Merge pull request #168 from dlom/release-4.14-rebase

OCPBUGS-21761: Backport the recent rebase to 4.14

.github/workflows/test.yaml

@@ -0,0 +1,17 @@
+name: test
+
+on: pull_request
+jobs:
+  test:
+    # this is to prevent the job to run at forked projects
+    if: github.repository == 'aws/amazon-eks-pod-identity-webhook'
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.19.x
+    - name: Checkout code
+      uses: actions/checkout@v2
+    - name: Test
+      run: go mod tidy && go mod vendor && go test ./...

.gitignore

@@ -1,7 +1,6 @@
 *.swp
 .idea
 amazon-eks-pod-identity-webhook
-deploy/mutatingwebhook-ca-bundle.yaml
 deploy/deployment.yaml
 build
 /certs/

Dockerfile

@@ -1,14 +1,11 @@
-FROM golang AS builder
+FROM --platform=$BUILDPLATFORM golang:1.19 AS builder
 
 WORKDIR $GOPATH/src/github.com/aws/amazon-eks-pod-identity-webhook
 COPY . ./
-RUN GOPROXY=direct CGO_ENABLED=0 GOOS=linux go build -o /webhook -v -a -installsuffix nocgo -ldflags="-buildid='' -w -s" .
+ARG TARGETOS TARGETARCH
+RUN GOPROXY=direct CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /webhook -v -a -ldflags="-buildid='' -w -s" .
 
-FROM scratch
-COPY ATTRIBUTIONS.txt /ATTRIBUTIONS.txt
+FROM --platform=$TARGETPLATFORM public.ecr.aws/eks-distro/kubernetes/go-runner:v0.13.0-eks-1-23-latest
 COPY --from=builder /webhook /webhook
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-EXPOSE 443
-VOLUME /etc/webhook
-ENTRYPOINT ["/webhook"]
-CMD ["--logtostderr"]
+ENTRYPOINT ["/go-runner"]
+CMD ["/webhook"]

Makefile

@@ -25,7 +25,7 @@ test:
 
 docker:
 	@echo 'Building image $(IMAGE)...'
-	docker build --no-cache -t $(IMAGE) .
+	docker buildx build --output=type=docker --platform linux/amd64 --no-cache -t $(IMAGE) .
 
 push: docker
 	if ! aws ecr get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY_ID).dkr.ecr.$(REGION).amazonaws.com; then \
@@ -70,30 +70,23 @@ cluster-up: deploy-config
 cluster-down: delete-config
 
 prep-config:
-	@echo 'Generating certs and deploying into active cluster...'
+	@echo 'Deploying into active cluster...'
 	cat deploy/deployment-base.yaml | sed -e "s|IMAGE|${IMAGE}|g" | tee deploy/deployment.yaml
-	cat deploy/mutatingwebhook.yaml | hack/webhook-patch-ca-bundle.sh > deploy/mutatingwebhook-ca-bundle.yaml
 
 deploy-config: prep-config
 	@echo 'Applying configuration to active cluster...'
 	kubectl apply -f deploy/auth.yaml
 	kubectl apply -f deploy/deployment.yaml
 	kubectl apply -f deploy/service.yaml
-	kubectl apply -f deploy/mutatingwebhook-ca-bundle.yaml
-	until kubectl get csr -o \
-		jsonpath='{.items[?(@.spec.username=="system:serviceaccount:default:pod-identity-webhook")].metadata.name}' | \
-		grep -m 1 "csr-"; \
-		do echo "Waiting for CSR to be created" && sleep 1 ; \
-	done
-	kubectl certificate approve $$(kubectl get csr -o jsonpath='{.items[?(@.spec.username=="system:serviceaccount:default:pod-identity-webhook")].metadata.name}')
+	kubectl apply -f deploy/mutatingwebhook.yaml
 
 delete-config:
 	@echo 'Tearing down mutating controller and associated resources...'
-	kubectl delete -f deploy/mutatingwebhook-ca-bundle.yaml
 	kubectl delete -f deploy/service.yaml
 	kubectl delete -f deploy/deployment.yaml
 	kubectl delete -f deploy/auth.yaml
-	kubectl delete secret pod-identity-webhook
+	kubectl delete -f deploy/mutatingwebhook.yaml
+	kubectl delete secret pod-identity-webhook-cert
 
 clean::
 	rm -rf ./amazon-eks-pod-identity-webhook

README.md

@@ -4,6 +4,12 @@
 
 This webhook is for mutating pods that will require AWS IAM access.
 
