Last active
April 15, 2023 23:15
-
-
Save d-nishi/a4e54dfc973ea047ec46c8deb5193f4e to your computer and use it in GitHub Desktop.
EKS RBAC - verbose index.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import * as aws from "@pulumi/aws"; | |
| import * as awsx from "@pulumi/awsx"; | |
| import * as eks from "@pulumi/eks"; | |
| import * as k8s from "@pulumi/kubernetes"; | |
| /* | |
| * 1) Single step deployment three IAM Roles | |
| */ | |
| // Administrator AWS IAM clusterAdminRole with full access to all AWS resources | |
| const clusterAdminRole = new aws.iam.Role("clusterAdminRole", { | |
| assumeRolePolicy: `{ | |
| "Version": "2012-10-17", | |
| "Statement":[ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": "arn:aws:iam::153052954103:root" | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| } | |
| `, | |
| tags: { | |
| "clusterAccess": "admin-usr", | |
| }, | |
| }); | |
| // Administer Automation role for use in pipelines, e.g. gitlab CI, Teamcity, etc. | |
| const AutomationRole = new aws.iam.Role("AutomationRole", { | |
| assumeRolePolicy: `{ | |
| "Version": "2012-10-17", | |
| "Statement":[ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": "arn:aws:iam::153052954103:root" | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| } | |
| `, | |
| tags: { | |
| "clusterAccess": "automation-usr", | |
| }, | |
| }); | |
| // Administer Prod role for use in Prod environment | |
| const EnvProdRole = new aws.iam.Role("EnvProdRole", { | |
| assumeRolePolicy: `{ | |
| "Version": "2012-10-17", | |
| "Statement":[ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": "arn:aws:iam::153052954103:root" | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| } | |
| `, | |
| tags: { | |
| "clusterAccess": "prod-usr", | |
| }, | |
| }); | |
| /* | |
| * 2) Single step deployment of EKS cluster with the most important variables | |
| */ | |
| const vpc = new awsx.Network("vpc", {usePrivateSubnets: false }); | |
| const cluster = new eks.Cluster("eks-cluster", { | |
| vpcId : vpc.vpcId, | |
| subnetIds : vpc.publicSubnetIds, | |
| instanceType : "t2.micro", | |
| nodeRootVolumeSize: 200, | |
| desiredCapacity : 3, | |
| maxSize : 3, | |
| minSize : 2, | |
| deployDashboard : false, | |
| vpcCniOptions : { | |
| warmIpTarget : 4, | |
| }, | |
| roleMappings : [ | |
| // Provides full administrator cluster access to the k8s cluster | |
| { | |
| groups : ["system:masters"], | |
| roleArn : clusterAdminRole.arn, | |
| username : "admin-usr", | |
| }, | |
| // Map IAM role arn "AutomationRoleArn" to the k8s user with name "automation-usr", e.g. gitlab CI | |
| { | |
| groups : ["pulumi:automation-grp"], | |
| roleArn : AutomationRole.arn, | |
| username : "automation-usr", | |
| }, | |
| // Map IAM role arn "EnvProdRoleArn" to the k8s user with name "prod-usr" | |
| { | |
| groups : ["pulumi:prod-grp"], | |
| roleArn : EnvProdRole.arn, | |
| username : "prod-usr", | |
| }, | |
| ], | |
| }); | |
| export const clusterName = cluster.eksCluster.name; | |
| /* | |
| * 3) Single Step deployment of k8s RBAC configuration for user1, user2 and user3 per our example | |
| */ | |
| // Grant cluster admin access to all admins with k8s ClusterRole and ClusterRoleBinding | |
| new k8s.rbac.v1.ClusterRole("clusterAdminRole", { | |
| metadata: { | |
| name: "clusterAdminRole", | |
| }, | |
| rules: [{ | |
| apiGroups: ["*"], | |
| resources: ["*"], | |
| verbs: ["*"], | |
| }] | |
| }, {provider: cluster.provider}); | |
| new k8s.rbac.v1.ClusterRoleBinding("cluster-admin-binding", { | |
| metadata: { | |
| name: "cluster-admin-binding", | |
| }, | |
| subjects: [{ | |
| kind: "User", | |
| name: "pulumi:admin-usr", | |
| }], | |
| roleRef: { | |
| kind: "ClusterRole", | |
| name: "clusterAdminRole", | |
| apiGroup: "rbac.authorization.k8s.io", | |
| }, | |
| }, {provider: cluster.provider}); | |
| // User2 called automation-usr for users that have permissions to all k8s resources in the namespace automation | |
| new k8s.rbac.v1.Role("AutomationRole", { | |
| metadata: { | |
| name: "AutomationRole", | |
| }, | |
| rules: [{ | |
| apiGroups: ["*"], | |
| resources: ["*"], | |
| verbs: ["*"], | |
| }] | |
| }, {provider: cluster.provider}); | |
| new k8s.rbac.v1.RoleBinding("automation-binding", { | |
| metadata: { | |
| name: "automation-binding", | |
| }, | |
| subjects: [{ | |
| kind: "User", | |
| name: "pulumi:automation-usr", | |
| }], | |
| roleRef: { | |
| kind: "Role", | |
| name: "AutomationRole", | |
| apiGroup: "rbac.authorization.k8s.io", | |
| }, | |
| }, {provider: cluster.provider}); | |
| // User3 called prod-usr for users that have read access to all k8s resources in the namespace env-prod | |
| new k8s.rbac.v1.Role("EnvProdRole", { | |
| metadata: { | |
| name: "EnvProdRole", | |
| }, | |
| rules: [{ | |
| apiGroups: ["*"], | |
| resources: ["*"], | |
| verbs: ["get", "watch", "list"], | |
| }], | |
| }, {provider: cluster.provider}); | |
| new k8s.rbac.v1.RoleBinding("env-prod-binding", { | |
| metadata: { | |
| name: "env-prod-binding", | |
| }, | |
| subjects: [{ | |
| kind: "User", | |
| name: "pulumi:prod-usr", | |
| }], | |
| roleRef: { | |
| kind: "Role", | |
| name: "EnvProdRole", | |
| apiGroup: "rbac.authorization.k8s.io", | |
| }, | |
| }, {provider: cluster.provider}); | |
| export const kubeconfig = cluster.kubeconfig |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment