-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #13 from hyakuhei/EKSAddon
Eks addon
- Loading branch information
Showing
21 changed files
with
661 additions
and
40 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| from fluentm import Actor, Boundary, Process, DataFlow, HTTP, SIGV4, TLS, Unknown, SIGV4, JWS, Internal | ||
| from fluentm import report | ||
|
|
||
|
|
||
| # 1. Create an IAM OIDC provider for your cluster | ||
| # 2. Create an IAM role and attach an IAM policy to it with the permissions that your service accounts need | ||
| # 2.a. recommend creating separate roles for each unique collection of permissions | ||
| # 3. Associate an IAM role with a service account | ||
|
|
||
| scenes = { | ||
| "Create an IAM OIDC provider for cluster":[ | ||
| DataFlow( | ||
| Actor("User"), | ||
| Process("EKS").inBoundary("AWS SVCs"), | ||
| TLS(SIGV4("Create OIDC endpoint")), | ||
| response="OIDC provider URL" | ||
| ), | ||
| DataFlow( | ||
| Actor("User"), | ||
| Process("IAM").inBoundary("AWS SVCs"), | ||
| TLS(SIGV4("Add OIDC provider,\n OIDC provider URL")) | ||
| ) | ||
| ], | ||
| "Create an IAM policy & role to allow CPI addon to manage VPC":[ | ||
| DataFlow( | ||
| Actor("User"), | ||
| Process("IAM"), | ||
| TLS(SIGV4("Create Policy")), | ||
| response = TLS("Policy ARN") | ||
| ), | ||
| DataFlow( | ||
| Actor("User"), | ||
| Process("IAM"), | ||
| TLS(SIGV4("Create Role,\nTrusted Entity: Web Identity,\nIdentity Provider: OIDC URL,\nAttach Policy: Policy ARN")), | ||
| response=TLS("Role ARN") | ||
| ) | ||
| ], | ||
| "Associate IAM role to a cluster service account":[ | ||
| DataFlow( | ||
| Actor("User"), | ||
| Process("Kube API").inBoundary(Boundary("Kubernetes Control Plane").inBoundary(Boundary("Single Tenant VPC"))), | ||
| TLS(SIGV4("Annotate service account $acct with Role ARN")) | ||
| ) | ||
| ], | ||
| "Deploy Addon":[ | ||
| DataFlow( | ||
| Actor("User"), | ||
| Process("EKS"), | ||
| TLS(SIGV4("Create add-on CNI,\nCluster: $clusterID")) | ||
| ), | ||
| DataFlow( | ||
| Process("EKS"), | ||
| Process("Kube API"), | ||
| TLS("Deployment Spec: CNI addon\nRole: Role ARN") | ||
| ), | ||
| DataFlow( | ||
| Process("Kube API"), | ||
| Process("eks-pod-identity-webhook").inBoundary(Boundary("Kubernetes Control Plane")), | ||
| TLS("Pod Spec"), | ||
| response=TLS("Mutated Pod Spec,\nAdd projected token to spec") | ||
| ), | ||
| DataFlow( | ||
| Process("Kube API"), | ||
| Process("Kubelet").inBoundary(Boundary("Kubernetes Data Plane").inBoundary(Boundary("Customer Account"))), | ||
| TLS("Launch Pod,\nPod Spec") | ||
| ), | ||
| DataFlow( | ||
| Process("Kubelet"), | ||
| Process("CNI Pod").inBoundary(Boundary("Kubernetes Data Plane")), | ||
| TLS("Launch Pod,\nsvcacct $acct,\nRole ARN,\nJWT STS Token") | ||
| ), | ||
| ], | ||
| "CNI configures VPC":[ | ||
| DataFlow( | ||
| Process("CNI Pod"), | ||
| Process("VPC").inBoundary(Boundary("AWS SVCs")), | ||
| TLS("Update VPC configuration,\nSTS token,\nOperates as Role ARN") | ||
| ), | ||
| ] | ||
| } | ||
|
|
||
| if __name__ == "__main__": | ||
| report(scenes, outputDir="examples/aws-eks-add-on-permissions", dfdLabels=True) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| digraph all { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| User | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| EKS | ||
| IAM | ||
| VPC | ||
| } | ||
| subgraph "cluster_Single Tenant VPC" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Single Tenant VPC" line=dotted] | ||
| subgraph "cluster_Kubernetes Control Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Control Plane" line=dotted] | ||
| "Kube API" | ||
| "eks-pod-identity-webhook" | ||
| } | ||
| } | ||
| subgraph "cluster_Customer Account" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Customer Account" line=dotted] | ||
| subgraph "cluster_Kubernetes Data Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Data Plane" line=dotted] | ||
| Kubelet | ||
| "CNI Pod" | ||
| } | ||
| } | ||
| User -> EKS [dir=both] | ||
| User -> IAM [dir=both] | ||
| User -> "Kube API" [dir=forward] | ||
| EKS -> "Kube API" [dir=forward] | ||
| "Kube API" -> "eks-pod-identity-webhook" [dir=both] | ||
| "Kube API" -> Kubelet [dir=forward] | ||
| Kubelet -> "CNI Pod" [dir=forward] | ||
| "CNI Pod" -> VPC [dir=forward] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
13 changes: 13 additions & 0 deletions
13
