refactor patterns/namespaced-admin

aws-ia · Sep 21, 2023 · 9e599c5 · 9e599c5
1 parent b348e6e
commit 9e599c5
Show file tree

Hide file tree

Showing 7 changed files with 122 additions and 104 deletions.
diff --git a/patterns/cluster-admin/README.md b/patterns/cluster-admin/README.md
@@ -2,7 +2,7 @@
 
 This example shows how to create a team with Cluster Admin privileges for the specified identities (`users/role`). For this to work, the created team will be tied to the `system:masters` Kubernetes RBAC group, that will give them the *super-user* permissions, as defined in the `cluster-admin` Kubernetes clusterRole.
 
-- [RBAC Authorization for User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+- RBAC Authorization for User-facing roles [documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
 
 ## Areas of Interest
 

diff --git a/patterns/cluster-admin/main.tf b/patterns/cluster-admin/main.tf
@@ -19,7 +19,7 @@ data "aws_caller_identity" "current" {}
 
 locals {
   region = "us-west-2"
-  name   = "ex-teams-${basename(path.cwd)}"
+  name   = basename(path.cwd)
 
   vpc_cidr = "10.0.0.0/16"
   azs      = slice(data.aws_availability_zones.available.names, 0, 3)

diff --git a/patterns/namespaced-admin/README.md b/patterns/namespaced-admin/README.md
@@ -1,17 +1,32 @@
-# Amazon EKS Blueprints Teams - Complete
+# Amazon EKS Blueprints Teams - Namespaced Admin
 
-Configuration in this directory creates:
+This example shows how to create a team with Admin privileges on Namespaces the specified identities (`users/role`). For this to work, the created team will be tied to the `admin` Kubernetes Role in all Namespaces, this will give them permissions to manage resources inside the Namespaces, however it will **not** provide access to cluster-wide resources, for example manage Namespaces, Nodes, ClusterRoles, ClusterRoleBindings, and others.
+
+- RBAC Authorization for User-facing roles [documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+- Namespaced vs. non-Namespaced objects [documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#not-all-objects-are-in-a-namespace)
+
+## Areas of Interest
+
+- `teams.tf` contains a sample configuration of the `teams` module, in this case providing namespaced `admin` privileges, and *read-only* access to Namespaces and Nodes for the specified identities.
+
+https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/patterns/namespaced-admin/teams.tf#L5-L31
 
-- An EKS cluster (required to support module/tests)
-- An administrative team
-- A red team which demonstrates creating one team per module definition
-- Blue teams which demonstrates creating multiple teams per module definition
+- `eks.tf` holds the EKS Cluster configuration and the setup of the `aws-auth` configMap, providing the EKS authentication model for the identities and RBAC authorization created by the `teams` module.
+
+https://github.com/aws-ia/terraform-aws-eks-blueprints-teams/blob/main/patterns/namespaced-admin/eks.tf#L28-L33
+
+## Deploy
+
+Configuration in this directory creates:
 
-## Usage
+- A VPC (required to support module/eks)
+- An EKS cluster (required to support module/teams)
+- A team with `admin` privileges inside Namespaces, but with read-only access to Namespaces and Nodes
 
