kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add service account tags to IAM Roles

This commit is contained in:
Peter Rifel 2021-12-29 10:15:32 -08:00
parent 57fd9722b5
commit f79a126bd2
No known key found for this signature in database
GPG Key ID: BC6469E5B16DB2B6
3 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/model/awsmodel/iam.go
View File

@ -202,15 +202,19 @@ func (b *IAMModelBuilder) buildIAMRole(role iam.Subject, iamName string, c *fi.M
Lifecycle: b.Lifecycle,
RolePolicyDocument: rolePolicy,
Tags: b.CloudTags(iamName, false),
}
if isServiceAccount {
// e.g. kube-system-dns-controller
iamRole.ExportWithID = fi.String(roleKey)
sa, ok := role.ServiceAccount()
if ok {
iamRole.Tags = b.CloudTagsForServiceAccount(iamName, sa)
}
} else {
// e.g. nodes
iamRole.ExportWithID = fi.String(roleKey + "s")
iamRole.Tags = b.CloudTags(iamName, false)
}
if b.Cluster.Spec.IAM != nil && b.Cluster.Spec.IAM.PermissionsBoundary != nil {

8
pkg/model/context.go
View File

@ -21,6 +21,7 @@ import (
"net"
"strings"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/apis/kops/model"
"k8s.io/kops/pkg/apis/kops/util"
@ -189,6 +190,13 @@ func (b *KopsModelContext) CloudTagsForInstanceGroup(ig *kops.InstanceGroup) (ma
return labels, nil
}
func (b *KopsModelContext) CloudTagsForServiceAccount(name string, sa types.NamespacedName) map[string]string {
tags := b.CloudTags(name, false)
tags[awstasks.CloudTagServiceAccountName] = sa.Name
tags[awstasks.CloudTagServiceAccountNamespace] = sa.Namespace
return tags
}
// CloudTags computes the tags to apply to a normal cloud resource with the specified name
func (b *KopsModelContext) CloudTags(name string, shared bool) map[string]string {
tags := make(map[string]string)

6
upup/pkg/fi/cloudup/awstasks/iamrole.go
View File

@ -34,6 +34,12 @@ import (
"k8s.io/kops/upup/pkg/fi/cloudup/terraformWriter"
)
// CloudTagServiceAccountName is a tag that defines the service account's name
const CloudTagServiceAccountName = "service-account.kops.k8s.io/name"
// CloudTagServiceAccountNamespace is a tag that defines the service account's namespace
const CloudTagServiceAccountNamespace = "service-account.kops.k8s.io/namespace"
// +kops:fitask
type IAMRole struct {
ID *string