+## Note
+After version v0.3.0, `--in-cluster=true` no longer works and is deprecated.  Please use `--in-cluster=false`
+and manage the cluster certificate with cert-manager or some other external certificate provisioning system.
+This is because certificates using the `legacy-unknown` signer are no longer signed when using the v1
+certificates API.
+
 ## EKS Walkthrough
 
 1. [Create an OIDC provider][1] in IAM for your cluster. You can find the OIDC
@@ -137,11 +143,12 @@ When running a container with a non-root user, you need to give the container ac
 
 ```
 Usage of amazon-eks-pod-identity-webhook:
+      --add_dir_header                   If true, adds the file directory to the header
       --alsologtostderr                  log to standard error as well as files
       --annotation-prefix string         The Service Account annotation to look for (default "eks.amazonaws.com")
       --aws-default-region string        If set, AWS_DEFAULT_REGION and AWS_REGION will be set to this value in mutated containers
+      --enable-debugging-handlers        Enable debugging handlers. Currently /debug/alpha/cache is supported
       --in-cluster                       Use in-cluster authentication and certificate request API (default true)
-      --enable-debugging-handlers        Enable debugging handlers on the metrics port (http). Currently /debug/alpha/cache is supported (default false) [ALPHA]
       --kube-api string                  (out-of-cluster) The url to the API server
       --kubeconfig string                (out-of-cluster) Absolute path to the API server kubeconfig file
       --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
@@ -150,11 +157,11 @@ Usage of amazon-eks-pod-identity-webhook:
       --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
       --logtostderr                      log to standard error instead of files (default true)
       --metrics-port int                 Port to listen on for metrics and healthz (http) (default 9999)
-      --namespace string                 (in-cluster) The namespace name this webhook and the tls secret resides in (default "eks")
+      --namespace string                 (in-cluster) The namespace name this webhook, the TLS secret, and configmap resides in (default "eks")
       --port int                         Port to listen on (default 443)
       --service-name string              (in-cluster) The service name fronting this webhook (default "pod-identity-webhook")
       --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when openning log files
+      --skip_log_headers                 If true, avoid headers when opening log files
       --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
       --sts-regional-endpoint false      Whether to inject the AWS_STS_REGIONAL_ENDPOINTS=regional env var in mutated pods. Defaults to false.
       --tls-cert string                  (out-of-cluster) TLS certificate file path (default "/etc/webhook/certs/tls.crt")
@@ -166,6 +173,7 @@ Usage of amazon-eks-pod-identity-webhook:
   -v, --v Level                          number for the log level verbosity
       --version                          Display the version and exit
       --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
+      --watch-config-map                 Enables watching serviceaccounts that are configured through the pod-identity-webhook configmap instead of using annotations
 ```
 
 ### AWS_DEFAULT_REGION Injection
@@ -183,26 +191,61 @@ almost all cases, unless the STS regional endpoint is [disabled in your
 account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html).
 
 You can also enable this per-service account with the annotation
-`eks.amazonaws.com/sts-regional-endpoint` set to `"true"`.
+`eks.amazonaws.com/sts-regional-endpoints` set to `"true"`.
+
+### pod-identity-webhook ConfigMap
+
+The purpose of the `pod-identity-webhook` ConfigMap is to simplify the mapping of IAM roles and ServiceAccount
+when using tools/installers like [kOps](https://kops.sigs.k8s.io/) that directly manage IAM roles and trust policies. When using these tools,
+users do not need to configure annotations on the ServiceAccounts as the tools already know the relationship can relay it to the webhook.
+
+When the `watch-config-map` flag is set to `true`, the webhook will watch the
+`pod-identity-webhook` ConfigMap in the namespace configured by the `--namespace` flag
+for additional ServiceAccounts. The webhook will mutate Pods configured to use these
+ServiceAccounts even if they have no annotations.
+
+Should the same ServiceAccount both be referenced both in the ConfigMap and have annotations, the annotations takes presedence. 
+
+Here is an example ConfigMap:
+
+```
+apiVersion: v1
+data:
+  config: '{"default/myserviceaccount":{"RoleARN":"arn:aws-test:iam::123456789012:role/myserviceaccount.default.sa.minimal.example.com","Audience":"amazonaws.com","UseRegionalSTS":true,"TokenExpiration":0},"myapp/myotherserviceaccount":{"RoleARN":"arn:aws-test:iam::123456789012:role/myotherserviceaccount.myapp.sa.minimal.example.com","Audience":"amazonaws.com","UseRegionalSTS":true,"TokenExpiration":0},"test-*/myserviceaccount":{"RoleARN":"arn:aws-test:iam::123456789012:role/myserviceaccount.test-wildcard.sa.minimal.example.com","Audience":"amazonaws.com","UseRegionalSTS":true,"TokenExpiration":0}}'
+kind: ConfigMap
+metadata:
+  annotations:
+    prometheus.io/port: "443"
+    prometheus.io/scheme: https
+    prometheus.io/scrape: "true"
+  creationTimestamp: null
+  name: pod-identity-webhook
+  namespace: kube-system
+```
+
 
 ## Container Images
 
 Container images for amazon-eks-pod-identity-webhook can be found on [Docker Hub](https://hub.docker.com/r/amazon/amazon-eks-pod-identity-webhook).
 
