Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding outline of addon authorizations
- Loading branch information
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| from fluentm import Actor, Boundary, Process, DataFlow, HTTP, SIGV4, TLS, Unknown, SIGV4, JWS, Internal | ||
| from fluentm import report | ||
|
|
||
|
|
||
| # 1. Create an IAM OIDC provider for your cluster | ||
| # 2. Create an IAM role and attach an IAM policy to it with the permissions that your service accounts need | ||
| # 2.a. recommend creating separate roles for each unique collection of permissions | ||
| # 3. Associate an IAM role with a service account | ||
|
|
||
| scenes = { | ||
| "Create an IAM OIDC provider for cluster":[ | ||
| DataFlow( | ||
| Actor("User"), | ||
| Process("IAM API").inBoundary(Boundary("IAM CP").inBoundary("AWS SVCs")), | ||
| TLS(SIGV4("Create OIDC provider")), | ||
| response=TLS("OIDC URL") | ||
This comment has been minimized.
Sorry, something went wrong. |
||
| ) | ||
| ], | ||
| "Create an IAM policy & role to allow CPI addon to manage VPC":[ | ||
| DataFlow( | ||
| Actor("User"), | ||
| Process("IAM API"), | ||
| TLS(SIGV4("Create Policy")), | ||
| response = TLS("Policy ARN") | ||
| ), | ||
| DataFlow( | ||
| Actor("User"), | ||
| Process("IAM API"), | ||
| TLS(SIGV4("Create Role,\nTrusted Entity: Web Identity,\nIdentity Provider: OIDC URL,\nAttach Policy: Policy ARN")), | ||
This comment has been minimized.
Sorry, something went wrong. 
SaranBalaji90
|
||
| response=TLS("Role ARN") | ||
| ) | ||
| ], | ||
| "Associate IAM role to a cluster service account":[ | ||
This comment has been minimized.
Sorry, something went wrong. |
||
| DataFlow( | ||
| Actor("User"), | ||
| Process("Kube API").inBoundary(Boundary("Kubernetes Control Plane").inBoundary(Boundary("Single Tenant VPC"))), | ||
| TLS(SIGV4("Annotate service account $acct with Role ARN")) | ||
| ) | ||
| ], | ||
| "Deploy Addon":[ | ||
| DataFlow( | ||
| Actor("User"), | ||
| Process("EKS API").inBoundary(Boundary("EKS CP").inBoundary(Boundary("AWS SVCs"))), | ||
| TLS(SIGV4("Create add-on CNI,\nCluster: $clusterID")) | ||
| ), | ||
| DataFlow( | ||
| Process("EKS API"), | ||
| Process("Kube API"), | ||
| TLS("Create deployment CNI addon\nRole: Role ARN") | ||
| ), | ||
| DataFlow( | ||
| Process("Kube API"), | ||
| Process("aws-iam-authenticator").inBoundary("Kubernetes Control Plane"), | ||
| TLS("Get sts token") | ||
| ), | ||
| DataFlow( | ||
| Process("aws-iam-authenticator"), | ||
| Process("IAM API"), | ||
| TLS("STS Assume Role,\n with web identity"), | ||
| response=TLS("JWT STS Token") | ||
| ), | ||
| DataFlow( | ||
| Process("aws-iam-authenticator"), | ||
| Process("Kube API"), | ||
| TLS("JWT STS Token") | ||
| ), | ||
| DataFlow( | ||
| Process("Kube API"), | ||
| Process("CNI Pod").inBoundary(Boundary("Kubernetes Data Plane").inBoundary("Customer Account")), | ||
| TLS("Launch Pod,\nsvcacct $acct,\nRole ARN,\nJWT STS Token") | ||
| ) | ||
| ], | ||
| "CNI configures VPC":[ | ||
| DataFlow( | ||
| Process("CNI Pod"), | ||
| Process("VPC API").inBoundary(Boundary("VPC CP").inBoundary(Boundary("AWS SVCs"))), | ||
| TLS("Update VPC configuration,\nSTS token") | ||
| ) | ||
| ] | ||
| } | ||
|
|
||
| if __name__ == "__main__": | ||
| report(scenes, outputDir="examples/aws-eks-add-on-permissions", dfdLabels=True) | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| digraph all { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| User | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| subgraph "cluster_IAM CP" { | ||
| graph [color=red fontname=Arial fontsize=12 label="IAM CP" line=dotted] | ||
| "IAM API" | ||
| } | ||
| } | ||
| subgraph "cluster_Single Tenant VPC" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Single Tenant VPC" line=dotted] | ||
| subgraph "cluster_Kubernetes Control Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Control Plane" line=dotted] | ||
| "Kube API" | ||
| "aws-iam-authenticator" | ||
| } | ||
| } | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| subgraph "cluster_EKS CP" { | ||
| graph [color=red fontname=Arial fontsize=12 label="EKS CP" line=dotted] | ||
| "EKS API" | ||
| } | ||
| } | ||
| subgraph "cluster_Customer Account" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Customer Account" line=dotted] | ||
| subgraph "cluster_Kubernetes Data Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Data Plane" line=dotted] | ||
| "CNI Pod" | ||
| } | ||
| } | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| subgraph "cluster_VPC CP" { | ||
| graph [color=red fontname=Arial fontsize=12 label="VPC CP" line=dotted] | ||
| "VPC API" | ||
