Merge pull request #782 from SecOpsLimited/aws-iam-authenticator-init

Adds aws-iam-authenticator initialisation and instructions

Author: jetstack-bot

docs/examples/aws-iam-authenticator.rst

@@ -0,0 +1,136 @@
+AWS IAM Authenticator
+---------------------
+
+`AWS IAM Authenticator <https://github.com/kubernetes-sigs/aws-iam-authenticator>`_ is a daemon that lets you authenticate to the 
+Kubernetes RBAC system via Amazon Web Services - Identity and Access Management users and roles
+
+You can initialise the cluster to use this with the following configuration snippet in tarmak.yaml:
+
+.. code-block:: yaml
+
+    ...
+    kubernetes:
+      apiServer:
+        amazon:
+          awsIAMAuthenticatorInit: true
+    ...
+
+You can configure the IAM authenticator server with the following config map and daemonset, 
+replacing ``000000000000`` with your AWS account ID and ``your-tarmak-cluster`` with your cluster name, 
+including the ``-cluster`` suffix in a single cluster environment:
+
+.. code-block:: yaml
+
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      namespace: kube-system
+      name: aws-iam-authenticator
+      labels:
+        k8s-app: aws-iam-authenticator
+    data:
+      config.yaml: |
+        # a unique-per-cluster identifier to prevent replay attacks
+        # (good choices are a random token or a domain name that will be unique to your cluster)
+        clusterID: your-tarmak-cluster
+        server:
+          mapRoles:
+          # statically map arn:aws:iam::<your account id>:role/KubernetesAdmin to a cluster admin
+          - roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
+            username: kubernetes-admin
+            groups:
+            - system:masters
+    ---
+    apiVersion: extensions/v1beta1
+    kind: DaemonSet
+    metadata:
+      namespace: kube-system
+      name: aws-iam-authenticator
+      labels:
+        k8s-app: aws-iam-authenticator
+    spec:
+      updateStrategy:
+        type: RollingUpdate
+      template:
+        metadata:
+          annotations:
+            scheduler.alpha.kubernetes.io/critical-pod: ""
+          labels:
+            k8s-app: aws-iam-authenticator
+        spec:
+          # run on the host network (don't depend on CNI)
+          hostNetwork: true
+          # run on each master node
+          nodeSelector:
+            node-role.kubernetes.io/master: ""
+          tolerations:
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/master
+          - key: CriticalAddonsOnly
+            operator: Exists
+          containers:
+          - name: aws-iam-authenticator
+            image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.4.0-scratch
+            args:
+            - server
+            - --config=/etc/aws-iam-authenticator/config.yaml
+            - --state-dir=/var/aws-iam-authenticator
+            - --generate-kubeconfig=/etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml
+            - --kubeconfig-pregenerated=true
+            resources:
+              requests:
+                memory: 20Mi
+                cpu: 10m
+              limits:
+                memory: 20Mi
+                cpu: 100m
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: config
+          mountPath: /etc/aws-iam-authenticator/
+        - name: state
+          mountPath: /var/aws-iam-authenticator/
+      securityContext:
+        fsGroup: 0
+        runAsUser: 0
+      volumes:
+      - name: config
+        configMap:
+          name: aws-iam-authenticator
+      - name: state
+        hostPath:
+          path: /var/aws-iam-authenticator/
+
+You can then authenticate to the cluster with e.g. the following, as long as aws-iam-authenticator is 
+downloaded and on your path:
+
+.. code-block:: yaml
+
+    apiVersion: v1
+    clusters:
+    - cluster:
+        certificate-authority-data: <snip - get these from ~/.tarmak/your-cluster/kubeconfig>
+        server: https://api.your-cluster.somedomain.io ##see above
+      name: your-cluster
+    contexts:
+    - context:
+        cluster: your-cluster
+        namespace: default
+        user: your-cluster
+      name: your-cluster
+    users:
+    - name: your-cluster
+      user:
+        exec:
+          apiVersion: client.authentication.k8s.io/v1alpha1
+          args:
+          - token
+          - -i
+          - your-cluster ##change me
+          - -r
+          - arn:aws:iam::000000000000:role/KubernetesAdmin  ##change me
+          command: aws-iam-authenticator-aws
+          env:
+          - name: AWS_PROFILE
+            value: your_profile ##change or remove me

