From 432838f5ec88f44f7083cbed845d51498c37fec0 Mon Sep 17 00:00:00 2001 From: Rui Lopes Date: Fri, 26 Apr 2024 21:08:08 +0100 Subject: [PATCH] configure the kubernetes-hello workload to use the eks pod identity authentication --- README.md | 28 +++++++++++++++++++++ config.tm.hcl | 2 +- stacks/ecr/_inputs.auto.tfvars | 2 +- stacks/eks-workloads/_inputs.auto.tfvars | 2 +- stacks/eks-workloads/kubernetes-hello.tf | 31 ++++++++++++++++++++++++ 5 files changed, 62 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 30d01a1..e9200dd 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,7 @@ This will: * Use [Secret](https://kubernetes.io/docs/concepts/configuration/secret/). * Use [ServiceAccount](https://kubernetes.io/docs/concepts/security/service-accounts/). * Use [Service Account token volume projection (a JSON Web Token and OpenID Connect (OIDC) ID Token)](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for the `https://example.com` audience. + * Use [Pod Identity authentication](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) to list the DNS Zones hosted in [Route 53](https://aws.amazon.com/route53/). * Demonstrate how to automatically deploy the [`otel-example` workload](stacks/eks-workloads/otel-example.tf). * Expose as a Kubernetes `Ingress` `Service`. * Use a sub-domain in the DNS Zone. @@ -301,6 +302,23 @@ while [ -z "$(dig +short "$kubernetes_hello_host")" ]; do sleep 5; done && dig " wget -qO- "$kubernetes_hello_url" ``` +**NB** If you do not see any DNS Zone being listed, most probably, the +race ([described in the Caveats section](#caveats)), was lost, and you need +to re-create the pods: + +```bash +# delete the pods and wait for them to be re-deployed. +kubectl delete pods -l app=kubernetes-hello +kubectl rollout status deployment kubernetes-hello +# check whether the required Pod Identity environment variables are listed. +# they should be, at least, the following: +# AWS_CONTAINER_CREDENTIALS_FULL_URI +# AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE +kubectl get pods -l app=kubernetes-hello -o yaml | grep -A 1 AWS_ +# re-access the service. this time, you should see a "AWS DNS Zones" section. +wget -qO- "$kubernetes_hello_url" +``` + Audit the `kubernetes-example` Ingress TLS implementation: ```bash @@ -469,6 +487,16 @@ GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN' ./renovate.sh # Caveats +* When configuring the Pod Identity with terraform, there's a race between + creating the `aws_eks_pod_identity_association` and `kubernetes_deployment_v1` + (and any resource that (in)directly creates Pods) resources. The created pod + ends up not having the required environment variables that allow it to + actually have a Pod Identity. + * When the Pod does not have the `AWS_CONTAINER_CREDENTIALS_FULL_URI` and + `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` environment variables, you must + re-create the pod, and hope for the best. + * See [How EKS Pod Identity works](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-how-it-works.html). + * See https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity/issues/8 * After `terraform destroy`, the following resources will still remain in AWS: * KMS Kubernetes cluster encryption key. * It will be automatically deleted after 30 days (the default value diff --git a/config.tm.hcl b/config.tm.hcl index 0f8d4f4..a66e10d 100644 --- a/config.tm.hcl +++ b/config.tm.hcl @@ -29,7 +29,7 @@ globals { # see https://github.com/rgl/kubernetes-hello name = "docker.io/ruilopes/kubernetes-hello" # renovate: datasource=docker depName=ruilopes/kubernetes-hello - tag = "v0.0.0.202403171105-test" + tag = "v0.0.202404261745" } } } diff --git a/stacks/ecr/_inputs.auto.tfvars b/stacks/ecr/_inputs.auto.tfvars index 20dd98e..ae5e688 100644 --- a/stacks/ecr/_inputs.auto.tfvars +++ b/stacks/ecr/_inputs.auto.tfvars @@ -4,7 +4,7 @@ environment = "dev" images = { kubernetes-hello = { name = "docker.io/ruilopes/kubernetes-hello" - tag = "v0.0.0.202403171105-test" + tag = "v0.0.202404261745" } otel-example = { name = "ghcr.io/rgl/opentelemetry-dotnet-playground" diff --git a/stacks/eks-workloads/_inputs.auto.tfvars b/stacks/eks-workloads/_inputs.auto.tfvars index 7de5def..380aaef 100644 --- a/stacks/eks-workloads/_inputs.auto.tfvars +++ b/stacks/eks-workloads/_inputs.auto.tfvars @@ -8,7 +8,7 @@ region = "eu-west-1" source_images = { kubernetes-hello = { name = "docker.io/ruilopes/kubernetes-hello" - tag = "v0.0.0.202403171105-test" + tag = "v0.0.202404261745" } otel-example = { name = "ghcr.io/rgl/opentelemetry-dotnet-playground" diff --git a/stacks/eks-workloads/kubernetes-hello.tf b/stacks/eks-workloads/kubernetes-hello.tf index 27f0c48..f733b3d 100644 --- a/stacks/eks-workloads/kubernetes-hello.tf +++ b/stacks/eks-workloads/kubernetes-hello.tf @@ -43,6 +43,34 @@ resource "aws_route53_record" "kubernetes_hello_certificate_validation" { zone_id = data.aws_route53_zone.ingress.zone_id } +# see https://registry.terraform.io/modules/terraform-aws-modules/eks-pod-identity/aws +# see https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity +module "aws_eks_pod_identity_kubernetes_hello" { + source = "terraform-aws-modules/eks-pod-identity/aws" + version = "1.2.0" + + name = "${data.aws_eks_cluster.eks.id}-${kubernetes_service_v1.kubernetes_hello.metadata[0].name}" + associations = { + kubernetes_hello = { + cluster_name = data.aws_eks_cluster.eks.id + namespace = "default" + service_account = kubernetes_service_v1.kubernetes_hello.metadata[0].name + } + } + attach_custom_policy = true + policy_statements = [ + { + sid = "Route53" + actions = [ + "route53:Get*", + "route53:List*", + "route53:TestDNSAnswer", + ] + resources = ["*"] + } + ] +} + # see https://kubernetes.io/docs/reference/access-authn-authz/rbac/ # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#role-v1-rbac-authorization-k8s-io # see https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_v1 @@ -322,4 +350,7 @@ resource "kubernetes_deployment_v1" "kubernetes_hello" { } } } + depends_on = [ + module.aws_eks_pod_identity_kubernetes_hello, + ] }