From 9f91146e44b7dfce9207f6761e32d994a15f70d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johannes=20W=C3=BCrbach?=
Date: Sat, 21 Apr 2018 00:28:24 +0200
Subject: [PATCH] Configurable task role

Configurable task role via `iam.amazonaws.com/role`, which is also used by kube2iam.
---
 providers/aws/fargate/cluster.go | 3 +++
 providers/aws/fargate/pod.go | 22 +++++++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/providers/aws/fargate/cluster.go b/providers/aws/fargate/cluster.go
index 51402a817..2aec94e65 100644
--- a/providers/aws/fargate/cluster.go
+++ b/providers/aws/fargate/cluster.go
@@ -221,6 +221,9 @@ func (c *Cluster) loadPodState() error {
 pod.uid = k8sTypes.UID(*task.StartedBy)
 pod.taskDefArn = *task.TaskDefinitionArn
 pod.taskArn = *task.TaskArn
+ if taskDef.TaskRoleArn != nil {
+ pod.taskRoleArn = *taskDef.TaskRoleArn
+ }
 pod.taskStatus = *task.LastStatus
 pod.taskRefreshTime = time.Now()
diff --git a/providers/aws/fargate/pod.go b/providers/aws/fargate/pod.go
index f106f59df..4bab6bf75 100644
--- a/providers/aws/fargate/pod.go
+++ b/providers/aws/fargate/pod.go
@@ -33,6 +33,9 @@ const (
 // Reason used for task state changes.
 taskGenericReason = "Initiated by user"
+
+ // Annotation to configure the task role.
+ taskRoleAnnotation = "iam.amazonaws.com/role"
 )
 // Pod is the representation of a Kubernetes pod in Fargate.
@@ -46,6 +49,7 @@ type Pod struct {
 cluster *Cluster
 taskDefArn string
 taskArn string
+ taskRoleArn string
 taskStatus string
 taskRefreshTime time.Time
 taskCPU int64
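Review bot: The comment on `taskRoleAnnotation` in the pod.go const hunk says only that it configures the task role; it should state what the value is used for, since the annotation's value is forwarded unchanged as the task definition's `TaskRoleArn` in NewPod and, per the commit message, the key is the one kube2iam also reads. Suggested replacement for the comment line: `// taskRoleAnnotation is the pod annotation whose value is passed unchanged as the task definition's TaskRoleArn; the key is shared with kube2iam.` The struct-field hunk that follows needs no change.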
@@ -104,6 +108,11 @@ func NewPod(cluster *Cluster, pod *corev1.Pod) (*Pod, error) {
 taskDef.Cpu = aws.String(strconv.Itoa(int(fgPod.taskCPU)))
 taskDef.Memory = aws.String(strconv.Itoa(int(fgPod.taskMemory)))
+ if val, ok := pod.Annotations[taskRoleAnnotation]; ok {
+ taskDef.TaskRoleArn = aws.String(val)
+ fgPod.taskRoleArn = *taskDef.TaskRoleArn
+ }
+
 // Register the task definition with Fargate.
 log.Printf("RegisterTaskDefinition input:%+v", taskDef)
 output, err := api.RegisterTaskDefinition(taskDef)
@@ -372,15 +381,22 @@ func (pod *Pod) getSpec(task *ecs.Task) (*corev1.Pod, error) {
 containers = append(containers, cntr)
 }
+ annotations := make(map[string]string)
+
+ if pod.taskRoleArn != "" {
+ annotations[taskRoleAnnotation] = pod.taskRoleArn
+ }
+
 podSpec := corev1.Pod{
 TypeMeta: metav1.TypeMeta{
 Kind: "Pod",
 APIVersion: "v1",
 },
 ObjectMeta: metav1.ObjectMeta{
- Namespace: pod.namespace,
- Name: pod.name,
- UID: pod.uid,
+ Namespace: pod.namespace,
+ Name: pod.name,
+ UID: pod.uid,
+ Annotations: annotations,
 },
 Spec: corev1.PodSpec{
 NodeName: pod.cluster.nodeName,
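Review bot: In the NewPod hunk the role value is read from a pod annotation and handed to RegisterTaskDefinition as TaskRoleArn with no check at all, so anyone who can set annotations on a pod scheduled to this node selects the IAM role the task runs under; the only remaining gate is whatever iam:PassRole permission the provider's own credentials carry, and that trust boundary deserves a comment on the new block. The block should also reject an empty value: as written, an annotation set to `""` still registers the definition with an empty TaskRoleArn (whether ECS accepts that is not visible here) while getSpec later in this file omits the annotation because it tests `pod.taskRoleArn != ""`, so the two sides disagree. `fgPod.taskRoleArn = *taskDef.TaskRoleArn` merely re-reads `val`. Suggested: `if val, ok := pod.Annotations[taskRoleAnnotation]; ok && val != "" {` / `taskDef.TaskRoleArn = aws.String(val)` / `fgPod.taskRoleArn = val`. NewPod starts and ends outside the hunk.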
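Review bot: In the getSpec hunk `annotations` is allocated on every call even when there is no role to report, and the following `if` fills it in exactly one case; `var annotations map[string]string` with `annotations = map[string]string{taskRoleAnnotation: pod.taskRoleArn}` inside the `if` says the same thing without the empty map, and leaves ObjectMeta.Annotations nil in the no-role case as it was before this change. It is also worth a one-line comment above the block that only the task-role annotation is reconstructed here from the Pod's own state, so a reader does not expect the original pod's other annotations to round-trip. getSpec begins and continues outside the hunk.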