examples/aws-eks-add-on-permissions/Associate IAM role to a cluster service account-dfd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| digraph "Associate IAM role to a cluster service account" { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| User | ||
| subgraph "cluster_Single Tenant VPC" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Single Tenant VPC" line=dotted] | ||
| subgraph "cluster_Kubernetes Control Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Control Plane" line=dotted] | ||
| "Kube API" | ||
| } | ||
| } | ||
| User -> "Kube API" [label="(1) Annotate service account $acct with Role ARN"] | ||
| } |
Binary file added
BIN
+19.1 KB
...-eks-add-on-permissions/Associate IAM role to a cluster service account-dfd.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
18 changes: 18 additions & 0 deletions
18
examples/aws-eks-add-on-permissions/CNI configures VPC-dfd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| digraph "CNI configures VPC" { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| subgraph "cluster_Customer Account" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Customer Account" line=dotted] | ||
| subgraph "cluster_Kubernetes Data Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Data Plane" line=dotted] | ||
| "CNI Pod" | ||
| } | ||
| } | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| VPC | ||
| } | ||
| "CNI Pod" -> VPC [label="(1) Update VPC configuration, | ||
| STS token, | ||
| Operates as Role ARN"] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
14 changes: 14 additions & 0 deletions
14
examples/aws-eks-add-on-permissions/Create an IAM OIDC provider for cluster-dfd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| digraph "Create an IAM OIDC provider for cluster" { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| User | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| EKS | ||
| IAM | ||
| } | ||
| User -> EKS [label="(1) Create OIDC endpoint"] | ||
| EKS -> User [label="(2) OIDC provider URL"] | ||
| User -> IAM [label="(3) Add OIDC provider, | ||
| OIDC provider URL"] | ||
| } |
Binary file added
BIN
+29.7 KB
...ples/aws-eks-add-on-permissions/Create an IAM OIDC provider for cluster-dfd.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
16 changes: 16 additions & 0 deletions
16
...s-eks-add-on-permissions/Create an IAM policy & role to allow CPI addon to manage VPC-dfd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| digraph "Create an IAM policy & role to allow CPI addon to manage VPC" { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| User | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| IAM | ||
| } | ||
| User -> IAM [label="(1) Create Policy"] | ||
| IAM -> User [label="(2) Policy ARN"] | ||
| User -> IAM [label="(3) Create Role, | ||
| Trusted Entity: Web Identity, | ||
| Identity Provider: OIDC URL, | ||
| Attach Policy: Policy ARN"] | ||
| IAM -> User [label="(4) Role ARN"] | ||
| } |
Binary file added
BIN
+32.2 KB
...ermissions/Create an IAM policy & role to allow CPI addon to manage VPC-dfd.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| digraph "Deploy Addon" { | ||
| color=blue rankdir=LR | ||
| node [fontname=Arial fontsize=14] | ||
| User | ||
| subgraph "cluster_AWS SVCs" { | ||
| graph [color=red fontname=Arial fontsize=12 label="AWS SVCs" line=dotted] | ||
| EKS | ||
| } | ||
| subgraph "cluster_Single Tenant VPC" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Single Tenant VPC" line=dotted] | ||
| subgraph "cluster_Kubernetes Control Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Control Plane" line=dotted] | ||
| "Kube API" | ||
| "eks-pod-identity-webhook" | ||
| } | ||
| } | ||
| subgraph "cluster_Customer Account" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Customer Account" line=dotted] | ||
| subgraph "cluster_Kubernetes Data Plane" { | ||
| graph [color=red fontname=Arial fontsize=12 label="Kubernetes Data Plane" line=dotted] | ||
| Kubelet | ||
| "CNI Pod" | ||
| } | ||
| } | ||
| User -> EKS [label="(1) Create add-on CNI, | ||
| Cluster: $clusterID"] | ||
| EKS -> "Kube API" [label="(2) Deployment Spec: CNI addon | ||
| Role: Role ARN"] | ||
| "Kube API" -> "eks-pod-identity-webhook" [label="(3) Pod Spec"] | ||
| "eks-pod-identity-webhook" -> "Kube API" [label="(4) Mutated Pod Spec, | ||
| Add projected token to spec"] | ||
| "Kube API" -> Kubelet [label="(5) Launch Pod, | ||
| Pod Spec"] | ||
| Kubelet -> "CNI Pod" [label="(6) Launch Pod, | ||
| svcacct $acct, | ||
| Role ARN, | ||
| JWT STS Token"] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.