diff --git a/README.md b/README.md index 663ac2c..e264ce3 100644 --- a/README.md +++ b/README.md @@ -12,12 +12,9 @@ Check out the [getting_started.md](docs/getting_started.md) guide for installing You’ll need an [EKS](https://aws.amazon.com/eks/) cluster to run against. ### Running on the EKS cluster -1. Make sure that you have configured an [IAM role for the service account](#IAM-Role-for-Service-Account) `kyverno-aws-adapter-sa` in your desired namespace (configured in `values.yaml`) and specified the role's ARN in the `roleArn` field inside `values.yaml` file. -2. Install the Helm Chart. Follow instructions given [here](/charts/kyverno-aws-adapter#installation). -3. Check the `status` field of the `-config` custom resource in the namespace specified in `values.yaml`. For instance, if the cluster name is `eks-test` and namespace is `kyverno-aws-adapter`, then: - ```sh - kubectl get awsacfg eks-test-config -n kyverno-aws-adapter -o yaml - ``` +1. Make sure that you have configured an [IAM role for the service account](#IAM-Role-for-Service-Account) to be used by the Kyverno AWS Adapter. + +2. Install the Helm Chart and verify that the Adapter works as expected. Follow instructions given [here](/charts/kyverno-aws-adapter#installation) ## IAM Role for Service Account This adapter utilizes the ARN of a user-defined IAM Role associated with any policy that has `Full: List, Read` permissions for the `EKS` service, including the following: diff --git a/charts/kyverno-aws-adapter/README.md b/charts/kyverno-aws-adapter/README.md index aa4bab6..7204d2e 100644 --- a/charts/kyverno-aws-adapter/README.md +++ b/charts/kyverno-aws-adapter/README.md 
@@ -14,7 +14,7 @@ You’ll need an [EKS](https://aws.amazon.com/eks/) cluster to run against. ### Running on the EKS cluster -1. Make sure that you have configured an [IAM role for the service account](#IAM-Role-for-Service-Account) `kyverno-aws-adapter-sa` in your desired namespace (configured in `values.yaml`) and specified the role's ARN in the `roleArn` field inside `values.yaml` file. +1. Make sure that you have configured an [IAM role for the service account](#IAM-Role-for-Service-Account) to be used by the Adapter, through the `roleArn` parameter of the Helm install command that follows. 2. Add the Kyverno AWS Adapter Helm repository. ```console @@ -22,12 +22,12 @@ You’ll need an [EKS](https://aws.amazon.com/eks/) cluster to run against. helm repo update kyverno-aws-adapter ``` -3. Install the Helm chart in an appropriate namespace, providing other parameters as described in the [Values](#values) section. +3. Install the Helm chart in an appropriate namespace, providing other parameters as described in the [Values](#values) section. Parameters `roleArn`, `eksCluster.name`, `eksCluster.region` are required. ```console helm install --namespace kyverno-aws-adapter --create-namespace kyverno-aws-adapter kyverno-aws-adapter/kyverno-aws-adapter ``` -4. Check the `status` field of the `awsacfg` custom resource created in the namespace specified in `values.yaml`. For instance if namespace is `kyverno-aws-adapter`, then: +4. Check the `status` field of the `awsacfg` custom resource created in the installation namespace. For instance: ```console kubectl get awsacfg -n kyverno-aws-adapter -o yaml ``` 
@@ -40,8 +40,8 @@ You’ll need an [EKS](https://aws.amazon.com/eks/) cluster to run against. | fullnameOverride | string | `nil` | Override the expanded name of the chart | | roleArn | string | `nil` | Role for accessing AWS API (REQUIRED) | | pollInterval | int | `30` | Interval at which the controller reconciles in minutes | -| eksCluster.name | string | `nil` | EKS cluster name | -| eksCluster.region | string | `nil` | EKS cluster region | +| eksCluster.name | string | `nil` | EKS cluster name (REQUIRED) | +| eksCluster.region | string | `nil` | EKS cluster region (REQUIRED) | | rbac.create | bool | `true` | Enable RBAC resources creation | | rbac.serviceAccount.name | string | `nil` | Service account name, you MUST provide one when `rbac.create` is set to `false` | | image.repository | string | `"ghcr.io/nirmata/kyverno-aws-adapter"` | Image repository | @@ -71,8 +71,6 @@ This adapter utilizes the ARN of a user-defined IAM Role associated with any pol | DescribeUpdate | | ListTagsForResource | -You can specify the Role's ARN in the `roleArn` field inside the Helm chart's `values.yaml` file. - Please ensure that the trust relationship policy for your IAM role resembles the following format: ```json { diff --git a/charts/kyverno-aws-adapter/README.md.gotmpl b/charts/kyverno-aws-adapter/README.md.gotmpl index 83550b0..1077cb6 100644 --- a/charts/kyverno-aws-adapter/README.md.gotmpl +++ b/charts/kyverno-aws-adapter/README.md.gotmpl 
@@ -14,7 +14,7 @@ You’ll need an [EKS](https://aws.amazon.com/eks/) cluster to run against. ### Running on the EKS cluster -1. Make sure that you have configured an [IAM role for the service account](#IAM-Role-for-Service-Account) `kyverno-aws-adapter-sa` in your desired namespace (configured in `values.yaml`) and specified the role's ARN in the `roleArn` field inside `values.yaml` file. +1. Make sure that you have configured an [IAM role for the service account](#IAM-Role-for-Service-Account) to be used by the Adapter, through the `roleArn` parameter of the Helm install command that follows. 2. Add the Kyverno AWS Adapter Helm repository. ```console @@ -22,12 +22,12 @@ You’ll need an [EKS](https://aws.amazon.com/eks/) cluster to run against. helm repo update kyverno-aws-adapter ``` -3. Install the Helm chart in an appropriate namespace, providing other parameters as described in the [Values](#values) section. +3. Install the Helm chart in an appropriate namespace, providing other parameters as described in the [Values](#values) section. Parameters `roleArn`, `eksCluster.name`, `eksCluster.region` are required. ```console helm install --namespace kyverno-aws-adapter --create-namespace kyverno-aws-adapter kyverno-aws-adapter/kyverno-aws-adapter ``` -4. Check the `status` field of the `awsacfg` custom resource created in the namespace specified in `values.yaml`. For instance if namespace is `kyverno-aws-adapter`, then: +4. Check the `status` field of the `awsacfg` custom resource created in the installation namespace. For instance: ```console kubectl get awsacfg -n kyverno-aws-adapter -o yaml ``` @@ -56,8 +56,6 @@ This adapter utilizes the ARN of a user-defined IAM Role associated with any pol | DescribeUpdate | | ListTagsForResource | -You can specify the Role's ARN in the `roleArn` field inside the Helm chart's `values.yaml` file. - Please ensure that the trust relationship policy for your IAM role resembles the following format: ```json { 
diff --git a/charts/kyverno-aws-adapter/templates/rbac.yaml b/charts/kyverno-aws-adapter/templates/rbac.yaml index ac73174..5d48057 100644 --- a/charts/kyverno-aws-adapter/templates/rbac.yaml +++ b/charts/kyverno-aws-adapter/templates/rbac.yaml @@ -45,9 +45,7 @@ metadata: labels: {{- include "kyverno-aws-adapter.labels" . | nindent 4 }} annotations: - {{- if .Values.roleArn }} - eks.amazonaws.com/role-arn: {{ .Values.roleArn }} - {{- end }} + eks.amazonaws.com/role-arn: {{ required "Role ARN is required" .Values.roleArn }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/kyverno-aws-adapter/values.yaml b/charts/kyverno-aws-adapter/values.yaml index 178679a..a2540ae 100644 --- a/charts/kyverno-aws-adapter/values.yaml +++ b/charts/kyverno-aws-adapter/values.yaml @@ -15,9 +15,9 @@ roleArn: pollInterval: 30 eksCluster: - # -- EKS cluster name + # -- EKS cluster name (REQUIRED) name: - # -- EKS cluster region + # -- EKS cluster region (REQUIRED) region: rbac:
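Review bot: In the top-level `README.md` hunk, new step 2 tells the reader to "verify that the Adapter works as expected", but the same hunk deletes the only concrete check, the `kubectl get awsacfg ... -o yaml` look at the `status` field. Step 1 also no longer names the service account (`kyverno-aws-adapter-sa`) the role is meant for. Consider keeping a one-line statement of what to verify, or say explicitly that the verification step is in the chart README. The link at the end of step 2 is also missing its closing period.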
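Review bot: In `charts/kyverno-aws-adapter/README.md`, hunk `@@ -22,12 +22,12 @@`, step 3 now states that `roleArn`, `eksCluster.name` and `eksCluster.region` are required, yet the `helm install` command directly below it passes none of them. Combined with the `required` call added in `rbac.yaml`, the command as documented stops with "Role ARN is required". Suggest showing the three values in the command, for example `--set roleArn=<role-arn> --set eksCluster.name=<cluster-name> --set eksCluster.region=<region>`. The identical text is in `README.md.gotmpl`, so the fix belongs in both files.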
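Review bot: In `templates/rbac.yaml`, the message passed to `required` ("Role ARN is required") does not name the value key, so a user who hits it has to go looking for what to set. Something like `required "roleArn is required (--set roleArn=<role-arn>)" .Values.roleArn` is easier to act on. Note too that `roleArn:` stays empty in `values.yaml`, so any `helm template` or `helm install` run with default values now fails. If the chart is rendered with defaults anywhere in CI, that job needs a values file that sets `roleArn`.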
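Review bot: In the `values.yaml` hunk, `eksCluster.name` and `eksCluster.region` are marked `(REQUIRED)` in comments only. Nothing in this patch enforces them, unlike `roleArn`, which gets a `required` call in `rbac.yaml`. An install that omits them will still render and the problem only shows up at runtime. Suggest wrapping those values in `required` in whichever template consumes them, so all three parameters documented as required fail the same way at install time.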