Add support for IRSA in he api

cmd/kops/integration_test.go

@@ -387,6 +387,20 @@ func TestAPIServerNodes(t *testing.T) {
 	newIntegrationTest("minimal.example.com", "apiservernodes").runTestCloudformation(t)
 }
 
+// TestPublicIRSA runs a simple configuration, but with some additional IAM roles for ServiceAccounts
+func TestIRSA(t *testing.T) {
+	featureflag.ParseFlags("+UseServiceAccountIAM")
+	unsetFeatureFlags := func() {
+		featureflag.ParseFlags("-UseServiceAccountIAM")
+	}
+	defer unsetFeatureFlags()
+	newIntegrationTest("minimal.example.com", "irsa").
+		withServiceAccountRole("dns-controller.kube-system", true).
+		withServiceAccountRole("myserviceaccount.default", false).
+		withServiceAccountRole("myotherserviceaccount.myapp", true).
+		runTestTerraformAWS(t)
+}
+
 func (i *integrationTest) runTest(t *testing.T, h *testutils.IntegrationTestHarness, expectedDataFilenames []string, tfFileName string, expectedTfFileName string, phase *cloudup.Phase) {
 	ctx := context.Background()
 
@@ -580,7 +594,6 @@ func (i *integrationTest) runTestTerraformAWS(t *testing.T) {
 			}
 		}
 	}
-
 	expectedFilenames = append(expectedFilenames, i.expectServiceAccountRolePolicies...)
 
 	i.runTest(t, h, expectedFilenames, tfFileName, tfFileName, nil)

k8s/crds/kops.k8s.io_clusters.yaml

@@ -1145,6 +1145,26 @@ spec:
                 required:
                 - legacy
                 type: object
+              iamRolesForServiceAccounts:
+                description: IAMRolesForServiceAccount defines the IRSA configuration.
+                properties:
+                  serviceAccounts:
+                    items:
+                      properties:
+                        iamPolicyARN:
+                          type: string
+                        inlinePolicy:
+                          type: string
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      required:
+                      - name
+                      - namespace
+                      type: object
+                    type: array
+                type: object
               isolateMasters:
                 description: 'IsolateMasters determines whether we should lock down
                   masters so that they are not on the pod network. true is the kube-up

pkg/apis/kops/cluster.go

@@ -205,6 +205,21 @@ type ClusterSpec struct {
 	RollingUpdate *RollingUpdate `json:"rollingUpdate,omitempty"`
 	// ClusterAutoscaler defines the cluster autoscaler configuration.
 	ClusterAutoscaler *ClusterAutoscalerConfig `json:"clusterAutoscaler,omitempty"`
+
+	// IAMRolesForServiceAccount defines the IRSA configuration.
+	IAMRolesForServiceAccounts *IAMRolesForServiceAccountsConfig `json:"iamRolesForServiceAccounts,omitempty"`
+}
+
+// InstanceRoleForServiceAccountConfig defines the IRSA configuration.
+type IAMRolesForServiceAccountsConfig struct {
+	ServiceAccounts []ServiceAccountMapping `json:"serviceAccounts,omitempty"`
+}
+
+type ServiceAccountMapping struct {
+	Name         string `json:"name"`
+	Namespace    string `json:"namespace"`
+	IAMPolicyARN string `json:"iamPolicyARN,omitempty"`
+	InlinePolicy string `json:"inlinePolicy,omitempty"`
 }
 
 // NodeAuthorizationSpec is used to node authorization

pkg/apis/kops/v1alpha2/cluster.go

@@ -204,6 +204,21 @@ type ClusterSpec struct {
 	RollingUpdate *RollingUpdate `json:"rollingUpdate,omitempty"`
 	// ClusterAutoscaler defines the cluaster autoscaler configuration.
 	ClusterAutoscaler *ClusterAutoscalerConfig `json:"clusterAutoscaler,omitempty"`
+
+	// IAMRolesForServiceAccount defines the IRSA configuration.
+	IAMRolesForServiceAccounts *IAMRolesForServiceAccountsConfig `json:"iamRolesForServiceAccounts,omitempty"`
+}
+
+// IAMRoleForServiceAccountConfig defines the IRSA configuration.
+type IAMRolesForServiceAccountsConfig struct {
+	ServiceAccounts []ServiceAccountMapping `json:"serviceAccounts,omitempty"`
+}
+
+type ServiceAccountMapping struct {
+	Name         string `json:"name"`
+	Namespace    string `json:"namespace"`
+	IAMPolicyARN string `json:"iamPolicyARN,omitempty"`
+	InlinePolicy string `json:"inlinePolicy,omitempty"`
 }
 
 // NodeAuthorizationSpec is used to node authorization

pkg/apis/kops/validation/legacy.go

@@ -400,6 +400,34 @@ func ValidateCluster(c *kops.Cluster, strict bool) field.ErrorList {
 		}
 	}
 
+	if c.Spec.IAMRolesForServiceAccounts != nil {
+		allErrs = append(allErrs, validateIRSA(c.Spec.IAMRolesForServiceAccounts, fieldSpec.Child("iamRolesForServiceAccounts"))...)
+	}
+	return allErrs
+}
+
+func validateIRSA(irsa *kops.IAMRolesForServiceAccountsConfig, spec *field.Path) (allErrs field.ErrorList) {
+	if !featureflag.UseServiceAccountIAM.Enabled() {
+		allErrs = append(allErrs, field.Forbidden(spec, "IAM roles for ServiceAccounts requires UseServiceAccountIAM feature flag to be enabled"))
+	}
+
+	sas := make(map[string]string)
+	for _, sa := range irsa.ServiceAccounts {
+		p := spec.Child("serviceAccounts")
+		key := fmt.Sprintf("%s/%s", sa.Namespace, sa.Name)
+		_, duplicate := sas[key]
+		if duplicate {
+			allErrs = append(allErrs, field.Duplicate(p, key))
+		}
+		sas[key] = ""
+
+		if sa.IAMPolicyARN == "" && sa.InlinePolicy == "" {
+			allErrs = append(allErrs, field.Required(p, "inlinePolicy or iamPolicyARN must be set"))
+		}
+		if sa.IAMPolicyARN != "" && sa.InlinePolicy != "" {
+			allErrs = append(allErrs, field.Forbidden(p, "cannot set both inlinePolicy and iamPolicyARN"))
+		}
+	}
 	return allErrs
 }