package v1alpha5
import (
"fmt"
"strings"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// AnnotationEKSRoleARN is the ServiceAccount annotation key under which an IAM
// role ARN is bound to a Kubernetes service account (the IRSA role annotation).
// SetAnnotations writes it from ClusterIAMServiceAccount.Status.RoleARN.
const AnnotationEKSRoleARN = "eks.amazonaws.com/role-arn"
// ClusterIAM holds all IAM attributes of a cluster: the roles eksctl uses or
// creates for the control plane and Fargate, the permissions boundaries applied
// to them, the OIDC/IRSA switch, and the IAM-backed service accounts to create.
type ClusterIAM struct {
	// ARN of an existing IAM role for the EKS control plane to use. Nothing in
	// this file creates or validates it; presumably a role is provisioned when
	// it is left unset — confirm in the cluster-creation code.
	// +optional
	ServiceRoleARN *string `json:"serviceRoleARN,omitempty"`
	// permissions boundary for all identity-based entities created by eksctl.
	// See [AWS Permission Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
	// A boundary caps the effective permissions of every role eksctl creates, so
	// it is the usual way to let eksctl create roles without letting those roles
	// exceed an organisation-wide ceiling. Where it is applied is outside this file.
	// +optional
	ServiceRolePermissionsBoundary *string `json:"serviceRolePermissionsBoundary,omitempty"`
	// role used by pods to access AWS APIs. This role is added to the Kubernetes RBAC for authorization.
	// See [Pod Execution Role](https://docs.aws.amazon.com/eks/latest/userguide/pod-execution-role.html)
	// +optional
	FargatePodExecutionRoleARN *string `json:"fargatePodExecutionRoleARN,omitempty"`
	// permissions boundary for the Fargate pod execution role. See [EKS Fargate Support](/usage/fargate-support/)
	// +optional
	FargatePodExecutionRolePermissionsBoundary *string `json:"fargatePodExecutionRolePermissionsBoundary,omitempty"`
	// enables the IAM OIDC provider as well as IRSA for the Amazon CNI plugin.
	// The OIDC provider is what lets the cluster's service-account tokens be
	// exchanged for IAM credentials; the IRSA-backed ServiceAccounts below
	// presumably depend on it (any such check lives outside this file).
	// +optional
	WithOIDC *bool `json:"withOIDC,omitempty"`
	// service accounts to create in the cluster.
	// See [IAM Service Accounts](/iamserviceaccounts/#usage-with-config-files)
	// +optional
	ServiceAccounts []*ClusterIAMServiceAccount `json:"serviceAccounts,omitempty"`
	// VPCResourceControllerPolicy attaches the IAM policy
	// necessary to run the VPC controller in the control plane
	// Defaults to `true` (the defaulting itself happens outside this file).
	// NOTE(review): the only field in this struct without a +optional marker,
	// although it is a nillable pointer with omitempty — confirm whether intended.
	VPCResourceControllerPolicy *bool `json:"vpcResourceControllerPolicy,omitempty"`
}
// ClusterIAMMeta holds information we can use to create ObjectMeta for service
// accounts. It is the subset of Kubernetes object metadata eksctl lets a user
// set for an IAM-backed service account; AsObjectMeta turns it into the
// metav1.ObjectMeta used when the ServiceAccount object is created.
type ClusterIAMMeta struct {
	// Name of the Kubernetes ServiceAccount. No defaulting or validation
	// happens in this file.
	// +optional
	Name string `json:"name,omitempty"`
	// Namespace of the ServiceAccount. Also not defaulted here; an empty value
	// shows up as a leading "/" in NameString.
	// +optional
	Namespace string `json:"namespace,omitempty"`
	// Labels to put on the ServiceAccount. Handed to the ObjectMeta by reference
	// (see AsObjectMeta), not copied.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
	// Annotations to put on the ServiceAccount. SetAnnotations adds the
	// eks.amazonaws.com/role-arn key here; the map is shared with the ObjectMeta
	// returned by AsObjectMeta rather than copied.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
}
// AsObjectMeta converts the IAM service-account metadata into the Kubernetes
// ObjectMeta used when the ServiceAccount object is created.
//
// Only Name, Namespace, Labels and Annotations are populated. The Labels and
// Annotations maps are handed over as-is rather than copied, so the returned
// ObjectMeta and this ClusterIAMMeta share them: if Annotations was non-nil
// when this ran, a later SetAnnotations on the owning service account is
// visible through the ObjectMeta obtained here, and vice versa.
func (iamMeta *ClusterIAMMeta) AsObjectMeta() metav1.ObjectMeta {
	var objectMeta metav1.ObjectMeta
	objectMeta.Name = iamMeta.Name
	objectMeta.Namespace = iamMeta.Namespace
	objectMeta.Labels = iamMeta.Labels
	objectMeta.Annotations = iamMeta.Annotations
	return objectMeta
}
// ClusterIAMServiceAccount holds an IAM service account metadata and configuration:
// the Kubernetes identity (embedded ClusterIAMMeta) and the IAM permissions that
// identity is granted through IRSA. Every permission-granting field below is
// user input that ends up as an IAM role definition, so it deserves the same
// least-privilege scrutiny as hand-written IAM.
type ClusterIAMServiceAccount struct {
	ClusterIAMMeta `json:"metadata,omitempty"`
	// list of ARNs of the IAM policies to attach. Nothing here checks them;
	// broad managed policies (e.g. *FullAccess) grant that access to every pod
	// running as this service account.
	// +optional
	AttachPolicyARNs []string `json:"attachPolicyARNs,omitempty"`
	// WellKnownPolicies selects from a curated set of policies whose definitions
	// live elsewhere (type not visible in this file). No +optional marker.
	WellKnownPolicies WellKnownPolicies `json:"wellKnownPolicies,omitempty"`
	// AttachPolicy holds a policy document to attach to this service account.
	// This is free-form policy JSON supplied by the config author; keep its
	// Action and Resource entries scoped to what the workload actually needs.
	// +optional
	AttachPolicy InlineDocument `json:"attachPolicy,omitempty"`
	// ARN of the role to attach to the service account. Presumably an existing
	// role used instead of creating one — how it interacts with the fields
	// above is decided outside this file. No +optional marker.
	AttachRoleARN string `json:"attachRoleARN,omitempty"`
	// ARN of the permissions boundary to associate with the service account's
	// role; caps whatever the attached policies grant.
	// +optional
	PermissionsBoundary string `json:"permissionsBoundary,omitempty"`
	// Status is filled in once the role exists (by code outside this file);
	// SetAnnotations reads Status.RoleARN from it.
	// +optional
	Status *ClusterIAMServiceAccountStatus `json:"status,omitempty"`
	// Specific role name instead of the Cloudformation-generated role name.
	// Role names are unique per AWS account, so a fixed name can collide with a
	// role created elsewhere; uniqueness is not checked here.
	// +optional
	RoleName string `json:"roleName,omitempty"`
	// Specify if only the IAM Service Account role should be created without creating/annotating the service account
	// +optional
	RoleOnly *bool `json:"roleOnly,omitempty"`
	// AWS tags for the service account
	// +optional
	Tags map[string]string `json:"tags,omitempty"`
}
// ClusterIAMServiceAccountStatus holds status of the IAM service account, i.e.
// the outcome of provisioning rather than user configuration.
type ClusterIAMServiceAccountStatus struct {
	// RoleARN is the ARN of the IAM role backing the service account. Set by
	// code outside this file; when non-nil, SetAnnotations copies it into the
	// eks.amazonaws.com/role-arn annotation.
	// +optional
	RoleARN *string `json:"roleARN,omitempty"`
}
// NameString returns the "<namespace>/<name>" identifier of the service account,
// the form that ClusterIAMServiceAccountNameStringToClusterIAMMeta parses back.
// No defaulting is applied: an unset Namespace yields "/<name>".
func (sa *ClusterIAMServiceAccount) NameString() string {
	parts := []string{sa.Namespace, sa.Name}
	return strings.Join(parts, "/")
}
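// ClusterIAMServiceAccountNameStringToClusterIAMMeta constructs ClusterIAMMeta
// from a "<namespace>/<name>" string, the form produced by
// ClusterIAMServiceAccount.NameString.
//
// The input must contain exactly one "/" and both halves must be non-empty. A
// service account is a namespaced object, so an empty namespace or name (as in
// "/foo", "foo/" or "/") cannot identify one; such inputs are rejected here
// rather than passed on as a half-filled ClusterIAMMeta. Only Name and
// Namespace are set on the result; Labels and Annotations stay nil.
//
// Returns an error quoting the offending input for any other shape.
func ClusterIAMServiceAccountNameStringToClusterIAMMeta(name string) (*ClusterIAMMeta, error) {
	nameParts := strings.Split(name, "/")
	// len != 2 also covers extra slashes ("a/b/c" splits into three parts).
	if len(nameParts) != 2 || nameParts[0] == "" || nameParts[1] == "" {
		return nil, fmt.Errorf("unexpected serviceaccount name format %q", name)
	}
	meta := &ClusterIAMMeta{
		Namespace: nameParts[0],
		Name:      nameParts[1],
	}
	return meta, nil
}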
// SetAnnotations sets the eks.amazonaws.com/role-arn annotation according to the
// IAM role used, taking the ARN from Status.RoleARN.
//
// The Annotations map is always ensured to exist, even when no role ARN is
// available yet. When Status and Status.RoleARN are both set, the annotation is
// written, overwriting any value the config author put under the same key;
// otherwise the map is left untouched apart from being allocated.
func (sa *ClusterIAMServiceAccount) SetAnnotations() {
	annotations := sa.Annotations
	if annotations == nil {
		annotations = map[string]string{}
		sa.Annotations = annotations
	}
	status := sa.Status
	if status == nil || status.RoleARN == nil {
		return
	}
	annotations[AnnotationEKSRoleARN] = *status.RoleARN
}