This chart will install the Amazon EKS Pod Identity Webhook. This tool allows you to specify IAM Roles for Kubernetes Service Accounts. This allows a pod to assume a IAM role.
Further details can be found here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
This chart can generate certificate using helm genCA
OR
It may ask the webhook server to generate one with CSR Kubernetes feature
- Kubernetes 1.12+
For those who are not using EKS, please take a look at https://registry.terraform.io/modules/int128/kubernetes-irsa/aws/latest
You first need to retrieve ca.crt from your cluster as this is used as a value for the chart:
secret_name=$(kubectl get sa default -o jsonpath='{.secrets[0].name}')
export CA_BUNDLE=$(kubectl get secret/$secret_name -o jsonpath='{.data.ca\.crt}' | tr -d '\n')Then install the chart:
pod-identity-webhook with only 1 replica to avoid creating as much CSR as replica count whereas only 1 CSR approval is required.
helm upgrade -i pod-identity-webhook eks/aws-pod-identity-webhook \
--namespace kube-system --set caBundle="${CA_BUNDLE}" --set replicas=1After installation you need to approve the certificate. Follow the chart notes after installation for this step.
The webhook will request a new CSR prior to expiration. This new CSR will also need to be manually approved.
When the value prometheus-operator.enable_alerting_rule is true, an alert is triggered when a CSR approvment is pending.
Then approve the certificate:
kubectl certificate approve $(kubectl get csr -o jsonpath='{.items[?(@.spec.username=="system:serviceaccount:kube-system:pod-identity-webhook")].metadata.name}')After this step, a secret named after the value .tlsSecretName (default pod-identity-webhook) must have been created.
kubectl get secret -n kube-system pod-identity-webhook -o json | jq -r '.data."tls.crt"' | base64 -d | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
...
Issuer: CN = kubernetes
Validity
Not Before: Jul 31 10:09:00 2020 GMT
Not After : Jul 31 10:09:00 2021 GMT
Subject: CN = pod-identity-webhook.kube-system.svc
...For macos user,
kubectl get secret -n kube-system pod-identity-webhook -o json | jq -r '.data."tls.crt"' | base64 -D | openssl x509 -text -noout
⚠️ See theNot Afterdate, This certificate has a one year validity. If you enable valuesprometheus_operator.enable_service_monitorandprometheus-operator.enable_alerting_rule, a Prometheus alert rule is set.
TODO: How to renew this certificate ? Is there a new certificate emit and which must be approved ?
To delete the chart:
helm delete --purge pod-identity-webhook
kubectl delete secret -n kube-system pod-identity-webhook # `pod-identity-webhook` must be the value if `.tlsSecretName`
# Delete the CSR
kubectl delete csr -o jsonpath="{.items[?(@.spec.username=='system:serviceaccount:${HELM_NAMESPACE}:pod-identity-webhook')].metadata.name}"The following table lists the configurable parameters for this chart and their default values.
| Parameter | Description | Default |
|---|---|---|
tlsSecretName |
Name of the secret containing the | pod-identity-webhook |
annotationPrefix |
Prefix for annotation | eks.amazonaws.com |
tokenAudience |
Token audience | sts.amazonaws.com |
caBundle |
CA cert bundle data | None. Must be provided on chart install |
image.repository |
Image repository | xxxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/eks/pod-identity-webhook |
image.tag |
Image tag | latest |
image.pullPolicy |
Container pull policy | IfNotPresent |
replicas |
Number of deployment replicas | 3 |
fullnameOverride |
Override the fullname of the chart | nil |
nameOverride |
Override the name of the chart | nil |
priorityClassName |
Set a priority class for pods | nil |
resources.requests.cpu |
pod CPU request | 100m |
resources.requests.memory |
pod memory request | 64Mi |
resources.limits.cpu |
pod CPU limit | 2000m |
resources.limits.memory |
pod memory limit | 1Gi |
nodeSelector |
Node labels for pod assignment | {} |
tolerations |
Optional deployment tolerations | [] |
affinity |
Map of node/pod affinities | {} |
prometheus_operator.enable_alerting_rule |
Deploy Promtheus Operator Alerting rule | true |
prometheus_operator.enable_service_monitor |
Enable metrics scraping with via ServiceMonitor | {} |
generateAdmissionControllerCerts |
Auto-generate TLS certificates for admission controller. | false |
admissionControllerCert |
Manually set admission controller certificate. | Unset |
admissionControllerKey |
Manually set admission controller key. | Unset |
Specify each parameter using the --set key=value[,key=value] argument to helm install or provide a YAML file containing the values for the above parameters:
helm update -i pod-identity-webhook eks/aws-pod-identity-webhook --namespace kube-system --values values.yamlThere is 3 solutions supported by this chart.
To use Kubernetes CA, you just need to set generateAdmissionControllerCerts to false. And then, at initial installation, you need to approve the CSR as describe above.
For a fully automated certificate generation (certs expires in 10 years with this method):
generateAdmissionControllerCerts must be true. Then caBundle, admissionControllerCert, admissionControllerKey will be populated automatically.
For manual certificate, generateAdmissionControllerCerts must be false and then you must provide caBundle, admissionControllerCert, admissionControllerKey.
This chart has been created for eks-chart official Helm repository and for CNCF Helm official repo, which never got published.
helm/charts#17099 aws/eks-charts#28
we have adapted it to our needs.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent