
Webhook Configuration with HELM chart

Prerequisites

  • Container images for the token-injector-webhook, the token-injector tool and the certificator tool (see the separate repository) must be built and pushed to a container registry that the GKE cluster can pull from.
  • Export AWS credentials as environment variables. They are consumed by the Terraform run below, so use an IAM identity scoped to what that code needs rather than long-lived administrator keys:
export AWS_ACCESS_KEY_ID="aws-access-key-id"
export AWS_SECRET_ACCESS_KEY="aws-secret-access-key"
export AWS_REGION="us-east-1"
  • Log in to GCP so that Terraform and gcloud can use Application Default Credentials:
gcloud auth application-default login

Remove (or comment out) the unused configuration file. terraform/webhook.tf covers the webhook deployment, which this guide performs with the Helm chart instead, so drop it to avoid managing the same resources twice:

rm terraform/webhook.tf

Deploy the Terraform code. Review the output of terraform plan before running terraform apply:

cd terraform
terraform init
terraform plan
terraform apply

Configure kubectl command-line access by running the following command:

gcloud container clusters get-credentials ${GKE_CLUSTER_NAME} --region ${GCP_REGION} --project ${PROJECT_ID}

For example:

gcloud container clusters get-credentials regional-cluster-test --region us-west1 --project ylebi-rnd

Deploy the HELM chart

cd ../helm-chart
helm upgrade --install admission-webhook-v1 . --values values.yaml --set apiserverCABundle=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}') --namespace webhook

The apiserverCABundle value is the base64-encoded cluster CA taken from the current kubeconfig context; --raw --minify --flatten selects only that context and inlines the data even when the kubeconfig references a CA file. If the kubectl expression expands to an empty string the chart is installed with an empty bundle, so check it first with kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | head -c 20. The webhook namespace must exist before the upgrade; Helm 3 can create it for you with --create-namespace.

Testing

  • Create a k8s Pod manifest as shown below. The admission.token-injector/enabled: "true" label opts the Pod into injection; the application-namespace namespace and the aws-reader-sa service account must already exist, or the Pod will not be created:
cat > test-pod.yaml << EOF
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: "application-namespace"
  labels:
    admission.token-injector/enabled: "true"
spec:
  serviceAccountName: "aws-reader-sa"
  containers:
  - name: test-pod
    image: mikesir87/aws-cli
    command: ["tail", "-f", "/dev/null"]
EOF
  • Apply pod configuration from YAML file:
kubectl apply -f test-pod.yaml
  • Connect to the running k8s Pod:
kubectl exec -it test-pod -n application-namespace -- bash
  • Run the following command in the Pod shell to check the AWS assumed role:
aws sts get-caller-identity

The output should look similar to the below:

{
    "UserId": "AROAXXPBSFGLKUDFGHT7Q:token-injector-webhook-luwkompqhfewtygb",
    "Account": "531438381462",
    "Arn": "arn:aws:sts::531438381462:assumed-role/gke-reader-role/token-injector-webhook-luwkompqhfewtygb"
}
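The manual test above only covers the positive case. The script below is an added example, not part of the token-injector project: it applies a labeled and an identical unlabeled Pod, confirms that only the labeled one was mutated by the webhook, checks that the injected credentials resolve to the expected role, and confirms that the unlabeled Pod gets no AWS credentials at all. It assumes the namespace, service account, label, image and role name shown in this section (gke-reader-role comes from the sample output) and that both kubectl and the AWS CLI inside the image work as in the steps above; the pod names labeled-pod and plain-pod are this script's own.

```shell
#!/bin/sh
# Added example for the token-injector webhook (not the project's own code).
# Assumes the names from the Testing section; override via the environment.
set -eu

NAMESPACE="${NAMESPACE:-application-namespace}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-aws-reader-sa}"
INJECT_LABEL="${INJECT_LABEL:-admission.token-injector/enabled}"
EXPECTED_ROLE="${EXPECTED_ROLE:-gke-reader-role}"   # role name from the sample sts output
IMAGE="${IMAGE:-mikesir87/aws-cli}"

# Print a Pod manifest; the second argument selects whether the opt-in label is set.
pod_manifest() {
  name="$1"; labeled="$2"
  printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$NAMESPACE"
  if [ "$labeled" = "true" ]; then
    printf '  labels:\n    %s: "true"\n' "$INJECT_LABEL"
  fi
  printf 'spec:\n  serviceAccountName: %s\n  containers:\n  - name: main\n    image: %s\n    command: ["tail", "-f", "/dev/null"]\n' \
    "$SERVICE_ACCOUNT" "$IMAGE"
}

# Summarise everything a mutating webhook is likely to add (init containers,
# containers, volumes, env var names) as one sorted line. The auto-generated
# kube-api-access-* projected volume gets a random suffix per Pod, so it is
# dropped; otherwise two identical Pods would always look "different".
pod_shape() {
  kubectl get pod "$1" -n "$NAMESPACE" \
    -o jsonpath='{.spec.initContainers[*].name} {.spec.containers[*].name} {.spec.volumes[*].name} {.spec.containers[*].env[*].name}' \
    | tr ' ' '\n' | sed '/^$/d' | grep -v '^kube-api-access-' | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Extract the role name from an STS assumed-role ARN:
# arn:aws:sts::123456789012:assumed-role/gke-reader-role/session -> gke-reader-role
assumed_role_name() {
  case "$1" in
    *:assumed-role/*) rest="${1#*:assumed-role/}"; printf '%s\n' "${rest%%/*}" ;;
    *) return 1 ;;
  esac
}

# Pass when the labeled Pod differs from the unlabeled one, i.e. the webhook acted on it.
check_mutation() {
  labeled_shape="$(pod_shape "$1")"
  plain_shape="$(pod_shape "$2")"
  if [ "$labeled_shape" = "$plain_shape" ]; then
    echo "FAIL: webhook did not change $1 (shape: $labeled_shape)" >&2
    return 1
  fi
  echo "OK: $1 was mutated: [$labeled_shape] vs [$plain_shape]"
}

# Pass when the credentials inside the labeled Pod resolve to EXPECTED_ROLE.
check_role() {
  arn="$(kubectl exec "$1" -n "$NAMESPACE" -- aws sts get-caller-identity --query Arn --output text)"
  role="$(assumed_role_name "$arn")" || { echo "FAIL: not an assumed-role ARN: $arn" >&2; return 1; }
  [ "$role" = "$EXPECTED_ROLE" ] || { echo "FAIL: got role $role, expected $EXPECTED_ROLE" >&2; return 1; }
  echo "OK: $1 runs as $arn"
}

# Pass when the unlabeled Pod cannot obtain any AWS identity.
check_no_credentials() {
  if kubectl exec "$1" -n "$NAMESPACE" -- aws sts get-caller-identity >/dev/null 2>&1; then
    echo "FAIL: $1 has AWS credentials without the opt-in label" >&2
    return 1
  fi
  echo "OK: $1 has no AWS credentials"
}

# Against a live cluster: ./webhook-check.sh run
if [ "${1:-}" = "run" ]; then
  pod_manifest labeled-pod true | kubectl apply -f -
  pod_manifest plain-pod false | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/labeled-pod pod/plain-pod -n "$NAMESPACE" --timeout=120s
  check_mutation labeled-pod plain-pod
  check_role labeled-pod
  check_no_credentials plain-pod
  kubectl delete pod labeled-pod plain-pod -n "$NAMESPACE" --wait=false
fi
```

If the injector changes something the jsonpath in pod_shape does not cover (an annotation, a volume mount only), extend that expression; comparing a labeled Pod against an otherwise identical unlabeled one is what isolates the webhook's changes from API-server defaulting.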