create-irsa-role-for-ebs-driver (#212)
* create-irsa-role-for-ebs-driver

* create-irsa-role-for-ebs-driver

* fix-tests

* fix-tests2

* fix3
calvix authored Nov 2, 2023
1 parent 4a57d84 commit ab813fd
Showing 6 changed files with 307 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added

- Add tags from `AWSCluster.Spec.AdditionalTags` and `AWSManagedControlPlane.Spec.AdditionalTags` to all created resources.
- Add IRSA role for EBS CSI driver.

## [0.11.0] - 2023-11-01

1 change: 1 addition & 0 deletions controllers/awsmachinetemplate_controller_test.go
Expand Up @@ -331,6 +331,7 @@ var _ = Describe("AWSMachineTemplateReconciler", func() {
externalDnsRoleInfo,
certManagerRoleInfo,
ALBControllerRoleInfo,
ebsCsiDriverRoleInfo,
}

expectedIAMTags := []*iam.Tag{
160 changes: 160 additions & 0 deletions controllers/common_test.go
Expand Up @@ -374,3 +374,163 @@ var ALBControllerRoleInfo = RoleInfo{

ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-ALBController-Role",
}

var ebsCsiDriverRoleInfo = RoleInfo{
ExpectedName: "test-cluster-ebs-csi-driver-role",

ExpectedAssumeRolePolicyDocument: `{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::012345678901:oidc-provider/irsa.test.gaws.gigantic.io"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"irsa.test.gaws.gigantic.io:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
}
}
}
]
}
`,

ExpectedPolicyName: "control-plane-test-cluster-policy",
ExpectedPolicyDocument: `{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateSnapshot",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": [
"CreateVolume",
"CreateSnapshot"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/ebs.csi.aws.com/cluster": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/CSIVolumeName": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeName": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeSnapshotName": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
}
}
}
]
}`,

ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-ebs-csi-driver",
}
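Review bot: ReturnRoleArn on the last line of the fixture ends in `role/test-cluster-ebs-csi-driver` while ExpectedName two hundred lines up is `test-cluster-ebs-csi-driver-role`; the neighbouring fixture (ALBController-Role) keeps the ARN suffix and the expected name in step, so this looks like a typo in the mocked ARN rather than intent. Suggest `ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-ebs-csi-driver-role",`. Whether a test currently notices depends on whether the reconciler ever compares the returned ARN against the role name, which is not visible in this hunk. Also, ExpectedAssumeRolePolicyDocument ends with a trailing newline before the closing backtick while ExpectedPolicyDocument does not; if the assertion is a plain string compare, that trailing newline is part of the contract and worth a short comment.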
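--- /dev/null
+++ b/pkg/iam/ebs_csi_driver_template.go
@@ -0,0 +1,135 @@
+package iam
+
+const EBSCSIDriverPolicyTemplate = `{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateSnapshot",
+"ec2:AttachVolume",
+"ec2:DetachVolume",
+"ec2:ModifyVolume",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeInstances",
+"ec2:DescribeSnapshots",
+"ec2:DescribeTags",
+"ec2:DescribeVolumes",
+"ec2:DescribeVolumesModifications"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags"
+],
+"Resource": [
+"arn:aws:ec2:*:*:volume/*",
+"arn:aws:ec2:*:*:snapshot/*"
+],
+"Condition": {
+"StringEquals": {
+"ec2:CreateAction": [
+"CreateVolume",
+"CreateSnapshot"
+]
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DeleteTags"
+],
+"Resource": [
+"arn:aws:ec2:*:*:volume/*",
+"arn:aws:ec2:*:*:snapshot/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateVolume"
+],
+"Resource": "*",
+"Condition": {
+"StringLike": {
+"aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateVolume"
+],
+"Resource": "*",
+"Condition": {
+"StringLike": {
+"aws:RequestTag/CSIVolumeName": "*"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DeleteVolume"
+],
+"Resource": "*",
+"Condition": {
+"StringLike": {
+"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DeleteVolume"
+],
+"Resource": "*",
+"Condition": {
+"StringLike": {
+"ec2:ResourceTag/CSIVolumeName": "*"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DeleteVolume"
+],
+"Resource": "*",
+"Condition": {
+"StringLike": {
+"ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DeleteSnapshot"
+],
+"Resource": "*",
+"Condition": {
+"StringLike": {
+"ec2:ResourceTag/CSIVolumeSnapshotName": "*"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DeleteSnapshot"
+],
+"Resource": "*",
+"Condition": {
+"StringLike": {
+"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+}
+}
+}
+]
+}`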
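Review bot: The first statement of EBSCSIDriverPolicyTemplate grants ec2:AttachVolume, ec2:DetachVolume, ec2:ModifyVolume and ec2:CreateSnapshot on `"Resource": "*"` with no condition, so the CSI controller's role can attach, detach, resize or snapshot any volume in the account, not only the volumes carrying the `ebs.csi.aws.com/cluster` tag that the DeleteVolume and DeleteSnapshot statements further down key on. If this is a deliberate mirror of a reference policy, a comment naming that source would save the next reviewer the comparison; if not, a `ec2:ResourceTag/ebs.csi.aws.com/cluster` condition on the volume-scoped actions would bring it in line with the delete statements (AttachVolume and DetachVolume also need the instance resource, so that statement would have to be split). The exported constant also has no doc comment; suggest `// EBSCSIDriverPolicyTemplate is the inline IAM policy attached to the IRSA role assumed by the EBS CSI controller.` The whole file is within this hunk.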
7 changes: 5 additions & 2 deletions pkg/iam/iam.go
Expand Up @@ -24,6 +24,7 @@ const (
IRSARole = "irsa-role"
CertManagerRole = "cert-manager-role"
ALBConrollerRole = "ALBController-Role"
EBSCSIDriverRole = "ebs-csi-driver-role"

IAMControllerOwnedTag = "capi-iam-controller/owned"
ClusterIDTag = "sigs.k8s.io/cluster-api-provider-aws/cluster/%s"
Expand Down Expand Up @@ -156,7 +157,7 @@ func (s *IAMService) ReconcileKiamRole() error {
func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string) error {
s.log.Info("reconciling IAM roles for IRSA")

for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole} {
for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole} {
var params Route53RoleParams
params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain)
if err != nil {
Expand Down Expand Up @@ -667,7 +668,9 @@ func getServiceAccount(role string) (string, error) {
return "external-dns", nil
} else if role == ALBConrollerRole {
return "aws-load-balancer-controller", nil
} else if role == EBSCSIDriverRole {
return "ebs-csi-controller-sa", nil
}

return "", fmt.Errorf("Cannot get service account for specified role - %s", role)
return "", fmt.Errorf("cannot get service account for specified role - %s", role)
}
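Review bot: The new `else if role == EBSCSIDriverRole` arm in getServiceAccount extends an if/else-if chain of string equality checks that now has four arms ending in return; a `switch role { case EBSCSIDriverRole: return "ebs-csi-controller-sa", nil ... }` reads better and is what staticcheck steers towards (getServiceAccount starts above this hunk). The returned name becomes the `:sub` subject of the trust policy, as the common_test fixture shows, so a mismatch with the ServiceAccount the EBS CSI deployment actually uses only surfaces at runtime as an AssumeRoleWithWebIdentity denial; suggest `// must match the kube-system ServiceAccount the EBS CSI controller runs as` on the new return. In ReconcileRolesForIRSA the EBS role is also built via generateRoute53RoleParams into a Route53RoleParams; that was already true for the cert-manager and ALB roles, so it is not new, but the name is now wrong for three of the four roles and a rename would help.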
5 changes: 5 additions & 0 deletions pkg/iam/template.go
Expand Up @@ -53,6 +53,8 @@ func getInlinePolicyTemplate(roleType string) string {
return route53RolePolicyTemplateForCertManager
case ALBConrollerRole:
return ALBControllerPolicyTemplate
case EBSCSIDriverRole:
return EBSCSIDriverPolicyTemplate
default:
return ""
}
Expand All @@ -76,6 +78,9 @@ func getTrustPolicyTemplate(roleType string) string {
return trustIdentityPolicyKIAMAndIRSA
case ALBConrollerRole:
return trustIdentityPolicyKIAMAndIRSA
case EBSCSIDriverRole:
return trustIdentityPolicyKIAMAndIRSA

default:
return ""
}
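Review bot: The blank line between the new `return trustIdentityPolicyKIAMAndIRSA` case and `default:` in getTrustPolicyTemplate breaks the tight case layout used everywhere else in both switches; drop it. More substantively, the set of IRSA roles is now spelled out in four places (the slice in ReconcileRolesForIRSA, getServiceAccount, getInlinePolicyTemplate and getTrustPolicyTemplate) with nothing tying them together, so a role added to the loop but missed in getInlinePolicyTemplate silently falls into `default: return ""` and a role gets created with an empty inline policy. A single package-level table mapping each role to its service account, inline policy and trust policy that all four consult would turn that omission into an explicit error. Both switch functions start above their hunks.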
