user-configurable IAM roles for ServiceAccounts

[olemarkus]

This PR allows users to configure IRSA for their own workloads. It is the kOps equivalent of https://eksctl.io/usage/iamserviceaccounts/#usage-with-config-files

/cc @justinsb @rifelpet

[olemarkus]

/retest

[rifelpet]

I don't see the OIDC provider being created in the integration test's terraform output. any idea why that is?

[rifelpet]

nit, might be worth validating the policy arn:

kops/pkg/apis/kops/validation/instancegroup.go

Lines 267 to 271 in b03b50f

	parsedARN, err := arn.Parse(instanceProfileARN)
	if err != nil || !strings.HasPrefix(parsedARN.Resource, "instance-profile/") {
	allErrs = append(allErrs, field.Invalid(fldPath.Child("profile"), instanceProfileARN,
	"Instance Group IAM Instance Profile must be a valid aws arn such as arn:aws:iam::123456789012:instance-profile/KopsExampleRole"))
	}

[olemarkus]

PublicJWKS feature flag isn't set on this particular test, so no OIDC config is created.

[rifelpet]

The iam roles' assume role policies reference arn:aws:iam::123456789012:oidc-provider/api.internal.minimal.example.com if that's not being created in kubernetes.tf nor specified anywhere in the cluster spec then where did it come from? Is this even a valid configuration?

[olemarkus]

Not really. Those two flags would almost always be used together.

It depends a bit what we want here. My idea was to add an enable flag on this struct, and that would mean provision OIDC (i.e PublicJWKS). Having this enabled, would also use IRSA on all kops addons that supports it (i.e UseServiceAccountIAM).

Question is if we want to force that? Or do we want users to enable IRSA, but not for the kops addons? Do we want users to enable IRSA individually on all addons?

[rifelpet]

Hm for migration purposes I could see the benefit of being able to migrate individual addons to IRSA. It'd be safer to migrate one at a time rather than be forced to do them all at once. I do like the idea of an enable field here that would supplement PublicJWKS. Perhaps we update the integration test to use both feature flags, and (potentially in a followup PR) add api validation to ensure PublicJWKS is enabled if UseServiceAccountIAM is enabled? And if we want to relax that restriction down the road (eg. to allow specifying an existing OIDC provider ARN in the cluster spec) then we can do that.

[olemarkus]

/retest

[rifelpet]

Does Cluster API or any of the relevant Cluster API providers support similar functionality? If so we could consider modeling our design off of theirs to reduce friction when adopting Cluster API support.

[rifelpet]

A summary of the discussion from office hours:

• Move inlinePolicy and iamPolicyARNs to an aws substruct
• Rename serviceAccountMappings to something indicating these are mappings to external permissions (cloud providers, etc.) serviceAccountExternalMappings was proposed.
• We need to investigate if multiple fields are supported as a merge key for patch operations since an element in the serviceAccountMappings list would be keyed by name + namespace

As an aside, I think if we move iamPolicyARNs to an aws substruct we could probably drop the iam prefix from the field name, to be more consistent with inlinePolicy and because the presence of the aws field provides sufficient context that these policy ARNs are for AWS IAM policies.

[olemarkus]

Amended according to our discussions today.

Note that right now, one can configure this without enabling AWS OIDC provider. Once that is configurable, we may want to add validation for that. Easy thing that can be done in a follow-up.

[olemarkus]

/test pull-kops-e2e-cni-amazonvpc

[johngmyers]

Why use the word "mappings" for these? That word appears to be overly uninformative as to what is being provisioned. What is being provisioned is something more like "permissions" or "roles". They're the out-of-cluster analogue of Role and/or RoleBinding.

[johngmyers]

Okay, at least that word isn't exposed through the API.

[johngmyers]

Would be good to not require the feature flag. Not blocking.

[johngmyers]

Could use comments on these.

[johngmyers]

These changes are technically out of scope of this PR. Not blocking.

[johngmyers]

Do we have code to delete the relevant AWS objects when items are removed from this list?

[olemarkus]

No, as usual, kOps is quite bad at this. I am wondering if we need a more generic solution that. Maybe we can tag all RenderAWS-created resources with kops.k8s.io/task=taskname and then at the end of cloudup, remove all resources that match tasks that wasn't created.

I think we need to look at that separately.

[johngmyers]

We might consider handling aws == nil to save overlooking when someone adds a second external system.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johngmyers

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [johngmyers]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment