search

keikoproj / iam-manager

AWS IAM role management for K8s cluster using kube builder "Operator" framework
Apache License 2.0
42 stars 22 forks source link
aws crd-controller iam iam-manager iam-roles irsa kubebuilder kubernetes security

readme

iam-manager

Maintenance PR slack

version Build Status codecov Go Report Card

AWS IAM role management for K8s namespaces inside cluster using k8s CRD Operator.

Security:

Security will be a main concern when we design a solution to create/update/delete IAM roles inside a cluster independently. iam-manager uses AWS IAM Permission Boundary concept along with other solutions to secure the implementation. Please check AWS Security for more details.

Supported Features

Following features are supported by IAM Manager

IAM Roles Management
IAM Role for Service Accounts (IRSA)
AWS Service-Linked Roles
Default Trust Policy for All Roles
Maximum Number of Roles per Namespace
Attaching Managed IAM Policies for All Roles
Multiple Trust policies

iam-manager config-map

This document provide explanation on configmap variables.

Additional Info

iam-manager is built using kubebuilder project and like any other kubebuilder project iam-manager also uses cert-manager to manage the SSL certs for webhooks.

Usage:

Following is the sample Iamrole spec. 

apiVersion: iammanager.keikoproj.io/v1alpha1
kind: Iamrole
metadata:
  name: iam-manager-iamrole
spec:
  # Add fields here
  PolicyDocument:
    Statement:
      -
        Effect: "Allow"
        Action:
          - "s3:Get*"
        Resource:
          - "arn:aws:s3:::intu-oim*"
        Sid: "AllowS3Access"
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      -
        Effect: "Allow"
        Action: "sts:AssumeRole"
        Principal:
          AWS:
            - "arn:aws:iam::XXXXXXXXXXX:role/20190504-k8s-kiam-role"

To submit, kubectl apply -f iam_role.yaml --ns namespace1

Installation:

Simplest way to install iam-manager along with the role required for it to do the job is to run install.sh command.

Update the allowed policies in allowed_policies.txt and config map properties config_map as per your environment before you run install.sh.

Note: You must be cluster admin and have exported KUBECONFIG and also has Administrator access to underlying AWS account and have the credentials exported.

example:

export KUBECONFIG=/Users/myhome/.kube/admin@eks-dev2-k8s  
export AWS_PROFILE=admin_123456789012_account
./install.sh [cluster_name] [aws_region] [aws_profile]
./install.sh eks-dev2-k8s us-west-2 aws_profile

To enable web hook or/and also update your installation of iam-manager to work with kiam please check Installation for detailed instructions.

❤ Contributing ❤

Please see CONTRIBUTING.md.

Developer Guide

Please see DEVELOPER.md.