init commit

eks-kube2iam-clusterrolebinding.tf

+resource "kubernetes_cluster_role" "kube2iam_cluster_role" {
+  metadata {
+    name = "kube2iam-svc-acc"
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["namespaces", "pods", "configmaps", "nodes", "ingresses", "endpoints", "services"]
+    verbs      = ["get", "list", "watch", "create", "update"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "kube2iam_cluster_role_bind" {
+  metadata {
+    name = "kube2iam-svc-acc"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "kube2iam-svc-acc"
+  }
+
+  subject {
+    api_group = ""
+    kind      = "ServiceAccount"
+    name      = "kube2iam-svc-acc"
+    namespace = "kube-system"
+  }
+}

eks-kube2iam-serviceaccount.tf

+resource "kubernetes_service_account" "kube2iam_service_account" {
+  metadata {
+    name      = "kube2iam-svc-acc"
+    namespace = "kube-system"
+  }
+
+  automount_service_account_token = "true"
+}

eks-kube2iam.tf

-module "kubernetes_service" "kube2iam" {
+resource "kubernetes_daemonset" "kube2iam_daemonset" {
   metadata {
-    name = "kube2iam"
+    name      = "kube2iam"
+    namespace = "kube-system"
 
     labels {
-      App = "kube2iam-service"
+      app = "kube2iam"
     }
   }
 
-  type = "DaemonSet"
-
   spec {
-    container {
-      image = "${var.kube2iam-container}"
-      name  = "kube2iam-container"
+    selector {
+      match_labels {
+        app = "kube2iam"
+      }
     }
-  }
 
-  port {
-    port        = 8181
-    target_port = 8181
+    template {
+      metadata {
+        name = "kube2iam"
+
+        labels {
+          app = "kube2iam"
+        }
+      }
+
+      spec {
+        service_account_name = "kube2iam-svc-acc"
+        host_network         = true
+
+        container {
+          image             = "jtblin/kube2iam:0.10.6"
+          name              = "kube2iam-container"
+          image_pull_policy = "IfNotPresent"
+
+          args = ["--host-interface=eni+", "--default-role=eks-kube2iam-default-role", "--use-regional-sts-endpoint", "--iptables=true", "--auto-discover-base-arn", "--app-port=8181", "--host-ip=$(HOST_IP)"]
+
+          security_context {
+            privileged = "true"
+          }
+
+          env {
+            name = "HOST_IP"
+
+            value_from = {
+              field_ref = {
+                field_path = "status.podIP"
+              }
+            }
+          }
+
+          resources {
+            limits {
+              cpu    = "0.5"
+              memory = "512Mi"
+            }
+
+            requests {
+              cpu    = "250m"
+              memory = "50Mi"
+            }
+          }
+        }
+      }
+    }
   }
 }

iam.tf

+data "aws_iam_policy_document" "eks_worker" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "eks_worker" {
+  policy = "${data.aws_iam_policy_document.eks_worker.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "eks_worker" {
+  role       = "${var.worker_iam_role_name}"
+  policy_arn = "${aws_iam_policy.eks_worker.arn}"
+}
+
+data "aws_iam_policy_document" "default" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${var.worker_iam_role_arn}"]
+    }
+  }
+}
+
+resource "aws_iam_role" "default" {
+  name               = "eks-kube2iam-default-role"
+  assume_role_policy = "${data.aws_iam_policy_document.default.json}"
+}

variables.tf

-variable "kube2iam-container" {
-  default = "jtblin/kube2iam:latest"
-}
+variable "worker_iam_role_name" {}
+variable "worker_iam_role_arn" {}