This kustomize setup deploys KIAM (agent, server, RBAC, certificate and a sample app).
- Change directory into any environment directory, e.g. `tst`, or specify the directory when using `kustomize`, e.g. `kustomize build directory_here`
- Run `kustomize build` to build the `yaml` and either output it to a file to apply later or pipe it into `kubectl`:
  - Output to a file: `kustomize build > kiam.yaml`
  - Pipe directly to `kubectl`: `kustomize build | kubectl apply -f -`
  - Using `kubectl`'s built-in `kustomize`: `kubectl apply -k .` (the `-k` flag takes the directory holding the `kustomization.yaml`)
    - Please note that the version of `kustomize` that ships with `kubectl` is likely to be behind the main release of `kustomize` and may not work
- Check that everything is running with `kubectl -n kiam get pods,certificate,secret,issuer`
- Create the IAM role called `kiam-server`.
- Enable a trust relationship between the newly created role and the instance role attached to the Kubernetes nodes that run the kiam server (the master pool in this setup, `<ARN_SERVER_MASTER_IAM_ROLE>`):
  - Go to the newly created role in the AWS console and select the `Trust relationships` tab
  - Click on `Edit trust relationship`
  - Add the following statement to the policy:
    ```json
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "<ARN_SERVER_MASTER_IAM_ROLE>" },
      "Action": "sts:AssumeRole"
    }
    ```
- Add an inline policy to the `kiam-server` role:
  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "sts:AssumeRole"
        ],
        "Resource": "*"
      }
    ]
  }
  ```
  `"Resource": "*"` lets the server assume every role in the account whose trust policy names it, so a compromised kiam server can reach all of them. Tightening `Resource` to the ARNs of your application roles (for example `arn:aws:iam::<ACCOUNT_ID>:role/app-role-*`) is the least-privilege choice.
- Create the IAM role (let's call it `app-role-*`) with appropriate access to AWS resources.
- Enable a trust relationship between the newly created role and the `kiam-server` role:
  - Go to the newly created role in the AWS console and select the `Trust relationships` tab
  - Click on `Edit trust relationship`
  - Add the following statement to the policy:
    ```json
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "<ARN_KIAM-SERVER_IAM_ROLE>" },
      "Action": "sts:AssumeRole"
    }
    ```
- Enable AssumeRole for the master pool IAM roles. Add the following as an inline policy to the master IAM roles:
  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "sts:AssumeRole"
        ],
        "Resource": "<ARN_KIAM-SERVER_IAM_ROLE>"
      }
    ]
  }
  ```
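The IAM steps above wire a three-hop chain: the node instance role assumes `kiam-server`, which in turn assumes each `app-role-*`. A hop only works when both halves are in place, the caller's permissions policy and the target's trust policy, and a missing trust statement is the usual reason the metadata endpoint later returns nothing. The following script is an added example (not part of this kustomize setup or of kiam): it models the policies from the steps above with constructed placeholder ARNs, checks both halves of each hop with IAM wildcard semantics, flags the `Resource: "*"` grant on `kiam-server`, and shows the scoped variant via `with_server_resource`. The account ID and role names are assumptions; only the Python standard library is used.

```python
"""Lint the IAM chain kiam relies on: node instance role -> kiam-server -> app-role-*.

Added example, not part of this kustomize setup or of kiam. Every hop needs two
halves: the caller's permissions policy must allow sts:AssumeRole on the target,
and the target's trust policy must name the caller as a principal. The ARNs are
constructed placeholders standing in for <ARN_SERVER_MASTER_IAM_ROLE> and
<ARN_KIAM-SERVER_IAM_ROLE>; account 123456789012 is an assumption."""
import copy
import fnmatch
import json

NODE_ROLE = "arn:aws:iam::123456789012:role/k8s-master-pool"     # constructed
KIAM_SERVER_ROLE = "arn:aws:iam::123456789012:role/kiam-server"  # constructed
APP_ROLE = "arn:aws:iam::123456789012:role/app-role-ssm"         # constructed


def _policy(statements):
    return {"Version": "2012-10-17", "Statement": statements}


def _assume(resource):
    return {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": resource}


def _trust(principal):
    return {"Sid": "", "Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}


# The policies the steps above create, keyed by role ARN. "trust" is the role's
# AssumeRolePolicyDocument, "inline" its permissions (inline) policy.
POLICIES = {
    NODE_ROLE: {"trust": _policy([_trust({"Service": "ec2.amazonaws.com"})]),
                "inline": _policy([_assume(KIAM_SERVER_ROLE)])},
    KIAM_SERVER_ROLE: {"trust": _policy([_trust({"AWS": NODE_ROLE})]),
                       "inline": _policy([_assume("*")])},  # as documented above
    APP_ROLE: {"trust": _policy([_trust({"AWS": KIAM_SERVER_ROLE})]),
               "inline": _policy([])},  # the application's own permissions go here
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold=False):
    """IAM wildcard match: '*' is any run, '?' one char.
    Actions are case-insensitive (fold=True); resource ARNs are not."""
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _grants_assume(stmt):
    return any(_matches(a, "sts:AssumeRole", fold=True) for a in _as_list(stmt.get("Action", [])))


def allows_assume(permissions_policy, target_arn):
    """True if the policy lets its holder call sts:AssumeRole on target_arn.
    An explicit Deny overrides any Allow, as in IAM evaluation."""
    allowed = denied = False
    for stmt in permissions_policy["Statement"]:
        if _grants_assume(stmt) and any(
                _matches(r, target_arn) for r in _as_list(stmt.get("Resource", []))):
            allowed |= stmt.get("Effect") == "Allow"
            denied |= stmt.get("Effect") == "Deny"
    return allowed and not denied


def trusts(trust_policy, caller_arn):
    """True if the trust policy names caller_arn (or '*') as an AWS principal for sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _grants_assume(stmt):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws or caller_arn in aws:
            return True
    return False


def check_hop(policies, caller_arn, target_arn):
    """Problems for the hop caller -> target; an empty list means the hop works."""
    problems = []
    if not allows_assume(policies[caller_arn]["inline"], target_arn):
        problems.append(f"{caller_arn} may not AssumeRole {target_arn}")
    if not trusts(policies[target_arn]["trust"], caller_arn):
        problems.append(f"{target_arn} does not trust {caller_arn}")
    return problems


def check_chain(policies, node_arn, server_arn, app_arn):
    """(problems, warnings): problems break the chain, warnings are over-broad grants."""
    problems = check_hop(policies, node_arn, server_arn) + check_hop(policies, server_arn, app_arn)
    warnings = [f"{server_arn}: sts:AssumeRole on Resource '*' lets the server assume any role "
                "that trusts it; scope it to the app role ARNs"
                for s in policies[server_arn]["inline"]["Statement"]
                if s.get("Effect") == "Allow" and _grants_assume(s)
                and "*" in _as_list(s.get("Resource", []))]
    return problems, warnings


def with_server_resource(policies, server_arn, resource):
    """Copy of policies with the kiam-server AssumeRole grant scoped to `resource`."""
    scoped = copy.deepcopy(policies)
    scoped[server_arn]["inline"] = _policy([_assume(resource)])
    return scoped


if __name__ == "__main__":
    scoped = with_server_resource(POLICIES, KIAM_SERVER_ROLE,
                                  "arn:aws:iam::123456789012:role/app-role-*")
    for label, pol in (("as documented", POLICIES), ("scoped", scoped)):
        problems, warnings = check_chain(pol, NODE_ROLE, KIAM_SERVER_ROLE, APP_ROLE)
        print(label, json.dumps({"problems": problems, "warnings": warnings}, indent=2))
```

Run as-is, the documented policies pass with one warning and the scoped variant passes clean. The `trust` and `inline` documents have the same shape as `AssumeRolePolicyDocument` from `aws iam get-role` and `PolicyDocument` from `aws iam get-role-policy`, so the real documents can be dropped into `POLICIES` to lint a live account before debugging the metadata endpoint.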
- Check that the sample app sees the role through the metadata endpoint (substitute the real pod name for `ssm-tst-*`; `kubectl` does not expand the glob):
  `kubectl -n tst exec -it ssm-tst-* -- curl http://169.254.169.254/latest/meta-data/iam/security-credentials/`
  You should get `app-role-*` as the response.
- Fetch the temporary credentials kiam issues for that role:
  `kubectl -n tst exec -it ssm-tst-* -- curl http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role-*`
- Exec into the pod and run
  `kubectl exec -it -n tst ssm-tst-* -- /bin/bash`
  - Returns details about the IAM identity whose credentials are used to call the API; the ARN should be an assumed-role ARN for `app-role-*`, not the node's instance role:
    `aws sts get-caller-identity`
  - Gets the value of a parameter:
    ```shell
    export AWS_DEFAULT_REGION="eu-central-1"
    aws ssm get-parameter --name "kiam-ssm-tst"
    ```