-To run this example you need to execute:
+To run this pattern you need to execute:
 
 ```bash
+$ cd patterns/cluster-admin
 $ terraform init
 $ terraform plan
 $ terraform apply

diff --git a/patterns/namespaced-admin/eks.tf b/patterns/namespaced-admin/eks.tf
@@ -0,0 +1,64 @@
+################################################################################
+# Supporting Resources
+################################################################################
+# EKS Cluster
+################################################################################
+
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 19.13"
+
+  cluster_name                   = local.name
+  cluster_version                = "1.27"
+  cluster_endpoint_public_access = true
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  eks_managed_node_groups = {
+    initial = {
+      instance_types = ["m5.large"]
+
+      min_size     = 1
+      max_size     = 5
+      desired_size = 2
+    }
+  }
+
+  manage_aws_auth_configmap = true
+  aws_auth_roles = flatten(
+    [
+      module.operations_team.aws_auth_configmap_role,
+    ]
+  )
+
+  tags = local.tags
+}
+
+################################################################################
+# VPC
+################################################################################
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  public_subnet_tags = {
+    "kubernetes.io/role/elb" = 1
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/role/internal-elb" = 1
+  }
+
+  tags = local.tags
+}
diff --git a/patterns/namespaced-admin/main.tf b/patterns/namespaced-admin/main.tf
@@ -19,9 +19,9 @@ data "aws_caller_identity" "current" {}
 
 locals {
   region = "us-west-2"
-  name   = "teams-${basename(path.cwd)}"
+  name   = basename(path.cwd)
 
-  vpc_cidr = "10.1.0.0/16"
+  vpc_cidr = "10.0.0.0/16"
   azs      = slice(data.aws_availability_zones.available.names, 0, 3)
 
   tags = {
@@ -30,94 +30,3 @@ locals {
     Repository = "https://github.com/aws-ia/terraform-aws-eks-blueprints-teams"
   }
 }
-
-################################################################################
-# EKS Multi-Tenancy Module
-################################################################################
-
-module "operations_team" {
-  source = "../.."
-
-  name = "operations-team"
-
-  users             = [data.aws_caller_identity.current.arn]
-  cluster_arn       = module.eks.cluster_arn
-  oidc_provider_arn = module.eks.oidc_provider_arn
-
-  labels = {
-    team = "ops"
-  }
-
-  annotations = {
-    team = "ops"
-  }
-
-  cluster_role_name     = "ops-team"
-  cluster_role_ref_name = "admin"
-  role_ref = {
-    kind = "ClusterRole"
-    name = "admin"
-  }
-
-  tags = local.tags
-}
-
-################################################################################
-# Supporting Resources
-################################################################################
-
-module "eks" {
-  source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.13"
-
-  cluster_name                   = local.name
-  cluster_version                = "1.27"
-  cluster_endpoint_public_access = true
-
-  vpc_id     = module.vpc.vpc_id
-  subnet_ids = module.vpc.private_subnets
-
-  eks_managed_node_groups = {
-    initial = {
-      instance_types = ["m5.large"]
-
-      min_size     = 1
-      max_size     = 5
-      desired_size = 2
-    }
-  }
-
-  manage_aws_auth_configmap = true
-  aws_auth_roles = flatten(
-    [
-      module.operations_team.aws_auth_configmap_role,
-    ]
-  )
-
-  tags = local.tags
-}
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
-
-  name = local.name
-  cidr = local.vpc_cidr
-
-  azs             = local.azs
-  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
-  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
-
-  enable_nat_gateway = true
-  single_nat_gateway = true
-
-  public_subnet_tags = {
-    "kubernetes.io/role/elb" = 1
-  }
-
-  private_subnet_tags = {
-    "kubernetes.io/role/internal-elb" = 1
-  }
-
-  tags = local.tags
-}
diff --git a/patterns/namespaced-admin/teams.tf b/patterns/namespaced-admin/teams.tf
@@ -0,0 +1,30 @@
+################################################################################
+# EKS Teams Module - Namespaced Admin
+################################################################################
+
+module "operations_team" {
+  source = "../.."
+
+  name = "operations-team"
+
+  users             = [data.aws_caller_identity.current.arn]
+  cluster_arn       = module.eks.cluster_arn
+  oidc_provider_arn = module.eks.oidc_provider_arn
+
+  labels = {
+    team = "ops"
+  }
+
+  annotations = {
+    team = "ops"
+  }
+
+  cluster_role_name     = "ops-team"
+  cluster_role_ref_name = "admin"
+  role_ref = {
+    kind = "ClusterRole"
+    name = "admin"
+  }
+
+  tags = local.tags
+}
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
@@ -19,7 +19,7 @@ data "aws_caller_identity" "current" {}
 
 locals {
   region = "us-west-2"
-  name   = "ex-teams-${basename(path.cwd)}"
+  name   = "teams-${basename(path.cwd)}"
 
   vpc_cidr = "10.0.0.0/16"
   azs      = slice(data.aws_availability_zones.available.names, 0, 3)