crossplane-iam-pod-role
Crossplane Iam Pod Role
crossplane-iam-pod-role is a kubernetes chart that is an aggregation of crossplane crd manifests with service account.
It allows for k8s applications to manage and create their own Aws cloud permissions. It uses Crossplane as its main crd manifests, an Aws OIDC identity provider is the natively Eks way of assuming Aws Iam roles, we combine both into 1 easy single helm chart for utilize the permissions.
Prerequisite of this chart
- Please follow the Oidc provider docs and install it into your cluster
- Please follow the Crossplane docs and install it into your cluster.
once installed, make sure to add Iam full permissions to your ProviderConfig.
Install using Helm chart
- Configure the below values
# -- # Defines the role name prefix. # -- # Part of the iam role/policy name that will be created role_name_prefix: "crossplane-eks-" # -- # Defines the pod name that will assume the permissions. # -- # Part of the iam role/policy name that will be created pod_name: "my-pod-name" # -- # Defines the cluster name that we are using. # -- # Part of the iam role/policy name that will be created cluster_name: "my-cluster-name" # -- # Defines the service account that will be created service_account: create: true # -- # Defines the imagePullSecrets atributes for the service account. (not required) imagePullSecrets: - name: my-secret # -- # Aws configurations # -- # Aws account id for the Iam role trust relationship policy aws_account_id: "1234567890" # -- # Aws Eks openId connect id for the Iam role trust relationship policy aws_eks_openId_connect_number: "1111111111222222222GGGGGGGGGPPPPPPPPPP" # -- # Aws region for the Iam role trust relationship policy aws_region: eu-west-1 # -- # Defines the Iam policies that will be created and attached to the Iam role policies: policydocument1: { "Id": "crossplane-eks-policydocument1", "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:CreateServiceLinkedRole" ], "Condition": { "StringEquals": { "iam:AWSServiceName": [ "elasticloadbalancing.amazonaws.com" ] } }, "Effect": "Allow", "Resource": "*", "Sid": "" } ] } policydocument2: { "Id": "crossplane-eks-policydocument2", "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:CreateServiceLinkedRole" ], "Condition": { "StringEquals": { "iam:AWSServiceName": [ "elasticloadbalancing.amazonaws.com" ] } }, "Effect": "Allow", "Resource": "*", "Sid": "" } ] } # -- # Defines the name of the crossplane provider-config, # -- # which should be predefined with Iam full access # -- # for more info, look at aws-provider docs below provider_config_name: aws-provider # -- # Iam role and policies Aws tags tags: Component: k8s Environment: dev ManageBy: crossplane-my-cluster Name: crossplane-k8s-my-pod Team: RND Type: Platform -
Install latest version of crossplane-iam-pod-role helm chart
$ helm repo add crossplane-iam-pod-role https://explorium-ai.github.io/crossplane-iam-pod-role/ $ helm repo update $ helm install crossplane-iam-pod-role/crossplane-iam-pod-role -f values.yamlContributing
Please read CONTRIBUTING.md for details on the process for submitting pull requests.
Code of Conduct
Please read CODE_OF_CONDUCT.md for details on our code of conduct, and how to report violations.
License
This project is licensed under the Apache 2.0 License - see the LICENSE file for details