@amcginlay
Last active February 10, 2022 14:26
You can reference this file from https://bit.ly/amcginlay-eks-irsa
# https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
# requires https://github.com/itaysk/kubectl-neat
# set up variables
cluster=dev
namespace=irsa
mkdir -p ~/environment/${namespace}/
export AWS_DEFAULT_REGION=$(curl --silent http://169.254.169.254/latest/meta-data/placement/region)
# create the namespace for IAM Roles Service Accounts (IRSA)
kubectl create namespace ${namespace}
# OPTIONAL --> our cluster may already have been created with "withOIDC: true" in the eksctl cluster config
# register our cluster's OIDC endpoint as an IAM identity provider
eksctl utils associate-iam-oidc-provider --cluster ${cluster} --approve
# use eksctl to build our IAM role (with S3 read access) and the corresponding Kubernetes service account, annotated with the role ARN
eksctl create iamserviceaccount \
--name s3-serviceaccount \
--namespace ${namespace} \
--cluster ${cluster} \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
--approve
# see what's been done
eksctl get iamserviceaccount --cluster ${cluster} --name s3-serviceaccount
kubectl get sa s3-serviceaccount -n ${namespace} -o yaml
# build an nginx manifest and specify our service account
kubectl create deployment nginx --image nginx -n ${namespace} -o yaml --dry-run=client | kubectl neat > ~/environment/${namespace}/deployment.yaml
# the 6-space indent puts serviceAccountName in spec.template.spec (the pod spec), alongside containers
echo "      serviceAccountName: s3-serviceaccount" >> ~/environment/${namespace}/deployment.yaml
# take a look at what we've done
cat ~/environment/${namespace}/deployment.yaml
# deploy it
kubectl apply -f ~/environment/${namespace}/deployment.yaml
# see what the mutating webhook has been up to inside our PodSpec
pod=$(kubectl get pod -l app=nginx -n ${namespace} -o name | head -1)
kubectl get -n ${namespace} ${pod} -o json | jq '.spec.volumes[]'
kubectl get -n ${namespace} ${pod} -o json | jq '.spec.containers[].volumeMounts[]'
kubectl get -n ${namespace} ${pod} -o json | jq '.spec.containers[].env[]'
# install the AWS CLI inside the container
kubectl exec -it -n ${namespace} ${pod} -- /bin/bash -c \
"apt update && apt install unzip less -y && \
curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip && \
unzip awscliv2.zip && \
./aws/install"
# check we have assumed our role inside the container
kubectl exec -it -n ${namespace} ${pod} -- aws sts get-caller-identity
# call out to S3
kubectl exec -it -n ${namespace} ${pod} -- aws s3 ls
# tidy up
kubectl delete namespace ${namespace}
eksctl delete iamserviceaccount \
--name s3-serviceaccount \
--namespace ${namespace} \
--cluster ${cluster}
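Added example, not part of the gist: a small Python model of what the role created by `eksctl create iamserviceaccount` and the `aws sts get-caller-identity` call above rely on. It builds the kind of trust policy eksctl attaches to the role, decodes a constructed stand-in for the token the webhook projects into the pod at AWS_WEB_IDENTITY_TOKEN_FILE, and replays IAM's StringEquals match to show why only a pod running as irsa/s3-serviceaccount can assume the role. The OIDC provider ID, account number and token signature are placeholders, and signature verification against the issuer's JWKS is left out.

```python
import base64
import json
# Constructed stand-ins for this gist's cluster: the OIDC provider ID and the
# account number are placeholders, not real identifiers.
ISSUER = "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789ABCDEFEXAMPLE"
ISSUER_HOST = ISSUER[len("https://"):]
# Trust policy of the kind eksctl attaches behind `create iamserviceaccount`: only
# this cluster's tokens for exactly this namespace/SA, with STS as audience, may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + ISSUER_HOST},
        "Condition": {"StringEquals": {
            ISSUER_HOST + ":sub": "system:serviceaccount:irsa:s3-serviceaccount",
            ISSUER_HOST + ":aud": "sts.amazonaws.com"}}}]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(namespace: str, sa: str) -> str:
    # Stand-in for the projected token the webhook mounts at AWS_WEB_IDENTITY_TOKEN_FILE.
    # The signature is a dummy: STS checks the real one against the issuer's JWKS.
    header = {"alg": "RS256", "kid": "example-kid"}
    claims = {"iss": ISSUER, "sub": f"system:serviceaccount:{namespace}:{sa}",
              "aud": ["sts.amazonaws.com"], "exp": 1700000000}
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims)) + "." + _b64url(b"sig")

def token_claims(jwt: str) -> dict:
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def trust_policy_allows(policy: dict, claims: dict) -> bool:
    # Replay the match IAM applies to AssumeRoleWithWebIdentity: the token's issuer must
    # be the federated provider and every StringEquals key must equal the claim it names
    # (a list-valued claim such as aud matches by membership).
    host = claims["iss"][len("https://"):]
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if st["Principal"].get("Federated", "").split("oidc-provider/", 1)[-1] != host:
            continue
        ok = True
        for key, want in st.get("Condition", {}).get("StringEquals", {}).items():
            got = claims.get(key[len(host) + 1:]) if key.startswith(host + ":") else None
            ok = ok and (want in got if isinstance(got, list) else got == want)
        if ok:
            return True
    return False
```

A token for any other namespace or service account, or from any other issuer, fails the match, which is the property to check whenever a trust policy is edited by hand instead of by eksctl.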