovery"] = "true"
+		}
+	}
+
 	return nil
 }
 

diff --git a/...s/integration/update_cluster/irsa119/data/aws_iam_role_masters.minimal.example.com_policy b/...s/integration/update_cluster/irsa119/data/aws_iam_role_masters.minimal.example.com_policy
@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": { "Service": "ec2.amazonaws.com"},
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
diff --git a/...uster/irsa119/data/aws_iam_role_myotherserviceaccount.myapp.sa.minimal.example.com_policy b/...uster/irsa119/data/aws_iam_role_myotherserviceaccount.myapp.sa.minimal.example.com_policy
@@ -0,0 +1,17 @@
+{
+  "Statement": [
+    {
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "discovery.example.com/minimal.example.com:sub": "system:serviceaccount:myapp:myotherserviceaccount"
+        }
+      },
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws-test:iam::123456789012:oidc-provider/discovery.example.com/minimal.example.com"
+      }
+    }
+  ],
+  "Version": "2012-10-17"
+}
diff --git a/..._cluster/irsa119/data/aws_iam_role_myserviceaccount.default.sa.minimal.example.com_policy b/..._cluster/irsa119/data/aws_iam_role_myserviceaccount.default.sa.minimal.example.com_policy
@@ -0,0 +1,17 @@
+{
+  "Statement": [
+    {
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "discovery.example.com/minimal.example.com:sub": "system:serviceaccount:default:myserviceaccount"
+        }
+      },
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws-test:iam::123456789012:oidc-provider/discovery.example.com/minimal.example.com"
+      }
+    }
+  ],
+  "Version": "2012-10-17"
+}
diff --git a/...er/irsa119/data/aws_iam_role_myserviceaccount.test-wildcard.sa.minimal.example.com_policy b/...er/irsa119/data/aws_iam_role_myserviceaccount.test-wildcard.sa.minimal.example.com_policy
@@ -0,0 +1,17 @@
+{
+  "Statement": [
+    {
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringLike": {
+          "discovery.example.com/minimal.example.com:sub": "system:serviceaccount:test-*:myserviceaccount"
+        }
+      },
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws-test:iam::123456789012:oidc-provider/discovery.example.com/minimal.example.com"
+      }
+    }
+  ],
+  "Version": "2012-10-17"
+}
diff --git a/tests/integration/update_cluster/irsa119/data/aws_iam_role_nodes.minimal.example.com_policy b/tests/integration/update_cluster/irsa119/data/aws_iam_role_nodes.minimal.example.com_policy
@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": { "Service": "ec2.amazonaws.com"},
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}