| } | ||
| } | ||
| User -> "IAM API" [dir=both] | ||
| User -> "Kube API" [dir=forward] | ||
| User -> "EKS API" [dir=forward] | ||
| "EKS API" -> "Kube API" [dir=forward] | ||
| "Kube API" -> "aws-iam-authenticator" [dir=both] | ||
| "aws-iam-authenticator" -> "IAM API" [dir=both] | ||
| "Kube API" -> "CNI Pod" [dir=forward] | ||
| "CNI Pod" -> "VPC API" [dir=forward] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| digraph "Associate IAM role to a cluster service account" { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| User | ||
| subgraph "cluster_Single Tenant VPC" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Single Tenant VPC" line=dotted] | ||
| subgraph "cluster_Kubernetes Control Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Control Plane" line=dotted] | ||
| "Kube API" | ||
| } | ||
| } | ||
| User -> "Kube API" [label="(1) Annotate service account $acct with Role ARN"] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| digraph "CNI configures VPC" { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| subgraph "cluster_Customer Account" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Customer Account" line=dotted] | ||
| subgraph "cluster_Kubernetes Data Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Data Plane" line=dotted] | ||
| "CNI Pod" | ||
| } | ||
| } | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| subgraph "cluster_VPC CP" { | ||
| graph [color=red fontname=Arial fontsize=12 label="VPC CP" line=dotted] | ||
| "VPC API" | ||
| } | ||
| } | ||
| "CNI Pod" -> "VPC API" [label="(1) Update VPC configuration"] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| digraph "Create an IAM OIDC provider for cluster" { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| User | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| subgraph "cluster_IAM CP" { | ||
| graph [color=red fontname=Arial fontsize=12 label="IAM CP" line=dotted] | ||
| "IAM API" | ||
| } | ||
| } | ||
| User -> "IAM API" [label="(1) Create OIDC provider"] | ||
| "IAM API" -> User [label="(2) OIDC URL"] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| digraph "Create an IAM policy & role to allow CPI addon to manage VPC" { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| User | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| subgraph "cluster_IAM CP" { | ||
| graph [color=red fontname=Arial fontsize=12 label="IAM CP" line=dotted] | ||
| "IAM API" | ||
| } | ||
| } | ||
| User -> "IAM API" [label="(1) Create Policy"] | ||
| "IAM API" -> User [label="(2) Policy ARN"] | ||
| User -> "IAM API" [label="(3) Create Role, | ||
| Trusted Entity: Web Identity, | ||
| Identity Provider: OIDC URL, | ||
| Attach Policy: Policy ARN"] | ||
| "IAM API" -> User [label="(4) Role ARN"] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| digraph "Deploy Addon" { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| User | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| subgraph "cluster_EKS CP" { | ||
| graph [color=red fontname=Arial fontsize=12 label="EKS CP" line=dotted] | ||
| "EKS API" | ||
| } | ||
| } | ||
| subgraph "cluster_Single Tenant VPC" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Single Tenant VPC" line=dotted] | ||
| subgraph "cluster_Kubernetes Control Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Control Plane" line=dotted] | ||
| "Kube API" | ||
| "aws-iam-authenticator" | ||
| } | ||
| } | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| subgraph "cluster_IAM CP" { | ||
| graph [color=red fontname=Arial fontsize=12 label="IAM CP" line=dotted] | ||
| "IAM API" | ||
| } | ||
| } | ||
| subgraph "cluster_Customer Account" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Customer Account" line=dotted] | ||
| subgraph "cluster_Kubernetes Data Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Data Plane" line=dotted] | ||
| "CNI Pod" | ||
| } | ||
| } | ||
| User -> "EKS API" [label="(1) Create add-on CNI, | ||
| Cluster: $clusterID"] | ||
| "EKS API" -> "Kube API" [label="(2) Create deployment CNI addon | ||
| Role: Role ARN"] | ||
| "Kube API" -> "aws-iam-authenticator" [label="(3) Get sts token"] | ||
| "aws-iam-authenticator" -> "IAM API" [label="(4) STS Assume Role, | ||
| with web identity"] | ||
| "IAM API" -> "aws-iam-authenticator" [label="(5) JWT STS Token"] | ||
| "aws-iam-authenticator" -> "Kube API" [label="(6) JWT STS Token"] | ||
| "Kube API" -> "CNI Pod" [label="(7) Launch Pod, | ||
| svcacct $acct, | ||
| Role ARN, | ||
| JWT STS Token"] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.
Minor but first talk to EKS and get the OIDC endpoint and then create the provider with IAM