inlets / inlets-operator

Get public TCP LoadBalancers for local Kubernetes clusters
https://docs.inlets.dev/reference/inlets-operator
MIT License

Documentation for EC2 provider #54

Closed retgits closed 4 years ago

retgits commented 4 years ago

Current Behaviour

Currently, there is no documentation on how to use the EC2 provider. While I think I figured out most of it, there are still a few things that I'm not sure on. Documenting this for other people will help them get up to speed with using Inlets faster.

Possible Solution

If I got everything right (which I assume, because I was able to complete the tutorial), you can start inlets-operator with the following parameters if you want to use the EC2 provider:

./inlets-operator \
 --kubeconfig /Users/lstigter/.kube/config \
 --provider ec2 \
 --region us-west-2 \
 --zone us-west-2a \
 --access-key $AWS_ACCESS_KEY_ID \
 --secret-key $AWS_SECRET_KEY \
 --license $LICENSE

For my trial, I used an account that had all privileges but considering the implications of that I want to have the least-privileged capabilities it needs to create the AWS resources. Would that be something like

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region::image/ami-9e1670f7",
        "arn:aws:ec2:region::image/ami-45cf5c3c",
        "arn:aws:ec2:region:account:instance/*",
        "arn:aws:ec2:region:account:volume/*",
        "arn:aws:ec2:region:account:key-pair/*",
        "arn:aws:ec2:region:account:security-group/*",
        "arn:aws:ec2:region:account:subnet/*",
        "arn:aws:ec2:region:account:network-interface/*"
      ]
    }
   ]
}

Waterdrips commented 4 years ago

Looks like the Helm chart doesn't support --secret-key-file, which is required for ec2 and Scaleway.

I can add support for that to the chart. In terms of documentation, there doesn't appear to be any for EC2 provider in this repo, I'll draw some up when amending the chart.

Thanks for the feedback @retgits. In terms of least-privilege, I would have to have a play about; the tricky thing would be the AMIs as they differ by region.
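The policy template and the per-region AMI concern discussed above, as an added example that is not part of the thread or of the inlets-operator project: it renders the `ec2:RunInstances` statement for one region and flags ARNs that still carry the `region`/`account` placeholders or allow any AMI. The account ID and the AMI-to-region mapping are constructed, and the thread does not confirm that `ec2:RunInstances` is the full set of actions the operator needs.

```python
import re

# EC2 ARN shape: arn:aws:ec2:<region>:<account>:<type>/<id>.
# Public AMI ARNs leave the account field empty, as in the issue's policy.
ARN_RE = re.compile(
    r"^arn:aws:ec2:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):(?P<account>\d{12}|):"
    r"(?P<type>[a-z-]+)/(?P<id>\*|[A-Za-z0-9-]+)$")

# Account-scoped resource types listed in the issue's policy.
ACCOUNT_SCOPED = ["instance", "volume", "key-pair", "security-group",
                  "subnet", "network-interface"]

# Constructed mapping: the AMI IDs are the ones quoted in the issue, but the
# issue does not say which region they belong to.
AMIS_BY_REGION = {"us-west-2": ["ami-9e1670f7", "ami-45cf5c3c"]}


def build_policy(region, account, amis_by_region):
    """Render the issue's ec2:RunInstances statement for a single region."""
    amis = amis_by_region.get(region)
    if not amis:
        raise ValueError(f"no AMI listed for region {region!r}")
    resources = [f"arn:aws:ec2:{region}::image/{ami}" for ami in amis]
    resources += [f"arn:aws:ec2:{region}:{account}:{t}/*" for t in ACCOUNT_SCOPED]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:RunInstances",
                           "Resource": resources}]}


def lint_policy(policy, region):
    """Return findings for ARNs that are placeholders, unscoped or off-region."""
    findings = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        for arn in [resources] if isinstance(resources, str) else resources:
            m = ARN_RE.match(arn)
            if m is None:
                findings.append(f"placeholder or unscoped ARN: {arn}")
            elif m["region"] != region:
                findings.append(f"ARN outside {region}: {arn}")
            elif m["type"] == "image" and m["id"] == "*":
                findings.append(f"any AMI may be launched: {arn}")
    return findings


if __name__ == "__main__":
    # 123456789012 is a constructed account ID.
    policy = build_policy("us-west-2", "123456789012", AMIS_BY_REGION)
    print(lint_policy(policy, "us-west-2"))  # no findings for the rendered policy
```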

Waterdrips commented 4 years ago

/assign: me

retgits commented 4 years ago

If there is anything I can help out with, do let me know 😄

alexellis commented 4 years ago

@Waterdrips do you have an update on this? It seems fairly important to me, where would you rate it on urgency?

alexellis commented 4 years ago

@retgits a PR would be nice, if you can get to it sooner.

Waterdrips commented 4 years ago

@alexellis @retgits this must have slipped through the net - I'll do it now.