Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: update multi-tenacy docs #1

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 78 additions & 6 deletions docs/book/src/topics/multitenancy.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,9 @@ Starting from v0.6.5, single controller multi-tenancy is supported that allows u
For details, see the [multi-tenancy proposal](https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/main/docs/proposal/20200506-single-controller-multitenancy.md).


For multi-tenancy support, a reference field (`identityRef`) is added to `AWSCluster`, which describes the identity to be used when reconciling the cluster.
For multi-tenancy support, a reference field (`identityRef`) is added to `AWSCluster`, which informs the controller of which identity to be used when reconciling the cluster.
If the identity provided exists in a different AWS account, this is the mechanism which informs the controller to provision a cluster in a different account.


```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
Expand Down Expand Up @@ -112,10 +114,13 @@ stringData:
The assumed role could be used by the AWSClusters that is in the `allowedNamespaces`.

Example:
Below, an `AWSClusterRoleIdentity` instance, which will be used by AWSCluster "test", is created.
Below, an `AWSClusterRoleIdentity` instance, which will be used by `AWSCluster` "test", is created.
This role will be assumed by the source identity at runtime. Source identity can be of any identity type.
Role is assumed in the beginning once and after, whenever the assumed role's credentials are expired.

This snippet illustrates the connection between `AWSCluster`and the `AWSClusterRoleIdentity`, however this is not a working example.
Please view a full example below.

```yaml
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
Expand All @@ -135,12 +140,11 @@ metadata:
name: "test-account-role"
spec:
allowedNamespaces:
list: # allows only "test" namespace to use this identity
"test"
- "test" # allows only "test" namespace to use this identity
roleARN: "arn:aws:iam::123456789:role/CAPARole"
sourceIdentityRef:
kind: AWSClusterStaticIdentity
name: test-account-creds
kind: AWSClusterControllerIdentity # use the singleton for root auth
name: default
```

Nested role assumption is also supported.
Expand Down Expand Up @@ -175,6 +179,74 @@ spec:
name: multi-tenancy-role
```

### Examples

This is a deployable example which uses the `AWSClusterRoleIdentity` "test-account-role" to assume into the `arn:aws:iam::123456789:role/CAPARole` role in the target account.
This example assumes that the `CAPARole` has already been configured in the target account.

Finally, we inform the `Cluster` to use our `AWSCluster`type to provision a cluster in the target account specified by the `identityRef` section.

**Note**

By default the `AutoControllerIdentityCreator=true` feature gate is set to `true` [here](https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/412d310654c6b05f1b4bc3d319f6957a07c009c2/feature/feature.go?rgh-link-date=2022-03-23T14%3A57%3A46Z#L81).
If this is not enabled for your cluster, you will need to enable the flag, or create your own default `AWSClusterControllerIdentity`.

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSClusterControllerIdentity
metadata:
name: "default"
spec:
allowedNamespaces:{} # matches all namespaces
```

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSClusterRoleIdentity
metadata:
name: "test-account-role"
spec:
allowedNamespaces: {} # matches all namespaces
roleARN: "arn:aws:iam::123456789:role/CAPARole"
sourceIdentityRef:
kind: AWSClusterControllerIdentity # use the singleton for root auth
name: default
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSCluster
metadata:
name: "test-multi-tenant-workload"
spec:
region: "eu-west-1"
identityRef:
kind: AWSClusterRoleIdentity
name: test-account-role
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: "test-multi-tenant-workload"
spec:
infrastructureRef:
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSCluster
name: "test-multi-tenant-workload"
```
davidblum marked this conversation as resolved.
Show resolved Hide resolved

More specific examples can be referenced from the existing [templates](../../../../templates/) directory.

In order to use the [EC2 template](../../../../templates/cluster-template.yaml) with identity type, you can add the `identityRef` section to `kind: AWSCluster` spec section in the template. If you do not, CAPA will automatically add the default identity provider (which is usually your local account credentials).

Similarly, to use the [EKS template](../../../../templates/cluster-template-eks.yaml) with identity type, you can add the `identityRef` section to `kind: AWSManagedControlPlane` spec section in the template. If you do not, CAPA will automatically add the default identity provider (which is usually your local account credentials).

#### Permissions

There are multiple AWS assume role permissions that need to be configured in order for the assume role to work
- The Primary role in the management account must be allowed to assume role into the target role account
- This is traditionally the controller role, but the operator can configure it to be any role
- The target account role must be configured to allow the management role to assume into it
- The target account role must have adequate permissions for cluster-api to build both EC2 and EKS based clusters

## Secure Access to Identities
`allowedNamespaces` field is used to grant access to the namespaces to use Identities.
Only AWSClusters that are created in one of the Identity's allowed namespaces can use that Identity.
Expand Down