 ## Installation
 
+### Pre-requisites
+
+You must install cert-manager as it is a pre-requisite for below deployments. (See [cert-manager installation](https://cert-manager.io/docs/installation/))
+
 ### In-cluster
 
-You can use the provided configuration files in the `deploy` directory, along with the provided `Makefile`
+You can use the provided configuration files in the `deploy` directory, along with the provided `Makefile`.
 
 ```
-make cluster-up IMAGE=amazon/amazon-eks-pod-identity-webhook:2db5e53
+make cluster-up IMAGE=amazon/amazon-eks-pod-identity-webhook:latest
 ```
 
 This will:
-* Create a service account, role, cluster-role, role-binding, and cluster-role-binding that will the deployment requires
-* Create the deployment, service, and mutating webhook in the cluster
-* Approve the CSR that the deployment created for its TLS serving certificate
+* Create a service account, role, cluster-role, role-binding, and cluster-role-binding that the deployment requires
+* Create the deployment, service, ClusterIssuer, certificate, and mutating webhook in the cluster
+* Use `in-cluster=false` so that the webhook reloads certificates from the filesystem rather than creating CSRs to request certificates (using CSRs is now deprecated and will not work versions later than v0.3.0).
 
 For self-hosted API server configuration, see see [SELF_HOSTED_SETUP.md](/SELF_HOSTED_SETUP.md)
 
@@ -219,3 +262,4 @@ See [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
 ## License
 Apache 2.0 - Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 See [LICENSE](LICENSE)
+

SELF_HOSTED_SETUP.md

@@ -53,7 +53,7 @@ if [ $_bucket_name == "None" ]; then
     fi
 fi
 echo "export S3_BUCKET=$S3_BUCKET"
-export HOSTNAME=s3-$AWS_REGION.amazonaws.com
+export HOSTNAME=s3.$AWS_REGION.amazonaws.com
 export ISSUER_HOSTPATH=$HOSTNAME/$S3_BUCKET
 ```
 
@@ -65,7 +65,7 @@ Lets create these:
 ```bash
 cat <<EOF > discovery.json
 {
-    "issuer": "https://$ISSUER_HOSTPATH/",
+    "issuer": "https://$ISSUER_HOSTPATH",
     "jwks_uri": "https://$ISSUER_HOSTPATH/keys.json",
     "authorization_endpoint": "urn:kubernetes:programmatic_authorization",
     "response_types_supported": [
@@ -162,6 +162,11 @@ From here, you can mostly follow the process in the [EKS
 documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
 and substitute the cluster issuer with `https://$ISSUER_HOSTPATH`.
 
+## Deploying the webhook
+
+Follow the steps in the [In-cluster installation](https://github.com/aws/amazon-eks-pod-identity-webhook#in-cluster) section to launch the webhook
+and its required resources in the cluster.
+
 ## Troubleshooting
 
 ### `Certificate request was not signed: timed out waiting for the condition` appears in the logs

deploy/deployment-base.yaml

@@ -28,17 +28,44 @@ spec:
             drop: [ "ALL" ]
         command:
         - /webhook
-        - --in-cluster
+        - --in-cluster=false
         - --namespace=default
         - --service-name=pod-identity-webhook
-        - --tls-secret=pod-identity-webhook
         - --annotation-prefix=eks.amazonaws.com
         - --token-audience=sts.amazonaws.com
         - --logtostderr
         volumeMounts:
-        - name: webhook-certs
-          mountPath: /var/run/app/certs
-          readOnly: false
+        - name: cert
+          mountPath: "/etc/webhook/certs"
+          readOnly: true
       volumes:
-      - name: webhook-certs
-        emptyDir: {}
+      - name: cert
+        secret:
+          secretName: pod-identity-webhook-cert
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pod-identity-webhook
+  namespace: default
+spec:
+  secretName: pod-identity-webhook-cert
+  commonName: "pod-identity-webhook.default.svc"
+  dnsNames:
+  - "pod-identity-webhook"
+  - "pod-identity-webhook.default"
+  - "pod-identity-webhook.default.svc"
+  - "pod-identity-webhook.default.svc.local"
+  isCA: true
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer

deploy/mutatingwebhook.yaml

@@ -1,20 +1,22 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: pod-identity-webhook
   namespace: default
+  annotations:
+    cert-manager.io/inject-ca-from: default/pod-identity-webhook
 webhooks:
 - name: pod-identity-webhook.amazonaws.com
   failurePolicy: Ignore
-  sideEffects: None
   clientConfig:
     service:
       name: pod-identity-webhook
       namespace: default
       path: "/mutate"
-    caBundle: ${CA_BUNDLE}
   rules:
   - operations: [ "CREATE" ]
     apiGroups: [""]
     apiVersions: ["v1"]
     resources: ["pods"]
+  sideEffects: None
+  admissionReviewVersions: ["v1beta1"]