docs/generated/reference/output/api-docs.html

@@ -919,7 +919,11 @@ <h2 id="clusterkubernetesapiserver-v1alpha1">ClusterKubernetesAPIServer v1alpha1
 </tr>
 <tr>
 <td><code>amazon</code><br /> <em><a href="#clusterkubernetesapiserveramazon-v1alpha1">ClusterKubernetesAPIServerAmazon</a></em></td>
-<td>AWS specifc options</td>
+<td>AWS specific options</td>
+</tr>
+<tr>
+<td><code>authTokenWebhookFile</code><br /> <em>string</em></td>
+<td></td>
 </tr>
 <tr>
 <td><code>disableAdmissionControllers</code><br /> <em>string array</em></td>
@@ -976,6 +980,10 @@ <h2 id="clusterkubernetesapiserveramazon-v1alpha1">ClusterKubernetesAPIServerAma
 </thead>
 <tbody>
 <tr>
+<td><code>awsIAMAuthenticatorInit</code><br /> <em>boolean</em></td>
+<td></td>
+</tr>
+<tr>
 <td><code>internalELBAccessLogs</code><br /> <em><a href="#clusterkubernetesapiserveramazonaccesslogs-v1alpha1">ClusterKubernetesAPIServerAmazonAccessLogs</a></em></td>
 <td></td>
 </tr>

docs/spelling_wordlist.txt

@@ -6,13 +6,18 @@ amoungst
 ansible
 api
 apiserver
+Appscode
 attestor
 auth
+authenticator
+Authenticator
+authorisation
 authorization
 authz
 autoscale
 autoscaler
 autoscaling
+aws
 backend
 backends
 calico
@@ -24,13 +29,18 @@ Config
 configmap
 cryptographic
 ctrl
+customise
+customised
+customisation
+daemonset
 doesn
 EBS
 ec
 ecdsa
 Elasticsearch
 env
 etcd
+favour
 fluentbit
 Gi
 gid
@@ -45,6 +55,9 @@ heptio
 hostname
 iam
 init
+initialise
+Initialise
+initialised
 initialize
 initializers
 io
@@ -57,6 +70,8 @@ kubeconfig
 kubectl
 kubelet
 kubernetes
+licence
+license
 lifecycle
 localhost
 login
@@ -66,6 +81,7 @@ macOS
 masterless
 millicores
 minio
+modelling
 multi
 nameservers
 namespace
@@ -75,6 +91,9 @@ nistp
 offline
 oneshot
 ons
+optimise
+optimised
+optimisation
 overprovisioning
 pki
 plugable
@@ -85,18 +104,25 @@ postgresql
 preempted
 prepended
 prometheus
+realise
+realised
+recognise
+recognised
 refactoring
 ReplicaSet
 rolename
 runtime
 setup
 sha
 stateful
+standardised
 stdin
 subcommand
 subdomain
 subtree
 subtrees
+summarises
+synchronised
 systemd
 tarmak
 templating
@@ -105,11 +131,14 @@ testability
 Todo
 toolkit
 ttl
+tunnelling
 typha
 ubuntu
 uid
 unsealer
 username
 velero
+webhook
+Webhook
 wrt
 yaml

docs/user-guide.rst

@@ -458,6 +458,24 @@ The following `tarmak.yaml` snippet shows how to enable encrypted EBS.
         ebsEncrypted: true
     ...
 
+IAM Authentication
+~~~~~~~~~~~~~~~~~~
+
+Tarmak supports authentication using aws-iam-authenticator. You can enable this using the following
+snippet, although this doesn't deploy the authenticator to the cluster - this will need configuring
+for your environment using the instructions on `github <https://github.com/kubernetes-sigs/aws-iam-authenticator>`_.
+Effectively, the snippet below performs steps 2 and 3 of these instructions for you.
+
+.. code-block:: yaml
+
+    kubernetes:
+      apiServer:
+        amazon:
+          awsIAMAuthenticatorInit: true
+    ...
+
+See the examples section for yaml files to configure the authenticator daemon set, config map and kubeconfig.
+
 OIDC Authentication
 ~~~~~~~~~~~~~~~~~~~
 
@@ -640,6 +658,21 @@ This can be used together with `Secure public endpoints <user-guide.html#secure-
     apiServer:
       public: true
 
+Authenticator Token Webhook file
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You can configure an authentication token webhook for the apiserver - this is the path to the file
+containing said configuration. There is a *default* value for this if using the aws-iam-authenticator, 
+but if you are customising this component, or using an alternative webhook authentication system (e.g.
+Appscode Guard) you can set / override it here as appropriate. The file must exist for the apiserver
+to start up.
+
+.. code-block:: yaml
+
+  kubernetes:
+    apiServer:
+      authTokenWebhookFile: /etc/kubernetes/shiny-new-authenticator/kubeconfig.yaml
+
 Secure public endpoints
 ~~~~~~~~~~~~~~~~~~~~~~~
 

