Closed Insidexa closed 7 months ago
Is anyone interested in merging this? Amazon will probably stop supporting the metadata API v1 sooner than we think...
@Insidexa will you solve conflicts?
@SCLogo yes, ~1w estimated time
Guys, I don't know, do we need to update the IAM tests with regions? Because the regions are loaded from the AWS API.
Thanks @Insidexa, I fixed the unit tests for regions. The PR is now merged, gonna let it soak on master for a bit before releasing as 'latest'. I created a dev release as jtblin/kube2iam-amd64:dev, could people try it and verify everything works fine pls?
Hi @jtblin,
I wanted to test it, but it seems this dev image is arm64 only, just like the 0.11.2 release.
@atze234 that should be fixed with jtblin/kube2iam:dev now, which supports arm64 and amd64.
Hi @jtblin, sorry for the delay. I've tested with 0.11.2 and :dev. Both versions are working with imdsv2 for me. Thank you
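The migration this thread is about: IMDSv1 answers a plain GET, while IMDSv2 only answers reads that carry a session token obtained with a PUT to /latest/api/token, so a proxy that still speaks v1 upstream breaks once the instance enforces v2. The following Go example is added here and is not kube2iam's code: it runs a constructed v2-only metadata service in-process, performs the token handshake as a client, and then shows what a token-less (v1-style) read receives. The header and path names are the real IMDSv2 ones; the service, the role name and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync"
	"time"
)

// Header and path names below are the real IMDSv2 ones.
const (
	tokenHeader    = "X-aws-ec2-metadata-token"
	tokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
	tokenPath      = "/latest/api/token"
	credsPath      = "/latest/meta-data/iam/security-credentials/"
	maxTokenTTL    = 21600 // six hours, the IMDSv2 upper bound
)

// fakeIMDS is a constructed stand-in for a v2-only metadata service, not AWS
// code: it models only the handshake an IMDSv2-aware proxy must speak.
type fakeIMDS struct {
	tokens sync.Map // session token -> expiry (time.Time)
	role   string   // role name listed under security-credentials/
}

func (f *fakeIMDS) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Method == http.MethodPut && r.URL.Path == tokenPath:
		// Step 1: a PUT carrying a TTL header yields a session token.
		ttl, err := strconv.Atoi(r.Header.Get(tokenTTLHeader))
		if err != nil || ttl < 1 || ttl > maxTokenTTL {
			http.Error(w, "invalid token TTL", http.StatusBadRequest)
			return
		}
		raw := make([]byte, 16)
		if _, err := rand.Read(raw); err != nil {
			panic(err) // crypto/rand failing is not recoverable here
		}
		tok := hex.EncodeToString(raw)
		f.tokens.Store(tok, time.Now().Add(time.Duration(ttl)*time.Second))
		io.WriteString(w, tok)
	case r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, credsPath):
		// Step 2: reads must carry an unexpired token; a v1-style read is refused.
		v, ok := f.tokens.Load(r.Header.Get(tokenHeader))
		if !ok || time.Now().After(v.(time.Time)) {
			http.Error(w, "token required", http.StatusUnauthorized)
			return
		}
		io.WriteString(w, f.role)
	default:
		http.NotFound(w, r)
	}
}

// do issues one request with at most one extra header and returns status and body.
func do(c *http.Client, method, url, hkey, hval string) (int, string, error) {
	req, _ := http.NewRequest(method, url, nil) // URL is built from constants
	if hkey != "" {
		req.Header.Set(hkey, hval)
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body)), err
}

// fetchRoleName is the client side of the exchange: get a token, then read with it.
func fetchRoleName(base string, c *http.Client) (string, error) {
	status, tok, err := do(c, http.MethodPut, base+tokenPath, tokenTTLHeader, strconv.Itoa(maxTokenTTL))
	if err != nil || status != http.StatusOK {
		return "", fmt.Errorf("token request failed: HTTP %d, %v", status, err)
	}
	status, body, err := do(c, http.MethodGet, base+credsPath, tokenHeader, tok)
	if err != nil || status != http.StatusOK {
		return "", fmt.Errorf("metadata read failed: HTTP %d, %v", status, err)
	}
	return body, nil
}

// runExchange starts the fake service and returns the role name obtained via the
// v2 handshake together with the status a token-less (v1-style) read receives.
func runExchange(role string) (string, int, error) {
	srv := httptest.NewServer(&fakeIMDS{role: role})
	defer srv.Close()
	name, err := fetchRoleName(srv.URL, srv.Client())
	if err != nil {
		return "", 0, err
	}
	v1Status, _, err := do(srv.Client(), http.MethodGet, srv.URL+credsPath, "", "")
	return name, v1Status, err
}

func main() {
	fmt.Println(runExchange("kube2iamdemo"))
}
```

Running it prints the role name returned to the v2 client and HTTP 401 for the token-less read; that second result is the failure mode a v1-only proxy sees when the node's metadata service is switched to require IMDSv2.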
Hi @atze234, currently I'm trying to install kube2iam 0.11.2 or latest in my EKS cluster, but I get several errors. Could you tell me if my deployment is okay? I use it as a daemonset.
Daemonset:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube2iam
  namespace: kube-system
---
apiVersion: v1
items:
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: kube2iam
    rules:
      - apiGroups: [""]
        resources: ["namespaces","pods"]
        verbs: ["get","watch","list"]
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: kube2iam
    subjects:
      - kind: ServiceAccount
        name: kube2iam
        namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: kube2iam
      apiGroup: rbac.authorization.k8s.io
kind: List
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube2iam
  namespace: kube-system
  labels:
    app: kube2iam
spec:
  selector:
    matchLabels:
      name: kube2iam
  template:
    metadata:
      labels:
        name: kube2iam
    spec:
      serviceAccountName: kube2iam
      hostNetwork: true
      containers:
        - image: jtblin/kube2iam:0.11.2
          imagePullPolicy: Always
          name: kube2iam
          args:
            - "--app-port=8181"
            - "--base-role-arn=arn:aws:iam::XXXXXXXX:role/kube2iamdemo"
            - "--iptables=true"
            - "--host-ip=$(HOST_IP)"
            - "--host-interface=eni+"
            - "--verbose"
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          ports:
            - containerPort: 8181
              hostPort: 8181
              name: http
          securityContext:
            privileged: true
```
and this is my role kube2iamdemo in AWS:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-node-role" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Any help or suggestion?
Hi @jsebastianmal, and what errors did you get there?
Hi @atze234, these are the errors in my kube2iam:

```
kubectl logs kube2iam-kdmlw | grep Error
time="2024-01-03T16:07:32Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.remote=10.160.7.103
time="2024-01-03T16:08:04Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.remote=10.160.7.13
time="2024-01-03T16:08:39Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.remote=10.160.7.103
time="2024-01-03T16:09:10Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.remote=10.160.7.13
time="2024-01-03T16:10:00Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.remote=10.160.7.103
time="2024-01-03T16:10:39Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.remote=10.160.7.13
```
This is an example of my IAM role alfa-dev-eks-alfa-digital-dev-integrations (trust policy; the stray closing brace from the paste has been removed so the JSON parses):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXXXXXXXX:role/alfa-dev-eks-node-role",
          "arn:aws:iam::XXXXXXXXX:role/alfa-dev-eks-external-secrets-role"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
My app already sets the AWS region in src/main/resources/application.yml:

```yaml
aws:
  region: us-east-2
  sqs:
```
and these are my app logs:

```
11:16:10.670 [main] ERROR c.a.s.j.AmazonSQSMessagingClientWrapper -
AmazonClientException: getQueueUrl.
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@43d65a81: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@5aa781f2: Internal Server Error (Service: null; Status Code: 500; Error Code: null; Request ID: null; Proxy: null)]
```
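The kube2iam lines above are logfmt (space-separated key=value pairs, quoted values may contain spaces), and the two log sources tell different stories: the msg comes from kube2iam's own DescribeRegions call, so it is the proxy process rather than the pod's application that has no region here, which is why the app's application.yml setting does not change it, and the app only sees the resulting HTTP 500 from the credentials endpoint. The Go example below is added here and is not kube2iam's code: a small logfmt parser and a summary that counts level=error lines per pod.iam.role and lists the distinct failure messages, so a flood of repeated lines reduces to which roles fail and why. The sample input is constructed from the lines posted above (account id kept as the thread's XXXXXXXX placeholder) plus one made-up non-error line; the function names are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample input: three lines modelled on the kube2iam output posted
// above (account id left as the thread's XXXXXXXX placeholder) and one made-up
// non-error line so the filter has something to skip.
var constructedLogs = []string{
	`time="2024-01-03T16:07:32Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.remote=10.160.7.103`,
	`time="2024-01-03T16:08:04Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-integrations" req.remote=10.160.7.13`,
	`time="2024-01-03T16:08:39Z" level=error msg="Error assuming role operation error EC2: DescribeRegions, failed to resolve service endpoint, an AWS region is required, but was not found" ns.name=alfa-digital-dev pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.method=GET req.path="/latest/meta-data/iam/security-credentials/arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers" req.remote=10.160.7.103`,
	`time="2024-01-03T16:09:00Z" level=info msg="constructed non-error line" pod.iam.role="arn:aws:iam::XXXXXXXX:role/alfa-dev-eks-alfa-digital-dev-customers"`,
}

// parseLogfmt splits a logfmt line into key/value pairs, honouring
// double-quoted values (which may contain spaces and \" escapes) and bare keys.
func parseLogfmt(line string) map[string]string {
	out := map[string]string{}
	i := 0
	for i < len(line) {
		for i < len(line) && line[i] == ' ' {
			i++
		}
		if i >= len(line) {
			break
		}
		start := i
		for i < len(line) && line[i] != '=' && line[i] != ' ' {
			i++
		}
		key := line[start:i]
		if i >= len(line) || line[i] != '=' {
			out[key] = "" // bare key with no value
			continue
		}
		i++ // skip '='
		if i < len(line) && line[i] == '"' {
			i++
			var sb strings.Builder
			for i < len(line) && line[i] != '"' {
				if line[i] == '\\' && i+1 < len(line) {
					i++ // take the escaped character literally
				}
				sb.WriteByte(line[i])
				i++
			}
			i++ // closing quote
			out[key] = sb.String()
		} else {
			start = i
			for i < len(line) && line[i] != ' ' {
				i++
			}
			out[key] = line[start:i]
		}
	}
	return out
}

// assumeRoleFailures counts level=error lines per pod.iam.role and returns the
// distinct error messages, sorted: which roles fail, and for what reason.
func assumeRoleFailures(lines []string) (map[string]int, []string) {
	counts := map[string]int{}
	seen := map[string]bool{}
	for _, l := range lines {
		f := parseLogfmt(l)
		if f["level"] != "error" {
			continue
		}
		counts[f["pod.iam.role"]]++
		seen[f["msg"]] = true
	}
	msgs := make([]string, 0, len(seen))
	for m := range seen {
		msgs = append(msgs, m)
	}
	sort.Strings(msgs)
	return counts, msgs
}

func main() {
	counts, msgs := assumeRoleFailures(constructedLogs)
	for role, n := range counts {
		fmt.Printf("%d failures for %s\n", n, role)
	}
	for _, m := range msgs {
		fmt.Println("reason:", m)
	}
}
```

On the constructed input this yields two failures for the customers role, one for the integrations role, and a single distinct reason, the missing region; the same summary run over a real `kubectl logs` dump tells you immediately whether every role fails for one shared cause (a proxy-side configuration problem) or only some roles fail (more likely a per-role trust policy problem, which is what the reporter eventually found).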
Hi @atze234, I found a bad config in my IAM role. When I adjusted it with the correct policy in our IAM node group, kube2iam with IMDSv2 and my apps work fine.
Thanks for your support. ;)