iam-manager

module

v0.20.0 Latest Latest Go to latest Published: Mar 29, 2024 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/keikoproj/iam-manager

Links

Open Source Insights

README ¶

iam-manager

AWS IAM role management for K8s namespaces inside cluster using k8s CRD Operator.

Security:

Security will be a main concern when we design a solution to create/update/delete IAM roles inside a cluster independently. iam-manager uses AWS IAM Permission Boundary concept along with other solutions to secure the implementation. Please check AWS Security for more details.

Supported Features

Following features are supported by IAM Manager

IAM Roles Management
IAM Role for Service Accounts (IRSA)
AWS Service-Linked Roles
Default Trust Policy for All Roles
Maximum Number of Roles per Namespace
Attaching Managed IAM Policies for All Roles
Multiple Trust policies

iam-manager config-map

This document provide explanation on configmap variables.

Additional Info

iam-manager is built using kubebuilder project and like any other kubebuilder project iam-manager also uses cert-manager to manage the SSL certs for webhooks.

Usage:

Following is the sample Iamrole spec.

apiVersion: iammanager.keikoproj.io/v1alpha1
kind: Iamrole
metadata:
  name: iam-manager-iamrole
spec:
  # Add fields here
  PolicyDocument:
    Statement:
      -
        Effect: "Allow"
        Action:
          - "s3:Get*"
        Resource:
          - "arn:aws:s3:::intu-oim*"
        Sid: "AllowS3Access"
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      -
        Effect: "Allow"
        Action: "sts:AssumeRole"
        Principal:
          AWS:
            - "arn:aws:iam::XXXXXXXXXXX:role/20190504-k8s-kiam-role"

To submit, kubectl apply -f iam_role.yaml --ns namespace1

Installation:

Simplest way to install iam-manager along with the role required for it to do the job is to run install.sh command.

Update the allowed policies in allowed_policies.txt and config map properties config_map as per your environment before you run install.sh.

Note: You must be cluster admin and have exported KUBECONFIG and also has Administrator access to underlying AWS account and have the credentials exported.

example:

export KUBECONFIG=/Users/myhome/.kube/admin@eks-dev2-k8s  
export AWS_PROFILE=admin_123456789012_account
./install.sh [cluster_name] [aws_region] [aws_profile]
./install.sh eks-dev2-k8s us-west-2 aws_profile

To enable web hook or/and also update your installation of iam-manager to work with kiam please check Installation for detailed instructions.

❤ Contributing ❤

Please see CONTRIBUTING.md.

Developer Guide

Please see DEVELOPER.md.

Directories ¶

Path	Synopsis
api
v1alpha1 Package v1alpha1 contains API Schema definitions for the iammanager v1alpha1 API group +kubebuilder:object:generate=true +groupName=iammanager.keikoproj.io	Package v1alpha1 contains API Schema definitions for the iammanager v1alpha1 API group +kubebuilder:object:generate=true +groupName=iammanager.keikoproj.io
cmd
internal
config
controllers
utils
pkg
awsapi
k8s
logging
validation

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL