Skip to content

Commit

Permalink
update docs
Browse files Browse the repository at this point in the history
  • Loading branch information
kkb0318 committed Jun 4, 2024
1 parent 0752807 commit 945f3d7
Show file tree
Hide file tree
Showing 3 changed files with 75 additions and 3 deletions.
78 changes: 75 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,29 @@ Before you begin, ensure you have the following:
- AWS user credentials with appropriate permissions.
- The permissions should allow irsa-manager to call the necessary AWS APIs. You can find all the APIs that irsa-manager calls in the internal/aws/aws.go interfaces.

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider",
"iam:CreateRole",
"iam:UpdateAssumeRolePolicy",
"iam:AttachRolePolicy",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"sts:GetCallerIdentity",
"s3:*"
],
"Resource": "*"
}
]
}
```

## Setup

Follow these steps to set up IRSA on your non-EKS cluster:
Expand Down Expand Up @@ -52,6 +75,8 @@ kubectl create secret generic aws-secret -n irsa-manager-system \

3. Create an IRSASetup Custom Resource

![](docs/IRSASetup-cr.png)

Define and apply an IRSASetup custom resource according to your needs.

```yaml
Expand Down Expand Up @@ -133,9 +158,14 @@ For more details, refer to the [Kubernetes documentation](https://kubernetes.io/

## How To Use

You can set IRSA for the Kubernetes ServiceAccount.
You can set up IRSA for any Kubernetes ServiceAccount by configuring the necessary IAM roles and policies.
While you can use the provided IRSA custom resources, it is also possible to set up IRSA manually by configuring the `iamRole`, `iamPolicies`, and `ServiceAccount` directly.

The following example shows that irsa-manager sets the `irsa1-sa` ServiceAccount in the kube-system and default namespaces with the AmazonS3FullAccess policy:
### Using IRSA Custom Resources

![](docs/IRSA-cr.png)

The following example shows how irsa-manager sets up the `irsa1-sa` ServiceAccount in the `kube-system` and `default` namespaces with the AmazonS3FullAccess policy using IRSA custom resources:

```yaml
apiVersion: irsa-manager.kkb0318.github.io/v1alpha1
Expand All @@ -156,7 +186,49 @@ spec:
- AmazonS3FullAccess
```

For more details, please see the API Reference.
This configuration simplifies the setup process by combining the creation of the IAM role, policies, and service account into a single custom resource.

### Manual setup

Alternatively, you can configure IRSA manually without using the IRSA custom resources by following these steps:

- Create the IAM Role:
- Manually create an IAM role in AWS with the necessary trust policy to allow the Kubernetes service account to assume the role.

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account-id>:oidc-provider/s3-<region>.amazonaws.com/<S3 bucket name>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"s3-<region>.amazonaws.com/<S3 bucket name>:sub": "system:serviceaccount:<namespace>:<name>"
}
}
}
]
}
```

- Attach IAM Policies:
- Attach the required IAM policies (e.g., AmazonS3FullAccess) to the IAM role.
- Annotate the Kubernetes ServiceAccount:
- Annotate the Kubernetes service account with the ARN of the IAM role.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: <name>
namespace: <namespace>
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role name>
```

## Verification

Expand Down
Binary file added docs/IRSA-cr.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/IRSASetup-cr.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit 945f3d7

Please sign in to comment.