vmware-tanzu
/
velero
mirror of https://github.com/vmware-tanzu/velero.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Documentation on using ark with kube2iam 

This PR updates the documentation & example deployment template to show how `ark` can be ran utilizing [https://github.com/jtblin/kube2iam](Kube2iam) for AWS IAM permissions, rather than using access key & secret key.

Signed-off-by: Dominik Deren <dominik.deren@live.com>
pull/402/head
Dominik Deren 2018-03-23 15:17:26 -07:00
parent 2e08fd40a7
commit 1db966bf3c
7 changed files with 261 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
docs/aws-config.md
View File

@ -141,10 +141,6 @@ Specify the following values in the example files:
* Replace `<YOUR_BUCKET>` and `<YOUR_REGION>`. See the [Config definition][6] for details.
* In `examples/common/10-deployment.yaml`:
* Make sure that `spec.template.spec.containers[*].env.name` is "AWS_SHARED_CREDENTIALS_FILE".
* (Optional) If you run the nginx example, in file `examples/nginx-app/with-pv.yaml`:
* Replace `<YOUR_STORAGE_CLASS_NAME>` with `gp2`. This is AWS's default `StorageClass` name.
@ -155,9 +151,123 @@ In the root of your Ark directory, run:
```bash
kubectl apply -f examples/aws/00-ark-config.yaml
kubectl apply -f examples/common/10-deployment.yaml
kubectl apply -f examples/aws/10-deployment.yaml
```
## ALTERNATIVE: Setup permissions using kube2iam
[Kube2iam](https://github.com/jtblin/kube2iam) is a Kubernetes application that allows managing AWS IAM permissions for pod via annotations rather than operating on API keys.
> This path assumes you have `kube2iam` already running in your Kubernetes cluster. If that is not the case, please install it first, following the docs here: https://github.com/jtblin/kube2iam
It can be set up for Ark by creating a role that will have required permissions, and later by adding the permissions annotation on the ark deployment to define which role it should use internally.
1. Create a Trust Policy document to allow the role being used for EC2 management & assume kube2iam role:
```bash
cat > heptio-ark-trust-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_CREATED_WHEN_INITIALIZING_KUBE2IAM>"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
```
2. Create the IAM role:
```bash
aws iam create-role --role-name heptio-ark --assume-role-policy-document file://./heptio-ark-trust-policy.json
```
3. Attach policies to give `heptio-ark` the necessary permissions:
```bash
BUCKET=<YOUR_BUCKET>
cat > heptio-ark-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::${BUCKET}/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::${BUCKET}"
]
}
]
}
EOF
aws iam put-role-policy \
--role-name heptio-ark \
--policy-name heptio-ark-policy \
--policy-document file://./heptio-ark-policy.json
```
4. Update AWS_ACCOUNT_ID & HEPTIO_ARK_ROLE_NAME in the file `examples/common/10-deployment-kube2iam.yaml`:
```
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
namespace: heptio-ark-server
name: ark
spec:
replicas: 1
template:
metadata:
labels:
component: ark
annotations:
iam.amazonaws.com/role: arn:aws:iam::<AWS_ACCOUNT_ID>:role/heptio-ark
...
```
5. Run Ark deployment using the file `examples/aws/10-deployment-kube2iam.yaml`.
[0]: namespace.md
[6]: config-definition.md#aws
[14]: http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

6
docs/gcp-config.md
View File

@ -84,10 +84,6 @@ Specify the following values in the example files:
* Replace `<YOUR_BUCKET>`. See the [Config definition][7] for details.
* In file `examples/common/10-deployment.yaml`:
* Change `spec.template.spec.containers[*].env.name` to "GOOGLE_APPLICATION_CREDENTIALS".
* (Optional) If you run the nginx example, in file `examples/nginx-app/with-pv.yaml`:
* Replace `<YOUR_STORAGE_CLASS_NAME>` with `standard`. This is GCP's default `StorageClass` name.
@ -98,7 +94,7 @@ In the root of your Ark directory, run:
```bash
kubectl apply -f examples/gcp/00-ark-config.yaml
kubectl apply -f examples/common/10-deployment.yaml
kubectl apply -f examples/gcp/10-deployment.yaml
```
[0]: namespace.md

2
docs/ibm-config.md
View File

@ -69,7 +69,7 @@ In the root of your Ark directory, run:
```bash
kubectl apply -f examples/ibm/00-ark-config.yaml
kubectl apply -f examples/common/10-deployment.yaml
kubectl apply -f examples/ibm/10-deployment.yaml
```
[0]: namespace.md

44
examples/aws/10-deployment-kube2iam.yaml Normal file
View File

@ -0,0 +1,44 @@
# Copyright 2018 the Heptio Ark contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
namespace: heptio-ark-server
name: ark
spec:
replicas: 1
template:
metadata:
labels:
component: ark
annotations:
iam.amazonaws.com/role: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<HEPTIO_ARK_ROLE_NAME>
spec:
restartPolicy: Always
serviceAccountName: ark
containers:
- name: ark
image: gcr.io/heptio-images/ark:latest
command:
- /ark
args:
- server
volumeMounts:
- name: plugins
mountPath: /plugins
volumes:
- name: plugins
emptyDir: {}

0
examples/common/10-deployment.yaml → examples/aws/10-deployment.yaml
View File

50
examples/gcp/10-deployment.yaml Normal file
View File

@ -0,0 +1,50 @@
# Copyright 2018 the Heptio Ark contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
namespace: heptio-ark-server
name: ark
spec:
replicas: 1
template:
metadata:
labels:
component: ark
spec:
restartPolicy: Always
serviceAccountName: ark
containers:
- name: ark
image: gcr.io/heptio-images/ark:latest
command:
- /ark
args:
- server
volumeMounts:
- name: cloud-credentials
mountPath: /credentials
- name: plugins
mountPath: /plugins
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /credentials/cloud
volumes:
- name: cloud-credentials
secret:
secretName: cloud-credentials
- name: plugins
emptyDir: {}

50
examples/ibm/10-deployment.yaml Normal file
View File

@ -0,0 +1,50 @@
# Copyright 2018 the Heptio Ark contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
namespace: heptio-ark-server
name: ark
spec:
replicas: 1
template:
metadata:
labels:
component: ark
spec:
restartPolicy: Always
serviceAccountName: ark
containers:
- name: ark
image: gcr.io/heptio-images/ark:latest
command:
- /ark
args:
- server
volumeMounts:
- name: cloud-credentials
mountPath: /credentials
- name: plugins
mountPath: /plugins
env:
- name: AWS_SHARED_CREDENTIALS_FILE
value: /credentials/cloud
volumes:
- name: cloud-credentials
secret:
secretName: cloud-credentials
- name: plugins
emptyDir: {}