docs/vault-setup-config.rst

@@ -45,7 +45,7 @@ Init Tokens
 Tokens are used as the main authentication method in Vault and provide a
 mapping to one or more policies. On first boot, each instance generates their
 own unique token via a given token - the init token. These init-tokens are role
-dependant meaning the same init-token is shared with instances only with the
+dependent meaning the same init-token is shared with instances only with the
 same role. Once generated, the init token is erased by all instances in favour
 of their own new unique token making the init token no longer accessible on any
 instance. Unlike the init-tokens, generated tokens are short lived and so need
@@ -64,7 +64,7 @@ requirements of the policy - if successful, returns a signed certificate.
 Instances can only obtain certificates from CSRs because of the permissions
 that its unique token provides. Upon receiving, the instance will store the
 signed certificate locally to be shared with its relevant services and start or
-restart all services which are dependant.
+restart all services which are dependent.
 
 Expiration of Tokens and Certificates
 -------------------------------------

pkg/apis/cluster/v1alpha1/cluster.go

@@ -152,9 +152,11 @@ type ClusterKubernetesAPIServer struct {
 	// OIDC
 	OIDC *ClusterKubernetesAPIServerOIDC `json:"oidc,omitempty"`
 
-	// AWS specifc options
+	// AWS specific options
 	Amazon *ClusterKubernetesAPIServerAmazon `json:"amazon,omitempty"`
 
+	AuthTokenWebhookFile string `json:"authTokenWebhookFile,omitempty"`
+
 	FeatureGates map[string]bool `json:"featureGates,omitempty"`
 }
 
@@ -194,8 +196,9 @@ type ClusterKubernetesAPIServerOIDC struct {
 }
 
 type ClusterKubernetesAPIServerAmazon struct {
-	PublicELBAccessLogs   *ClusterKubernetesAPIServerAmazonAccessLogs `json:"publicELBAccessLogs,omitempty"`
-	InternalELBAccessLogs *ClusterKubernetesAPIServerAmazonAccessLogs `json:"internalELBAccessLogs,omitempty"`
+	PublicELBAccessLogs     *ClusterKubernetesAPIServerAmazonAccessLogs `json:"publicELBAccessLogs,omitempty"`
+	InternalELBAccessLogs   *ClusterKubernetesAPIServerAmazonAccessLogs `json:"internalELBAccessLogs,omitempty"`
+	AwsIAMAuthenticatorInit bool                                        `json:"awsIAMAuthenticatorInit,omitempty"`
 }
 
 type ClusterKubernetesAPIServerAmazonAccessLogs struct {

pkg/puppet/puppet.go

@@ -165,6 +165,14 @@ func kubernetesClusterConfig(conf *clusterv1alpha1.ClusterKubernetes, hieraData
 		}
 	}
 
+	if conf.APIServer != nil && conf.APIServer.AuthTokenWebhookFile != "" {
+		hieraData.variables = append(hieraData.variables, fmt.Sprintf(`kubernetes::apiserver::auth_token_webhook_file: "%s"`, conf.APIServer.AuthTokenWebhookFile))
+	}
+
+	if conf.APIServer != nil && conf.APIServer.Amazon != nil && conf.APIServer.Amazon.AwsIAMAuthenticatorInit {
+		hieraData.variables = append(hieraData.variables, "kubernetes::apiserver::aws_iam_authenticator_init: true")
+	}
+
 	if conf.PodSecurityPolicy != nil {
 		if conf.PodSecurityPolicy.Enabled {
 			hieraData.variables = append(hieraData.variables, fmt.Sprintf(`tarmak::kubernetes_pod_security_policy: true`))