diff --git a/patterns/cluster-admin/teams.tf b/patterns/cluster-admin/teams.tf
index 3646411..0e0af40 100644
--- a/patterns/cluster-admin/teams.tf
+++ b/patterns/cluster-admin/teams.tf
@@ -1,5 +1,5 @@
 ################################################################################
-# EKS Multi-Tenancy Module
+# EKS Blueprints Teams Module - Cluster Admin
 ################################################################################
 
 module "admin_team" {
diff --git a/patterns/development-team/README.md b/patterns/development-team/README.md
index 523f7cd..e3bf9dc 100644
--- a/patterns/development-team/README.md
+++ b/patterns/development-team/README.md
@@ -1,17 +1,35 @@
-# Amazon EKS Blueprints Teams - Complete
+# Amazon EKS Blueprints Teams - Namespaced Admin
 
-Configuration in this directory creates:
+This example shows how to create a team with privileges restricted to the Namespaces it owns, allowing to specify fine grained permissions and resource access through the definition of Role's Resources, Verbs and API Groups using Kubernetes constructs, and also define LimitRanges, ResourceQuotas, amd NetworkPolicies. In this example, teams will have *read-only* access to list Namespaces and Nodes.
+
+- RBAC Authorization [documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
+- Namespaced vs. non-Namespaced objects [documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#not-all-objects-are-in-a-namespace)
+- Resource Quotas [documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas/)
+- Limit Ranges [documentation](https://kubernetes.io/docs/concepts/policy/limit-range/)
+- Network Policy [documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+
+## Areas of Interest
+
+- `teams.tf` contains a sample configuration of the `teams` module, in this case providing restricted access to specific Namespaces, and *read-only* access to list Namespaces and Nodes for the specified identities.
+
+https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/patterns/development-team/teams.tf#L5-L123
 
-- An EKS cluster (required to support module/tests)
-- An administrative team
-- A red team which demonstrates creating one team per module definition
-- Blue teams which demonstrates creating multiple teams per module definition
+- `eks.tf` holds the EKS Cluster configuration and the setup of the `aws-auth` configMap, providing the EKS authentication model for the identities and RBAC authorization created by the `teams` module.
+
+https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/patterns/development-team/eks.tf#L28-L33
+
+## Deploy
+
+Configuration in this directory creates:
 
-## Usage
+- A VPC (required to support module/eks)
+- An EKS cluster (required to support module/teams)
+- A team with `admin` privileges inside Namespaces, but with read-only access to Namespaces and Nodes
 
-To run this example you need to execute:
+To run this pattern you need to execute:
 
 ```bash
+$ cd patterns/cluster-admin
 $ terraform init
 $ terraform plan
 $ terraform apply
diff --git a/patterns/development-team/eks.tf b/patterns/development-team/eks.tf
new file mode 100644
index 0000000..9bedc22
--- /dev/null
+++ b/patterns/development-team/eks.tf
@@ -0,0 +1,64 @@
+################################################################################
+# Supporting Resources
+################################################################################
+# EKS Cluster
+################################################################################
+
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+ version = "~> 19.13"
+
+ cluster_name = local.name
+ cluster_version = "1.27"
+ cluster_endpoint_public_access = true
+
+ vpc_id = module.vpc.vpc_id
+ subnet_ids = module.vpc.private_subnets
+
+ eks_managed_node_groups = {
+ initial = {
+ instance_types = ["m5.large"]
+
+ min_size = 1
+ max_size = 5
+ desired_size = 2
+ }
+ }
+
+ manage_aws_auth_configmap = true
+ aws_auth_roles = flatten(
+ [
+ module.development_team.aws_auth_configmap_role,
+ ]
+ )
+
+ tags = local.tags
+}
+
+################################################################################
+# VPC
+################################################################################
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "~> 5.0"
+
+ name = local.name
+ cidr = local.vpc_cidr
+
+ azs = local.azs
+ private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+ public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+
+ enable_nat_gateway = true
+ single_nat_gateway = true
+
+ public_subnet_tags = {
+ "kubernetes.io/role/elb" = 1
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/role/internal-elb" = 1
+ }
+
+ tags = local.tags
+}
diff --git a/patterns/development-team/main.tf b/patterns/development-team/main.tf
index 284c5a5..72990d2 100644
--- a/patterns/development-team/main.tf
+++ b/patterns/development-team/main.tf
@@ -19,7 +19,7 @@ data "aws_caller_identity" "current" {}
 
 locals {
 region = "us-west-2"
- name = "ex-teams-${basename(path.cwd)}"
+ name = basename(path.cwd)
 
 vpc_cidr = "10.0.0.0/16"
 azs = slice(data.aws_availability_zones.available.names, 0, 3)
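Review bot: `cluster_endpoint_public_access = true` in the new `module "eks"` block publishes the cluster API endpoint to the internet with no source restriction, because the module's `cluster_endpoint_public_access_cidrs` is left at its default. Since this is a pattern that readers copy, either narrow the allow-list next to it, e.g. `cluster_endpoint_public_access_cidrs = ["<your-egress-cidr>/32"]` (placeholder), or add a comment such as `# Public endpoint kept open for the example only; restrict with cluster_endpoint_public_access_cidrs in real deployments` so the intent is explicit. IAM/aws-auth still gates who can call the API, but the endpoint itself becomes reachable and brute-forceable from anywhere, and nothing in this file documents that trade-off.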
@@ -30,187 +30,3 @@ locals {
 Repository = "https://github.com/aws-ia/terraform-aws-eks-blueprints-teams"
 }
 }
-
-################################################################################
-# EKS Development Teams Module
-################################################################################
-
-module "development_team" {
- source = "../.."
-
- name = "development-team"
-
- users = [data.aws_caller_identity.current.arn]
- cluster_arn = module.eks.cluster_arn
- oidc_provider_arn = module.eks.oidc_provider_arn
-
- labels = {
- team = "dev"
- }
-
- annotations = {
- team = "dev"
- }
-
- namespaces = {
- default = {
- # Provides access to an existing namespace
- create = false
- }
- app = {
-
- labels = {
- projectName = "project-app",
- }
-
- resource_quota = {
- hard = {
- "requests.cpu" = "1000m",
- "requests.memory" = "4Gi",
- "limits.cpu" = "2000m",
- "limits.memory" = "8Gi",
- "pods" = "10",
- "secrets" = "10",
- "services" = "10"
- }
- }
-
- limit_range = {
- limit = [
- {
- type = "Pod"
- max = {
- cpu = "200m"
- memory = "1Gi"
- }
- },
- {
- type = "PersistentVolumeClaim"
- min = {
- storage = "24M"
- }
- },
- {
- type = "Container"
- default = {
- cpu = "50m"
- memory = "24Mi"
- }
- }
- ]
- }
-
- network_policy = {
- pod_selector = {
- match_expressions = [{
- key = "name"
- operator = "In"
- values = ["webfront", "api"]
- }]
- }
-
- ingress = [{
- ports = [
- {
- port = "http"
- protocol = "TCP"
- },
- {
- port = "53"
- protocol = "TCP"
- },
- {
- port = "53"
- protocol = "UDP"
- }
- ]
-
- from = [
- {
- namespace_selector = {
- match_labels = {
- name = "default"
- }
- }
- },
- {
- ip_block = {
- cidr = "10.0.0.0/8"
- except = [
- "10.0.0.0/24",
- "10.0.1.0/24",
- ]
- }
- }
- ]
- }]
-
- egress = [] # single empty rule to allow all egress traffic
-
- policy_types = ["Ingress", "Egress"]
- }
- }
- }
-
- tags = local.tags
-}
-
-################################################################################
-# Supporting Resources
-################################################################################
-
-module "eks" {
- source = "terraform-aws-modules/eks/aws"
- version = "~> 19.13"
-
- cluster_name = local.name
- cluster_version = "1.27"
- cluster_endpoint_public_access = true
-
- vpc_id = module.vpc.vpc_id
- subnet_ids = module.vpc.private_subnets
-
- eks_managed_node_groups = {
- initial = {
- instance_types = ["m5.large"]
-
- min_size = 1
- max_size = 5
- desired_size = 2
- }
- }
-
- manage_aws_auth_configmap = true
- aws_auth_roles = flatten(
- [
- module.development_team.aws_auth_configmap_role,
- ]
- )
-
- tags = local.tags
-}
-
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "~> 5.0"
-
- name = local.name
- cidr = local.vpc_cidr
-
- azs = local.azs
- private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
- public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
-
- enable_nat_gateway = true
- single_nat_gateway = true
-
- public_subnet_tags = {
- "kubernetes.io/role/elb" = 1
- }
-
- private_subnet_tags = {
- "kubernetes.io/role/internal-elb" = 1
- }
-
- tags = local.tags
-}
diff --git a/patterns/development-team/teams.tf b/patterns/development-team/teams.tf
new file mode 100644
index 0000000..a57499b
--- /dev/null
+++ b/patterns/development-team/teams.tf
@@ -0,0 +1,123 @@
+################################################################################
+# EKS Blueprints Teams Module - Development Team
+################################################################################
+
+module "development_team" {
+ source = "../.."
+
+ name = "development-team"
+
+ users = [data.aws_caller_identity.current.arn]
+ cluster_arn = module.eks.cluster_arn
+ oidc_provider_arn = module.eks.oidc_provider_arn
+
+ labels = {
+ team = "dev"
+ }
+
+ annotations = {
+ team = "dev"
+ }
+
+ namespaces = {
+ default = {
+ # Provides access to an existing namespace
+ create = false
+ }
+ app = {
+
+ labels = {
+ projectName = "project-app",
+ }
+
+ resource_quota = {
+ hard = {
+ "requests.cpu" = "1000m",
+ "requests.memory" = "4Gi",
+ "limits.cpu" = "2000m",
+ "limits.memory" = "8Gi",
+ "pods" = "10",
+ "secrets" = "10",
+ "services" = "10"
+ }
+ }
+
+ limit_range = {
+ limit = [
+ {
+ type = "Pod"
+ max = {
+ cpu = "200m"
+ memory = "1Gi"
+ }
+ },
+ {
+ type = "PersistentVolumeClaim"
+ min = {
+ storage = "24M"
+ }
+ },
+ {
+ type = "Container"
+ default = {
+ cpu = "50m"
+ memory = "24Mi"
+ }
+ }
+ ]
+ }
+
+ network_policy = {
+ pod_selector = {
+ match_expressions = [{
+ key = "name"
+ operator = "In"
+ values = ["webfront", "api"]
+ }]
+ }
+
+ ingress = [{
+ ports = [
+ {
+ port = "http"
+ protocol = "TCP"
+ },
+ {
+ port = "53"
+ protocol = "TCP"
+ },
+ {
+ port = "53"
+ protocol = "UDP"
+ }
+ ]
+
+ from = [
+ {
+ namespace_selector = {
+ match_labels = {
+ name = "default"
+ }
+ }
+ },
+ {
+ ip_block = {
+ cidr = "10.0.0.0/8"
+ except = [
+ "10.0.0.0/24",
+ "10.0.1.0/24",
+ ]
+ }
+ }
+ ]
+ }]
+
+ egress = [] # single empty rule to allow all egress traffic
+
+ policy_types = ["Ingress", "Egress"]
+ }
+ }
+ }
+
+ tags = local.tags
+}
diff --git a/patterns/namespaced-admin/teams.tf b/patterns/namespaced-admin/teams.tf
index 6d30560..0f2992f 100644
--- a/patterns/namespaced-admin/teams.tf
+++ b/patterns/namespaced-admin/teams.tf
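Review bot: The comment on `egress = [] # single empty rule to allow all egress traffic` in the `app` namespace's `network_policy` contradicts the value: an empty list holds no rule at all, whereas "a single empty rule" would be `egress = [{}]`. If the module renders this list into NetworkPolicy egress rules one-to-one (the module source is outside this diff, so please confirm), then combined with `policy_types = ["Ingress", "Egress"]` the resulting policy has an Egress policy type with no egress rule, which Kubernetes treats as deny-all outbound for the selected `webfront`/`api` pods, DNS included. Either change the value to `egress = [{}]` so the comment becomes true, or keep the value and reword the comment to `# no egress rules: with "Egress" in policy_types, all outbound traffic from the selected pods is denied` so readers copying this pattern know what they are getting. The block was moved verbatim from main.tf, so the mismatch predates this commit but is now the reference example for this pattern.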
@@ -1,5 +1,5 @@
 ################################################################################
-# EKS Teams Module - Namespaced Admin
+# EKS Blueprints Teams Module - Namespaced Admin
 ################################################################################
 
 module "operations_team" {