vegito11/AWSAuthSync
Info

  • This operator maintains the aws-auth configmap (the EKS mapping from IAM roles and users to Kubernetes usernames and groups) so that it no longer has to be edited by hand.

  • After an AWSAuthMap custom resource (CR) is created, the controller updates the aws-auth configmap according to the entries specified in that object.

  • Because aws-auth is what grants IAM principals access to the cluster, anyone who can create or edit an AWSAuthMap object can grant cluster access. Restrict create/update rights on the AWSAuthMap resource with RBAC as tightly as you would restrict edits to aws-auth itself.

How to Run Code

1) To update/generate the clientset and informer code, run the code generator:

hacks/codegenerator.sh
  • It creates the clientset, informers and listers inside the client folder.
  • The CRD manifest is also generated inside the manifests folder.

2) Create the CRD by applying the generated manifest:

kubectl apply -f manifests/vegito11.io_awsauthmaps.yaml

3) To test without deploying the controller, run it locally against your current kubeconfig context:

go run main.go
## in another terminal, create a new AWSAuthMap object and observe the controller logs
kubectl apply -f manifests/aws-auth-cm.yaml
kubectl get AWSAuthMap
kubectl get cm aws-auth-test -n kube-system -o yaml
kubectl apply -f manifests/devs_map.yaml
kubectl get cm aws-auth-test -n kube-system -o yaml

Note that the manifests target a test copy named aws-auth-test; on a real EKS cluster the configmap that controls access is named aws-auth in kube-system, so point the controller at a test copy first and inspect the result before letting it touch the real one.

4) To deploy the controller on a k8s cluster:

  1. Build the docker image and push it (update the image repository in the deployment manifest accordingly):

    docker build -t vegito/awsauthsyncer:0.0.1 .
    docker push vegito/awsauthsyncer:0.0.1
  2. Create the aws-auth-test configmap and the CRD on the cluster:

    kubectl apply -f manifests/aws-auth-cm.yaml
    kubectl apply -f manifests/vegito11.io_awsauthmaps.yaml
    kubectl get AWSAuthMap
  3. Deploy the controller together with the role and binding it needs (the role must allow get/update on the configmap in kube-system and watch/list on AWSAuthMap objects, and should allow nothing more):

    kubectl apply -f manifests/templates

Examples

  1. To see the CRD registered in the cluster:
> kubectl api-resources | grep aws
awsauthmaps                       awth         vegito11.io/v1beta                     true         AWSAuthMap

  2. Create a new object using the CRD and verify that the configmap is updated:
# 1) before creating the object
> kubectl get cm aws-auth-test -n kube-system -o yaml

> kubectl apply -f manifests/devs_map.yaml

# 2) after creating the object
> kubectl get cm aws-auth-test -n kube-system -o yaml

  3. Delete the CR and verify that its entries have been removed from aws-auth-test:
> kubectl delete awth devauth
> kubectl get cm aws-auth-test -n kube-system -o yaml

  4. List the objects:
> kubectl get AWSAuthMap

# Using the short name
> kubectl get awth
NAME     ROLE                USER   AGE
qaauth   aws::/role/qarole          49m

  5. To see the hidden columns:
> kubectl get awth -o wide
NAME      ROLE                  USER                AGE   ALLUSER
devauth   aws::/role/testrole   aws::/user/devops   6s    [{"groups":["devops"],"userarn":"aws::/user/devops","username":"devops"}]
qaauth    aws::/role/qarole                         52m

Limitation and Improvement

  1. Whenever an existing CR object is updated, the aws-auth map retains any entries that were deleted from the CR object. Such stale entries keep granting cluster access until someone removes them by hand, so check the configmap after every edit.

  2. Because it has not been thoroughly tested and was created only for learning purposes, it should not be used in production.

  3. A validating admission webhook could check the format of userarn/rolearn, so that common typos are rejected before they reach aws-auth.

  4. A mutating webhook could set username/groups by parsing userarn/rolearn.

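The following Go program is an added example, not code from this repository. It shows the reconcile step described in the Info section written so that limitation 1 does not occur, together with the ARN check proposed in limitation 3. It assumes a few things the README does not state: that mapUsers entries have the userarn/username/groups fields printed in the ALLUSER column above, that the controller records which userarns it wrote on the previous reconcile (here passed in as `owned`; a real controller would keep that list in the CR status), and that an IAM ARN must match the `arnRE` pattern. The sample data is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// MapUser is one mapUsers entry of the aws-auth configmap; the field names
// match what the ALLUSER column prints (userarn, username, groups).
type MapUser struct {
	UserARN  string   `json:"userarn"`
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
}

// arnRE is an assumed pattern for IAM user and role ARNs: partition,
// 12-digit account id, then role/ or user/ followed by a path and name.
var arnRE = regexp.MustCompile(`^arn:aws[a-zA-Z-]*:iam::\d{12}:(role|user)/[\w+=,.@/-]+$`)

// ValidateARN rejects anything that is not a well-formed IAM user or role
// ARN, which is the check a validating webhook would run on the CR.
func ValidateARN(arn string) error {
	if !arnRE.MatchString(arn) {
		return fmt.Errorf("invalid IAM ARN %q", arn)
	}
	return nil
}

// ReconcileUsers computes the new mapUsers list for one AWSAuthMap object.
//   current: entries currently in the configmap (decoded from data.mapUsers)
//   owned:   userarns this CR wrote on its previous reconcile (assumed
//            bookkeeping; the README describes none)
//   desired: entries in the CR spec now
// Entries owned by this CR but no longer desired are dropped, so an entry
// deleted from the CR is also deleted from aws-auth. Entries the CR never
// wrote (other CRs, manual edits) are left untouched.
func ReconcileUsers(current []MapUser, owned []string, desired []MapUser) ([]MapUser, error) {
	ownedSet := make(map[string]bool, len(owned))
	for _, arn := range owned {
		ownedSet[arn] = true
	}
	want := make(map[string]MapUser, len(desired))
	for _, u := range desired {
		if err := ValidateARN(u.UserARN); err != nil {
			return nil, err // refuse to write a typo into aws-auth
		}
		want[u.UserARN] = u
	}
	out := make([]MapUser, 0, len(current)+len(desired))
	seen := make(map[string]bool)
	for _, u := range current {
		if d, ok := want[u.UserARN]; ok {
			out = append(out, d) // still desired: update in place
			seen[u.UserARN] = true
			continue
		}
		if ownedSet[u.UserARN] {
			continue // written by this CR earlier, now removed: drop it
		}
		out = append(out, u) // not ours: keep as is
	}
	for _, u := range desired {
		if !seen[u.UserARN] {
			out = append(out, u) // newly added in the CR
		}
	}
	return out, nil
}

// RenderMapUsers encodes the list as the string stored in data.mapUsers.
// JSON is valid YAML, so a YAML parser reading the configmap accepts it.
func RenderMapUsers(users []MapUser) (string, error) {
	b, err := json.MarshalIndent(users, "", "  ")
	return string(b), err
}

func main() {
	// Constructed state: one entry from another source and one this CR wrote earlier.
	current := []MapUser{
		{UserARN: "arn:aws:iam::123456789012:user/qa", Username: "qa", Groups: []string{"qa"}},
		{UserARN: "arn:aws:iam::123456789012:user/devops", Username: "devops", Groups: []string{"devops"}},
	}
	owned := []string{"arn:aws:iam::123456789012:user/devops"}
	// The CR now lists alice instead of devops.
	desired := []MapUser{
		{UserARN: "arn:aws:iam::123456789012:user/alice", Username: "alice", Groups: []string{"devops"}},
	}
	users, err := ReconcileUsers(current, owned, desired)
	if err != nil {
		panic(err)
	}
	s, _ := RenderMapUsers(users)
	fmt.Println(s)
	// The README's placeholder "aws::/user/devops" is not a real ARN and is rejected.
	fmt.Println(ValidateARN("aws::/user/devops"))
}
```

The placeholder values shown in the README output (aws::/role/qarole, aws::/user/devops) fail ValidateARN on purpose; a real entry looks like arn:aws:iam::123456789012:role/qarole. The ownership list is what makes deletion safe: without it the controller cannot tell its own stale entries from entries added by someone else, which is exactly why the current version leaves them in place.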