
Amazon S3: buckets with IAM role for K8s service accounts #27

Merged (10 commits) Jul 28, 2020

Conversation

copelco
Member

@copelco copelco commented Jul 17, 2020

Add optional support for enabling a Kubernetes service account and associated IAM role that defines the access to public and private S3 buckets for each environment. This provides functionality similar to EC2 instance profiles within Kubernetes namespaces.

At a high level, the process is:

  1. Create environment-specific public and private S3 buckets
  2. Enable IAM roles for cluster service accounts
    • Requirement: eksctl must be installed
  3. Create an IAM role with a trust relationship and S3 policy for a service account
  4. Annotate the service account with the ARN of the IAM role
  5. Pods have read/write access to buckets w/o access keys

The securityContext also had to be updated so that non-root users could access the token on the filesystem in the container per this solution.

I debated whether or not this should exist here or within ansible-role-k8s-web-cluster. I ended up settling on here due to the re-use of environment-specific variables. However, it certainly touches on both projects and I am open to suggestions.
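Steps 3 and 4 of the process above, as an added example that is not part of this PR or of the Ansible role itself: it builds the trust relationship and the S3 policy as Python dicts (rendering them with `json.dumps` sidesteps the trailing-comma problem of hand-written JSON templates) and checks that the trust policy is pinned to exactly one namespace and service account. The account id, OIDC issuer, namespace and service account name are constructed placeholders.

```python
# Constructed sample values: a real deployment takes the OIDC issuer from the
# cluster (eksctl prints it) and the names from the environment-specific vars.
ACCOUNT_ID = "123456789012"
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
NAMESPACE = "myproject-staging"
SERVICE_ACCOUNT = "myproject"


def trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust relationship: only the named service account, presenting a token
    issued by this cluster's OIDC provider, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{oidc_issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def s3_policy(*buckets):
    """Read/write access limited to the environment's buckets and their objects."""
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": bucket_arns},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"{arn}/*" for arn in bucket_arns]},
        ],
    }


def trust_is_scoped(policy, namespace, service_account):
    """True only if every statement pins `sub` to exactly this service account.
    A missing or wildcard `sub` would let any pod in the cluster assume the role."""
    expected = f"system:serviceaccount:{namespace}:{service_account}"
    for stmt in policy["Statement"]:
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if [v for k, v in conds.items() if k.endswith(":sub")] != [expected]:
            return False
    return True
```

The role ARN produced from these documents is what step 4 puts in the `eks.amazonaws.com/role-arn` annotation on the service account.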

@copelco copelco requested review from tobiasmcnulty and vkurup July 20, 2020 15:07
Contributor

@vkurup vkurup left a comment


Looks good to me, though I haven't tried it out. Good question about which repo this should live in, but I agree with your thought process, and separating it from the main deploy.yaml script makes sense to me. How does this work with the existing CloudFormation code we have to make S3 buckets? Seems like we'd be duplicating that work. Or does it work just to manually specify k8s_public_bucket and k8s_private_bucket to match the values that CloudFormation created for us?

README.rst Outdated
Amazon S3: IAM role for service accounts
````````````````````````````````````````

Django applications running on AWS typically use Amazon S3 for static and media
Contributor


Maybe just say "web applications" because of #26 :)

Member Author


done!

region: "{{ k8s_s3_region }}"
encryption: AES256

# Not available via Ansible module as of 7/2020
Contributor


Bummer :( I've subscribed to the relevant github issue...

],
"Resource": [
"arn:aws:s3:::{{ k8s_s3_public_bucket }}",
"arn:aws:s3:::{{ k8s_s3_private_bucket }}",
Contributor


Not sure how strict these have to be but JSON doesn't allow trailing commas.

Member Author


done!
