Skip to content
/ iam-manager Public

AWS IAM role management for K8s cluster using kube builder "Operator" framework

License

Apache-2.0 license
42 stars 22 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

keikoproj/iam-manager

10 Branches20 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

dependabot[bot]dependabot[bot]
Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.19.0 (#228)
Jul 10, 2024
43d3f06 · Jul 10, 2024

History

291 Commits
.github
.github
Jun 21, 2024
api/v1alpha1
api/v1alpha1
Jan 30, 2024
cmd
cmd
Jan 30, 2024
config
config
Jan 30, 2024
docs
docs
Apr 13, 2022
hack
hack
May 19, 2021
internal
internal
Mar 29, 2024
pkg
pkg
Jun 15, 2023
.gitignore
.gitignore
Jan 30, 2024
Dockerfile
Dockerfile
Jan 30, 2024
LICENSE
LICENSE
Dec 17, 2019
Makefile
Makefile
Jan 30, 2024
PROJECT
PROJECT
Jan 30, 2024
README.md
README.md
Jun 1, 2020
codecov.yml
codecov.yml
Feb 9, 2020
go.mod
go.mod
Jul 10, 2024
go.sum
go.sum
Jul 10, 2024

Repository files navigation

iam-manager

Maintenance PR slack

version Build Status codecov Go Report Card

AWS IAM role management for K8s namespaces inside cluster using k8s CRD Operator.

Security:

Security will be a main concern when we design a solution to create/update/delete IAM roles inside a cluster independently. iam-manager uses AWS IAM Permission Boundary concept along with other solutions to secure the implementation. Please check AWS Security for more details.

Supported Features

Following features are supported by IAM Manager

IAM Roles Management
IAM Role for Service Accounts (IRSA)
AWS Service-Linked Roles
Default Trust Policy for All Roles
Maximum Number of Roles per Namespace
Attaching Managed IAM Policies for All Roles
Multiple Trust policies

iam-manager config-map

This document provide explanation on configmap variables.

Additional Info

iam-manager is built using kubebuilder project and like any other kubebuilder project iam-manager also uses cert-manager to manage the SSL certs for webhooks.

Usage:

Following is the sample Iamrole spec.

apiVersion: iammanager.keikoproj.io/v1alpha1
kind: Iamrole
metadata:
  name: iam-manager-iamrole
spec:
  # Add fields here
  PolicyDocument:
    Statement:
      -
        Effect: "Allow"
        Action:
          - "s3:Get*"
        Resource:
          - "arn:aws:s3:::intu-oim*"
        Sid: "AllowS3Access"
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      -
        Effect: "Allow"
        Action: "sts:AssumeRole"
        Principal:
          AWS:
            - "arn:aws:iam::XXXXXXXXXXX:role/20190504-k8s-kiam-role"

To submit, kubectl apply -f iam_role.yaml --ns namespace1

Installation:

Simplest way to install iam-manager along with the role required for it to do the job is to run install.sh command.

Update the allowed policies in allowed_policies.txt and config map properties config_map as per your environment before you run install.sh.

Note: You must be cluster admin and have exported KUBECONFIG and also has Administrator access to underlying AWS account and have the credentials exported.

example:

export KUBECONFIG=/Users/myhome/.kube/admin@eks-dev2-k8s  
export AWS_PROFILE=admin_123456789012_account
./install.sh [cluster_name] [aws_region] [aws_profile]
./install.sh eks-dev2-k8s us-west-2 aws_profile

To enable web hook or/and also update your installation of iam-manager to work with kiam please check Installation for detailed instructions.

❤ Contributing ❤

Please see CONTRIBUTING.md.

Developer Guide

Please see DEVELOPER.md.

About

AWS IAM role management for K8s cluster using kube builder "Operator" framework

Topics

kubernetes aws security iam crd-controller kubebuilder iam-roles irsa iam-manager

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

42 stars

Watchers

15 watching

Forks

22 forks
Report repository

Releases 19

v0.20.0 Latest
Mar 29, 2024
+ 18 releases

Packages

No packages published

Contributors 14

Languages