Working with KIAM Roles in Kubernetes.

  1. A working Kubernetes cluster
  2. cert-manager already installed
  3. An IAM role for the master nodes
  4. An IAM role for the worker nodes
  5. helm (v3.0.0)
Permission policy attached to the master nodes IAM role, so that kiam-server (which is scheduled on the masters) is able to call sts:AssumeRole:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}

"Resource": "*" lets the master nodes assume any role, in any account, whose trust policy names them. In production, restrict it to the kiam_server role ARN ("arn:aws:iam::XXXX:role/kiam_server") that the server is configured to assume below.
Trust policy on the kiam_server role, allowing the master nodes role to assume it. Note the double colon: an IAM role ARN has an empty region field (arn:aws:iam::ACCOUNT:role/NAME), and a single colon here makes the trust policy invalid:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXX:role/masters.cluster.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

kiam_server in turn needs its own permission policy granting sts:AssumeRole on the roles pods will request, and each of those roles must trust arn:aws:iam::XXXX:role/kiam_server in its trust policy; without that second hop the server cannot hand out credentials.
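The two policies above are two of the four documents that make up kiam's credential path (node role, then kiam_server, then the pod's role). The following Python is an added example, not code from the post or from the kiam project: it lints such a set of documents, checking that each hop is wired (a permission on one side, a matching trust on the other) and flagging sts:AssumeRole grants on Resource "*". The kiam_server permission policy, the pod role's trust policy, the account id XXXX and the role names TEST_ROLE_NAME and TEST_* are constructed or assumed, because the page shows only the first two documents.

```python
import fnmatch

ACCOUNT = "XXXX"  # account id, redacted as on the page
MASTER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/masters.cluster.com"
SERVER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/kiam_server"
POD_ROLE = f"arn:aws:iam::{ACCOUNT}:role/TEST_ROLE_NAME"  # assumed pod role name

# Hop 1, permission side: the master nodes role may call sts:AssumeRole (page version, Resource "*").
MASTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"}],
}
# The same grant scoped to the only role the nodes actually need to assume.
MASTER_POLICY_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": SERVER_ROLE}],
}
# Hop 1, trust side: kiam_server trusts the master nodes role (page version, ARN colon fixed).
SERVER_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": MASTER_ROLE}, "Action": "sts:AssumeRole"}],
}
# Hop 2, permission side (constructed): kiam_server may assume the pod roles, here a TEST_ prefix.
SERVER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": f"arn:aws:iam::{ACCOUNT}:role/TEST_*"}],
}
# Hop 2, trust side (constructed): the pod role trusts only kiam_server.
POD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": SERVER_ROLE}, "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(doc):
    return [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]


def _matches(pattern, value):
    # IAM wildcards are "*" and "?"; actions and ARNs are compared case-insensitively here.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _grants_assume(statement):
    return any(_matches(a, "sts:AssumeRole") for a in _as_list(statement.get("Action", [])))


def allows_assume(policy, target_arn):
    """True if some Allow statement grants sts:AssumeRole on target_arn.
    Only Allow statements are modelled; an explicit Deny would still win in real IAM."""
    return any(_grants_assume(s)
               and any(_matches(r, target_arn) for r in _as_list(s.get("Resource", [])))
               for s in _allow_statements(policy))


def trusts(trust_policy, principal_arn):
    """True if the trust policy lets principal_arn (exactly, or anyone via "*") assume the role."""
    for s in _allow_statements(trust_policy):
        principal = s.get("Principal", {})
        aws = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if _grants_assume(s) and (principal_arn in aws or "*" in aws):
            return True
    return False


def wildcard_assume(policy):
    """Allow statements granting sts:AssumeRole on Resource "*": the principal may then
    assume every role, in any account, whose trust policy names it."""
    return [s for s in _allow_statements(policy)
            if _grants_assume(s) and "*" in _as_list(s.get("Resource", []))]


def check_chain(master_policy, server_trust, server_policy, pod_trust,
                master_arn=MASTER_ROLE, server_arn=SERVER_ROLE, pod_arn=POD_ROLE):
    """Return findings for the node -> kiam_server -> pod role chain; [] means wired and scoped."""
    findings = []
    if not allows_assume(master_policy, server_arn):
        findings.append(f"node role cannot assume {server_arn}")
    if not trusts(server_trust, master_arn):
        findings.append(f"{server_arn} does not trust {master_arn}")
    if not allows_assume(server_policy, pod_arn):
        findings.append(f"{server_arn} cannot assume {pod_arn}")
    if not trusts(pod_trust, server_arn):
        findings.append(f"{pod_arn} does not trust {server_arn}")
    if wildcard_assume(master_policy):
        findings.append(f'node role may assume any role (Resource "*"); scope it to {server_arn}')
    if wildcard_assume(server_policy):
        findings.append(f'{server_arn} may assume any role (Resource "*"); scope it to the pod roles')
    return findings


if __name__ == "__main__":
    print(check_chain(MASTER_POLICY, SERVER_TRUST, SERVER_POLICY, POD_TRUST))
    print(check_chain(MASTER_POLICY_SCOPED, SERVER_TRUST, SERVER_POLICY, POD_TRUST))
```

Run against the page's documents the checker reports a single finding, the unscoped Resource "*" on the node role; with MASTER_POLICY_SCOPED it reports nothing. Feeding it the trust policy with the single-colon ARN shows why that typo matters: the principal no longer matches and the first hop is reported as untrusted.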
values.yaml for the stable/kiam chart. The server runs on the masters (the only nodes whose role may assume kiam_server) and the agent on the workers; both mount the host CA bundle so they can reach STS over TLS:

server:
  log:
    level: info
  assumeRoleArn: "arn:aws:iam::XXXX:role/kiam_server"
  gatewayTimeoutCreation: "1s"
  nodeSelector:
    kubernetes.io/role: "master"
  tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
  extraHostPathMounts:
    - name: ssl-certs
      mountPath: /etc/ssl/certs
      readOnly: true
      hostPath: /etc/ssl/certs

agent:
  log:
    level: info
  gatewayTimeoutCreation: "1s"
  host:
    iptables: true
  nodeSelector:
    kubernetes.io/role: "node"
  extraHostPathMounts:
    - name: ssl-certs
      mountPath: /etc/ssl/certs
      readOnly: true
      hostPath: /etc/ssl/certs

host.iptables: true makes the agent install the iptables rule that redirects pod traffic for 169.254.169.254 to itself. Without it pods reach the real EC2 metadata endpoint and receive the worker node's own credentials, which is exactly what kiam is meant to prevent.
Install the chart. helm v3 requires a release name (in v2 it was `--name`); the release is called kiam here, which is why the daemonsets below are named kiam-agent and kiam-server. The stable chart repository has since been deprecated, so the chart may need to be fetched from the kiam project's own Helm repository instead:

helm install kiam stable/kiam -f values.yaml -n kube-system

Check that the agent runs on every worker and the server on every master:

kubectl get daemonsets --all-namespaces -l app=kiam

NAMESPACE     NAME          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR               AGE
kube-system   kiam-agent    2         2         2       2            2           kubernetes.io/role=node     24d
kube-system   kiam-server   3         3         3       3            3           kubernetes.io/role=master   24d
namespace.default.yaml, declaring which roles pods in the namespace may request. kiam denies every role in a namespace that lacks this annotation:

apiVersion: v1
kind: Namespace
metadata:
  name: default
  annotations:
    iam.amazonaws.com/permitted: ".*"

The value is a regular expression matched against the requested role, so ".*" permits every role kiam_server is able to assume. In production, anchor it to the roles the namespace actually needs, for example "^TEST_ROLE_NAME$".
kubectl apply -f namespace.default.yaml
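To see what a given permitted annotation actually allows, here is an added Python model of kiam's namespace check (example code, not the project's own). kiam compiles the annotation as a regular expression and tests the role a pod requests against it; that test is an unanchored match, so a pattern without ^ and $ also matches as a substring of longer role names. The role list is constructed, and Python's re.search stands in for Go's regexp MatchString.

```python
import re

# Constructed: the roles kiam_server is able to assume in this account.
ASSUMABLE_ROLES = ["TEST_ROLE_NAME", "TEST_ROLE_NAME_readonly", "payments-prod", "cluster-admin"]


def role_permitted(permitted, role):
    """Mirror kiam's namespace policy: no annotation denies every role; otherwise the annotation
    is a regular expression and the requested role must match it. Go's regexp.MatchString is
    unanchored, so re.search (not re.fullmatch) is the faithful Python equivalent."""
    if permitted is None:
        return False
    return re.search(permitted, role) is not None


def permitted_roles(permitted, roles=ASSUMABLE_ROLES):
    """Roles from `roles` that a pod in a namespace annotated with `permitted` may request."""
    return [r for r in roles if role_permitted(permitted, r)]


def lint_permitted(permitted):
    """Reviewer findings for an iam.amazonaws.com/permitted value."""
    findings = []
    if permitted is None:
        return findings  # nothing permitted, nothing to flag
    if permitted == ".*":
        findings.append('".*" permits every role kiam_server can assume')
    if not (permitted.startswith("^") and permitted.endswith("$")):
        findings.append("pattern is unanchored and also matches as a substring of other role names")
    return findings


if __name__ == "__main__":
    for annotation in (".*", "TEST_ROLE_NAME", "^TEST_ROLE_NAME$", None):
        print(repr(annotation), permitted_roles(annotation), lint_permitted(annotation))
```

The middle case is the one that surprises people: "TEST_ROLE_NAME" looks specific but also permits TEST_ROLE_NAME_readonly, and a pattern such as "prod" would permit every role with that substring anywhere in its name. Only the anchored form pins the namespace to exactly one role.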
A test deployment. apps/v1beta2 was removed in Kubernetes 1.16, so apps/v1 is used here. Replace TEST_ROLE_NAME with the role the pod should assume (kiam_server must be allowed to assume it and the namespace must permit it) and NEW_NODE_NAME with a worker node; the nodeName pin and the kiam toleration only force the pod onto one particular worker and can be dropped if your nodes are not tainted:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: aws-iam-tester
  labels:
    app: aws-iam-tester
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: aws-iam-tester
  template:
    metadata:
      labels:
        app: aws-iam-tester
      annotations:
        iam.amazonaws.com/role: TEST_ROLE_NAME
    spec:
      nodeSelector:
        kubernetes.io/role: node
      nodeName: NEW_NODE_NAME
      tolerations:
        - key: kiam
          value: kiam
          effect: NoSchedule
      containers:
        - name: aws-iam-tester
          image: garland/aws-cli-docker:latest
          imagePullPolicy: Always
          command:
            - /bin/sleep
          args:
            - "3600"
          env:
            - name: AWS_DEFAULT_REGION
              value: us-east-1
Once the pod is running, open a shell in it and ask STS who it is:

kubectl exec -it POD_NAME -- /bin/sh
aws sts get-caller-identity   # inside the pod shell

{
  "UserId": "AROA4UWMH6F32FKRFWPR3:kiam-kiam",
  "Account": "XXXX",
  "Arn": "arn:aws:sts::XXXX:assumed-role/TEST_ROLE_NAME/kiam-kiam"
}

The Arn shows the annotated role assumed through kiam (session name kiam-kiam). If it shows the worker node's instance role instead, the pod reached the EC2 metadata endpoint directly, which means the agent's iptables redirect is not in place on that node.
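The verification step above is easy to misread when it fails: a pod that bypasses kiam still gets valid credentials, just the wrong ones. The following Python is an added example, not from the post, that classifies a get-caller-identity result against the role the pod asked for. Both JSON documents are constructed in the shape the AWS CLI prints; the node role name nodes.cluster.com is an assumption, since the page shows only the masters role.

```python
import json

# Constructed: what the page's test pod printed (account id redacted as on the page).
GOOD_OUTPUT = json.dumps({
    "UserId": "AROA4UWMH6F32FKRFWPR3:kiam-kiam",
    "Account": "XXXX",
    "Arn": "arn:aws:sts::XXXX:assumed-role/TEST_ROLE_NAME/kiam-kiam",
})
# Constructed: what a pod prints when it reached the real metadata endpoint instead of the
# kiam agent and therefore received the worker node's instance-profile credentials.
LEAKED_OUTPUT = json.dumps({
    "UserId": "AROAEXAMPLE:i-0123456789abcdef0",
    "Account": "XXXX",
    "Arn": "arn:aws:sts::XXXX:assumed-role/nodes.cluster.com/i-0123456789abcdef0",
})

# Assumed node role names; anything in this set coming back from a pod is a leak.
NODE_ROLES = {"nodes.cluster.com", "masters.cluster.com"}


def parse_assumed_role(arn):
    """Return (role_name, session_name) from an STS assumed-role ARN, or None for any other ARN.
    Format: arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        return None
    kind, _, rest = parts[5].partition("/")
    if kind != "assumed-role" or "/" not in rest:
        return None
    role, _, session = rest.partition("/")
    return role, session


def verify_identity(output, expected_role, node_roles=NODE_ROLES):
    """Classify a get-caller-identity result as 'ok', 'node-role-leak', 'wrong-role'
    or 'not-assumed-role' (e.g. static IAM user keys baked into the image)."""
    identity = json.loads(output)
    parsed = parse_assumed_role(identity["Arn"])
    if parsed is None:
        return "not-assumed-role"
    role, _session = parsed
    if role in node_roles:
        return "node-role-leak"
    if role != expected_role:
        return "wrong-role"
    return "ok"


if __name__ == "__main__":
    print(verify_identity(GOOD_OUTPUT, "TEST_ROLE_NAME"))
    print(verify_identity(LEAKED_OUTPUT, "TEST_ROLE_NAME"))
```

A "node-role-leak" verdict points at the agent on that worker (the daemonset not scheduled there, or host.iptables disabled), while "wrong-role" points at the pod annotation or at a namespace permitted pattern that let a different role through.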

Sreedhar Bukya

Software Engineer, Build Everything required.