🔀 Move @soulshake's scripts and commands to prepare-eks directory

2026-02-14 09:39:56 +00:00 · 2021-03-28 12:59:54 +02:00
parent b23aacdce0
commit b9ea938157
3 changed files with 89 additions and 133 deletions
--- a/bin/sa-can-read-s3.sh
+++ b/bin/sa-can-read-s3.sh
@@ -1,133 +0,0 @@
 #!/usr/bin/env bash
 # I would like to demonstrate access to AWS resource (e.g. S3 bucket) from a pod. Idea:
 # create a bucket, put two objects in it (one public, one private), then … I suppose I
 # need to create a role with access to the private object, associate the role to a service
 # account in k8s, find an image with the aws CLI (or some s3 client) in it … ?
 set -euo pipefail
 emit_describe_cluster_policy() {
    # Not used right now, but this permission is required in order to run `aws eks update-kubeconfig`:
    echo '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "eks:DescribeCluster"
            ],
            "Resource": "'"arn:aws:eks:${REGION}:${ACCOUNT_ID}:cluster/${CLUSTER_NAME}"'",
            "Effect": "Allow"
        }
    ]
 }'
 }
 create_describe_cluster_policy() {
    aws iam create-policy \
        --policy-name ${DESCRIBE_CLUSTER_POLICY_NAME} \
        --description "Policy allowing to describe ${CLUSTER_NAME}" \
        --policy-document "$(emit_describe_cluster_policy)"
    # to attach:
    # aws iam attach-user-policy --user-name "${user_name}" --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${DESCRIBE_CLUSTER_POLICY_NAME}"
 }
 emit_service_account_role_trust_policy() {
    local oidc_provider_arn key_prefix
    oidc_provider_arn="$(aws iam list-open-id-connect-providers | jq -r '.OpenIDConnectProviderList[0].Arn')"
    key_prefix="$(echo "${oidc_provider_arn}" | cut -f2- -d '/')"
    echo '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "'"${oidc_provider_arn}"'"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
            "'"${key_prefix}:sub"'": "system:serviceaccount:default:default"
        }
      }
    }
  ]
 }'
 }
 associate_oidc_provider() {
    local issuer_url
    issuer_url="$(aws eks describe-cluster --name "${CLUSTER_NAME}" --query "cluster.identity.oidc.issuer" --output text)"
    if ! aws iam list-open-id-connect-providers | grep "${issuer_url}"; then
        eksctl utils associate-iam-oidc-provider --cluster "${CLUSTER_NAME}" --approve
    else
        echo "OIDC provider already associated"
    fi
 }
 create_role() {
    if ! _="$(aws iam get-role --role-name "${ROLE_NAME}")"; then
        aws iam create-role --role-name "${ROLE_NAME}" --description "Role for service account" --assume-role-policy-document "$(emit_service_account_role_trust_policy)"
    else
        echo "Role ${ROLE_NAME} already exists"
    fi
 }
 annotate_serviceaccount() {
    kubectl annotate serviceaccounts default -n default "role-arn=arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" --overwrite
 }
 checkit() {
    echo "Will try to read s3://"${BUCKET_NAME}"/top-sekret.txt"
    kubectl run --image amazon/aws-cli --attach --restart=Never --rm --wait=true can-we-read-s3 -- s3 cp s3://"${BUCKET_NAME}"/top-sekret.txt -
 }
 update_kubeconfig() {
    aws eks update-kubeconfig --name "${CLUSTER_NAME}"
 }
 teardown() {
    # see also 'can-describe-cluster' policy, if created via create_describe_cluster_policy
    aws iam detach-role-policy --policy-arn "${S3_POLICY_ARN}" --role-name "${ROLE_NAME}"
    aws iam delete-role "${ROLE_NAME}"
    # for username in users; do ...
    # aws iam detach-user-policy --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${DESCRIBE_CLUSTER_POLICY_NAME}" --user-name "${username}"
    aws iam delete-policy --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${DESCRIBE_CLUSTER_POLICY_NAME}"
 }
 create_and_populate_bucket() {
    if ! _="$(aws s3api get-bucket-acl --bucket "${BUCKET_NAME}")"; then
        aws s3api create-bucket --region "${REGION}" --bucket "${BUCKET_NAME}" --create-bucket-configuration "LocationConstraint=${REGION}"
    else
        echo "Bucket ${BUCKET_NAME} already exists."
    fi
    f="$(mktemp)"
    echo "THE UNICORN IS IN THE GARDEN!!" >"${f}"
    aws s3api put-object --bucket "${BUCKET_NAME}" --key top-sekret.txt --body "${f}"
 }
 ACCOUNT_ID="$(aws sts get-caller-identity | jq -r .Account)"
 S3_POLICY_ARN=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
 CLUSTER_NAME=floral-mongoose-1616851817
 DESCRIBE_CLUSTER_POLICY_NAME=can-describe-cluster
 ROLE_NAME=service-account-role
 REGION=eu-north-1
 BUCKET_NAME=wooga-booga-pants
 export KUBECONFIG=myconfig
 main() {
    if [ -n "${1:-}" ]; then
        echo "An argument was provided, running that: $1"
        "${1}"
    else
        echo "ACCOUNT_ID: $ACCOUNT_ID"
        associate_oidc_provider
        create_role
        aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${S3_POLICY_ARN}"
        annotate_serviceaccount
        checkit
    fi
 }
 main "$@"
--- a/prepare-eks/70_oidc.sh
+++ b/prepare-eks/70_oidc.sh
@@ -0,0 +1,46 @@
 #!/bin/sh
 # Note: if cluster was created without OIDC provider attached,
 # you need to run the following command. It is idempotent.
 #eksctl utils associate-iam-oidc-provider --cluster cluster-name-12341234 --approve
 if [ "$1" ]; then
    CLUSTER="$1"
 else
    echo "Please indicate cluster to use. Available clusters:"
    aws eks list-clusters --output table
    exit 1
 fi
 ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
 OIDC=$(aws eks describe-cluster --name $CLUSTER --query cluster.identity.oidc.issuer --output text | cut -d/ -f3-)
 ROLE_NAME=s3-reader-container-training
 TRUST_POLICY=$(envsubst <<EOF
 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT}:oidc-provider/${OIDC}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
            "${OIDC}:sub": ["system:serviceaccount:container-training:*"]
        }
      }
    }
  ]
 }
 EOF
 )
 aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$TRUST_POLICY"
 kubectl annotate serviceaccounts \
    --namespace container-training default \
    "eks.amazonaws.com/role-arn=arn:aws:iam::$ACCOUNT:role/$ROLE_NAME" \
    --overwrite
--- a/prepare-eks/80_s3_bucket.sh
+++ b/prepare-eks/80_s3_bucket.sh
@@ -0,0 +1,43 @@
 #!/bin/sh
 ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
 BUCKET=container.training
 ROLE_NAME=s3-reader-container-training
 POLICY_NAME=s3-reader-container-training
 POLICY_DOC=$(envsubst <<EOF
 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject*"
      ],
      "Resource": [
        "arn:aws:s3:::$BUCKET",
        "arn:aws:s3:::$BUCKET/*"
      ]
    }
  ]
 }
 EOF
 )
 aws iam create-policy \
 --policy-name $POLICY_NAME \
 --policy-doc "$POLICY_DOC"
 aws s3 mb s3://container.training
 echo "this is a public object" \
 | aws s3 cp - s3://container.training/public.txt \
 --acl public-read
 echo "this is a private object" \
 | aws s3 cp - s3://container.training/private.txt \
 --acl private
 aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::$ACCOUNT:policy/$POLICY_NAME