Create role for kubernetes admin and use this with heptio and kubeconfig

eb0b09a7 · Chris Merrett · f70b6936 · eb0b09a7 · eb0b09a7 · eb0b09a7
Commit eb0b09a7 authored Jun 22, 2018 by Chris Merrett
Showing with 34 additions and 1 deletion

cluster.tf cluster.tf +6 -0

data.tf data.tf +22 -1

config-map-aws-auth.yaml.tpl templates/config-map-aws-auth.yaml.tpl +4 -0

kubeconfig.tpl templates/kubeconfig.tpl +2 -0

No files found.
--- a/cluster.tf
+++ b/cluster.tf
@@ -55,3 +55,9 @@ resource "aws_iam_role_policy_attachment" "masters_service_policy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
  role       = "${aws_iam_role.masters.name}"
 }
+
+resource "aws_iam_role" "admin" {
+  name = "${var.cluster_name}-eks-kubernetes-admin"
+
+  assume_role_policy = "${data.aws_iam_policy_document.admin.json}"
+}
--- a/data.tf
+++ b/data.tf
 data "aws_region" "current" {}

+data "aws_caller_identity" "current" {}
+
 data "aws_iam_policy_document" "masters" {
  statement {
    actions = [
@@ -42,6 +44,23 @@ data "aws_iam_policy_document" "workers" {
  }
 }

+data "aws_iam_policy_document" "admin" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/Steamhaus",
+      ]
+    }
+  }
+}
+
 data "template_file" "kubeconfig" {
  template = "${file("${path.module}/templates/kubeconfig.tpl")}"

@@ -50,6 +69,7 @@ data "template_file" "kubeconfig" {
    endpoint            = "${aws_eks_cluster.cluster.endpoint}"
    region              = "${data.aws_region.current.name}"
    cluster_auth_base64 = "${aws_eks_cluster.cluster.certificate_authority.0.data}"
+    admin_role_arn      = "${aws_iam_role.admin.arn}"
  }
 }

@@ -57,7 +77,8 @@ data "template_file" "config_map_aws_auth" {
  template = "${file("${path.module}/templates/config-map-aws-auth.yaml.tpl")}"

  vars {
-    role_arn = "${aws_iam_role.workers.arn}"
+    role_arn       = "${aws_iam_role.workers.arn}"
+    admin_role_arn = "${aws_iam_role.admin.arn}"
  }
 }


--- a/templates/config-map-aws-auth.yaml.tpl
+++ b/templates/config-map-aws-auth.yaml.tpl
@@ -10,3 +10,7 @@ data:
      groups:
        - system:bootstrappers
        - system:nodes
+    - rolearn: ${admin_role_arn}
+      username: kubernetes-admin
+      groups:
+        - system:masters
--- a/templates/kubeconfig.tpl
+++ b/templates/kubeconfig.tpl
@@ -25,3 +25,5 @@ users:
        - "token"
        - "-i"
        - "${cluster_name}"
+        - "-r"
+        - "${admin_role_arn}"