Skip to content

Commit

Permalink
configure the kubernetes-hello workload to use the eks pod identity a…
Browse files Browse the repository at this point in the history
…uthentication
  • Loading branch information
rgl committed Apr 26, 2024
1 parent fdcd941 commit 432838f
Show file tree
Hide file tree
Showing 5 changed files with 62 additions and 3 deletions.
28 changes: 28 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ This will:
* Use [Secret](https://kubernetes.io/docs/concepts/configuration/secret/).
* Use [ServiceAccount](https://kubernetes.io/docs/concepts/security/service-accounts/).
* Use [Service Account token volume projection (a JSON Web Token and OpenID Connect (OIDC) ID Token)](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for the `https://example.com` audience.
* Use [Pod Identity authentication](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) to list the DNS Zones hosted in [Route 53](https://aws.amazon.com/route53/).
* Demonstrate how to automatically deploy the [`otel-example` workload](stacks/eks-workloads/otel-example.tf).
* Expose as a Kubernetes `Ingress` `Service`.
* Use a sub-domain in the DNS Zone.
Expand Down Expand Up @@ -301,6 +302,23 @@ while [ -z "$(dig +short "$kubernetes_hello_host")" ]; do sleep 5; done && dig "
wget -qO- "$kubernetes_hello_url"
```

**NB** If you do not see any DNS Zone being listed, most probably, the
race ([described in the Caveats section](#caveats)), was lost, and you need
to re-create the pods:

```bash
# delete the pods and wait for them to be re-deployed.
kubectl delete pods -l app=kubernetes-hello
kubectl rollout status deployment kubernetes-hello
# check whether the required Pod Identity environment variables are listed.
# they should be, at least, the following:
# AWS_CONTAINER_CREDENTIALS_FULL_URI
# AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
kubectl get pods -l app=kubernetes-hello -o yaml | grep -A 1 AWS_
# re-access the service. this time, you should see a "AWS DNS Zones" section.
wget -qO- "$kubernetes_hello_url"
```

Audit the `kubernetes-example` Ingress TLS implementation:

```bash
Expand Down Expand Up @@ -469,6 +487,16 @@ GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN' ./renovate.sh

# Caveats

* When configuring the Pod Identity with terraform, there's a race between
creating the `aws_eks_pod_identity_association` and `kubernetes_deployment_v1`
(and any resource that (in)directly creates Pods) resources. The created pod
ends up not having the required environment variables that allow it to
actually have a Pod Identity.
* When the Pod does not have the `AWS_CONTAINER_CREDENTIALS_FULL_URI` and
`AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` environment variables, you must
re-create the pod, and hope for the best.
* See [How EKS Pod Identity works](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-how-it-works.html).
* See https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity/issues/8
* After `terraform destroy`, the following resources will still remain in AWS:
* KMS Kubernetes cluster encryption key.
* It will be automatically deleted after 30 days (the default value
Expand Down
2 changes: 1 addition & 1 deletion config.tm.hcl
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ globals {
# see https://github.com/rgl/kubernetes-hello
name = "docker.io/ruilopes/kubernetes-hello"
# renovate: datasource=docker depName=ruilopes/kubernetes-hello
tag = "v0.0.0.202403171105-test"
tag = "v0.0.202404261745"
}
}
}
Expand Down
2 changes: 1 addition & 1 deletion stacks/ecr/_inputs.auto.tfvars
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ environment = "dev"
images = {
kubernetes-hello = {
name = "docker.io/ruilopes/kubernetes-hello"
tag = "v0.0.0.202403171105-test"
tag = "v0.0.202404261745"
}
otel-example = {
name = "ghcr.io/rgl/opentelemetry-dotnet-playground"
Expand Down
2 changes: 1 addition & 1 deletion stacks/eks-workloads/_inputs.auto.tfvars
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ region = "eu-west-1"
source_images = {
kubernetes-hello = {
name = "docker.io/ruilopes/kubernetes-hello"
tag = "v0.0.0.202403171105-test"
tag = "v0.0.202404261745"
}
otel-example = {
name = "ghcr.io/rgl/opentelemetry-dotnet-playground"
Expand Down
31 changes: 31 additions & 0 deletions stacks/eks-workloads/kubernetes-hello.tf
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,34 @@ resource "aws_route53_record" "kubernetes_hello_certificate_validation" {
zone_id = data.aws_route53_zone.ingress.zone_id
}

# see https://registry.terraform.io/modules/terraform-aws-modules/eks-pod-identity/aws
# see https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity
module "aws_eks_pod_identity_kubernetes_hello" {
source = "terraform-aws-modules/eks-pod-identity/aws"
version = "1.2.0"

name = "${data.aws_eks_cluster.eks.id}-${kubernetes_service_v1.kubernetes_hello.metadata[0].name}"
associations = {
kubernetes_hello = {
cluster_name = data.aws_eks_cluster.eks.id
namespace = "default"
service_account = kubernetes_service_v1.kubernetes_hello.metadata[0].name
}
}
attach_custom_policy = true
policy_statements = [
{
sid = "Route53"
actions = [
"route53:Get*",
"route53:List*",
"route53:TestDNSAnswer",
]
resources = ["*"]
}
]
}

# see https://kubernetes.io/docs/reference/access-authn-authz/rbac/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#role-v1-rbac-authorization-k8s-io
# see https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_v1
Expand Down Expand Up @@ -322,4 +350,7 @@ resource "kubernetes_deployment_v1" "kubernetes_hello" {
}
}
}
depends_on = [
module.aws_eks_pod_identity_kubernetes_hello,
]
}

0 comments on commit 432838f

Please sign in to comment.