Add support for IRSA in he api

Apply suggestions from code review Co-authored-by: John Gardiner Myers <[email protected]>
kubernetes · Apr 30, 2021 · 3df5506 · 3df5506
1 parent 7a63ed8
commit 3df5506
Show file tree

Hide file tree

Showing 33 changed files with 2,306 additions and 18 deletions.
diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
@@ -405,6 +405,19 @@ func TestNTHQueueProcessor(t *testing.T) {
 	newIntegrationTest("nthsqsresources.example.com", "nth_sqs_resources").runTestCloudformation(t)
 }
 
+// TestCustomIRSA runs a simple configuration, but with some additional IAM roles for ServiceAccounts
+func TestCustomIRSA(t *testing.T) {
+	featureflag.ParseFlags("+PublicJWKS")
+	unsetFeatureFlags := func() {
+		featureflag.ParseFlags("-PublicJWKS")
+	}
+	defer unsetFeatureFlags()
+	newIntegrationTest("minimal.example.com", "irsa").
+		withServiceAccountRole("myserviceaccount.default", false).
+		withServiceAccountRole("myotherserviceaccount.myapp", true).
+		runTestTerraformAWS(t)
+}
+
 func (i *integrationTest) runTest(t *testing.T, h *testutils.IntegrationTestHarness, expectedDataFilenames []string, tfFileName string, expectedTfFileName string, phase *cloudup.Phase) {
 	ctx := context.Background()
 
@@ -606,7 +619,6 @@ func (i *integrationTest) runTestTerraformAWS(t *testing.T) {
 			}...)
 		}
 	}
-
 	expectedFilenames = append(expectedFilenames, i.expectServiceAccountRolePolicies...)
 
 	i.runTest(t, h, expectedFilenames, tfFileName, tfFileName, nil)

diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -1158,9 +1158,55 @@ spec:
                     type: boolean
                   permissionsBoundary:
                     type: string
+                  serviceAccountMappings:
+                    description: ServiceAccountMappings defines the relatinship between
+                      Kubernetes ServiceAccounts and IAM roles.
+                    items:
+                      description: ServiceAccountMapping defines the relationship
+                        between a Kubernetes ServiceAccount and an IAM Role.
+                      properties:
+                        iamPolicyARNs:
+                          items:
+                            type: string
+                          type: array
+                        inlinePolicy:
+                          type: string
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      required:
+                      - name
+                      - namespace
+                      type: object
+                    type: array
                 required:
                 - legacy
                 type: object
+              iamRolesForServiceAccounts:
+                description: IAMRolesForServiceAccount defines the IRSA configuration.
+                properties:
+                  serviceAccounts:
+                    items:
+                      description: ServiceAccountMapping defines the relationship
+                        between a Kubernetes ServiceAccount and an IAM Role.
+                      properties:
+                        iamPolicyARNs:
+                          items:
+                            type: string
+                          type: array
+                        inlinePolicy:
+                          type: string
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      required:
+                      - name
+                      - namespace
+                      type: object
+                    type: array
+                type: object
               isolateMasters:
                 description: 'IsolateMasters determines whether we should lock down
                   masters so that they are not on the pod network. true is the kube-up

diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
@@ -207,6 +207,22 @@ type ClusterSpec struct {
 	ClusterAutoscaler *ClusterAutoscalerConfig `json:"clusterAutoscaler,omitempty"`
 	// WarmPool defines the default warm pool settings for instance groups (AWS only).
 	WarmPool *WarmPoolSpec `json:"warmPool,omitempty"`
+
+	// IAMRolesForServiceAccount defines the IRSA configuration.
+	IAMRolesForServiceAccounts *IAMRolesForServiceAccountsConfig `json:"iamRolesForServiceAccounts,omitempty"`
+}
+
+// InstanceRoleForServiceAccountConfig defines the IRSA configuration.
+type IAMRolesForServiceAccountsConfig struct {
+	ServiceAccounts []ServiceAccountMapping `json:"serviceAccounts,omitempty"`
+}
+
+// ServiceAccountMapping defines the relationship between a Kubernetes ServiceAccount and an IAM Role.
+type ServiceAccountMapping struct {
+	Name          string   `json:"name"`
+	Namespace     string   `json:"namespace"`
+	IAMPolicyARNs []string `json:"iamPolicyARNs,omitempty"`
+	InlinePolicy  string   `json:"inlinePolicy,omitempty"`
 }
 
 // NodeAuthorizationSpec is used to node authorization
@@ -271,6 +287,8 @@ type IAMSpec struct {
 	Legacy                 bool    `json:"legacy"`
 	AllowContainerRegistry bool    `json:"allowContainerRegistry,omitempty"`
 	PermissionsBoundary    *string `json:"permissionsBoundary,omitempty"`
+	// ServiceAccountMappings defines the relatinship between Kubernetes ServiceAccounts and IAM roles.
+	ServiceAccountMappings []ServiceAccountMapping `json:"serviceAccountMappings,omitempty"`
 }
 
 // HookSpec is a definition hook

diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go
@@ -206,6 +206,22 @@ type ClusterSpec struct {
 	ClusterAutoscaler *ClusterAutoscalerConfig `json:"clusterAutoscaler,omitempty"`
 	// WarmPool defines the default warm pool settings for instance groups (AWS only).
 	WarmPool *WarmPoolSpec `json:"warmPool,omitempty"`
+
+	// IAMRolesForServiceAccount defines the IRSA configuration.
+	IAMRolesForServiceAccounts *IAMRolesForServiceAccountsConfig `json:"iamRolesForServiceAccounts,omitempty"`
+}
+
+// IAMRoleForServiceAccountConfig defines the IRSA configuration.
+type IAMRolesForServiceAccountsConfig struct {
+	ServiceAccounts []ServiceAccountMapping `json:"serviceAccounts,omitempty"`
+}
+
+// ServiceAccountMapping defines the relationship between a Kubernetes ServiceAccount and an IAM Role.
+type ServiceAccountMapping struct {
+	Name          string   `json:"name"`
+	Namespace     string   `json:"namespace"`
+	IAMPolicyARNs []string `json:"iamPolicyARNs,omitempty"`
+	InlinePolicy  string   `json:"inlinePolicy,omitempty"`
 }
 
 // NodeAuthorizationSpec is used to node authorization
@@ -269,6 +285,8 @@ type IAMSpec struct {
 	Legacy                 bool    `json:"legacy"`
 	AllowContainerRegistry bool    `json:"allowContainerRegistry,omitempty"`
 	PermissionsBoundary    *string `json:"permissionsBoundary,omitempty"`
+	// ServiceAccountMappings defines the relatinship between Kubernetes ServiceAccounts and IAM roles.
+	ServiceAccountMappings []ServiceAccountMapping `json:"serviceAccountMappings,omitempty"`
 }
 
 // HookSpec is a definition hook

diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go