
v0.8.0

@cloudpossebot cloudpossebot released this 30 Apr 14:03
debd970
Allow using a ServiceAccount in any Kubernetes namespace. Allow scoping IAM role to an entire Kubernetes namespace @aknysh (#14)

what

  • Allow using a ServiceAccount in any Kubernetes namespace
  • Allow scoping IAM role to an entire Kubernetes namespace

why

  • Allow using a ServiceAccount in any Kubernetes namespace (wildcard service_account_namespace). Useful for unlimited preview environments where we deploy each pull request into a separate Kubernetes namespace
  • Allow scoping IAM role to a Kubernetes namespace (wildcard service_account_name). Provides the ability to scope the role to an entire namespace (use the namespace as a boundary) to allow any ServiceAccount in the namespace to assume the role

related

  • Closes #6

references

notes

  # If both var.service_account_namespace and var.service_account_name are provided,
  # then the role ARN will have one of the following formats:
  # 1. if var.service_account_namespace != var.service_account_name: arn:aws:iam::<account_number>:role/<namespace>-<environment>-<stage>-<optional_name>-<service_account_name>@<service_account_namespace>
  # 2. if var.service_account_namespace == var.service_account_name: arn:aws:iam::<account_number>:role/<namespace>-<environment>-<stage>-<optional_name>-<service_account_name>

  # 3. If var.service_account_namespace == "" and var.service_account_name is provided,
  # then the role ARN will have format arn:aws:iam::<account_number>:role/<namespace>-<environment>-<stage>-<optional_name>-<service_account_name>@all,
  # and the policy will use a wildcard for the namespace in the test condition to allow ServiceAccounts in any Kubernetes namespace to assume the role (useful for unlimited preview environments)

  # 4. If var.service_account_name == "" and var.service_account_namespace is provided,
  # then the role ARN will have format arn:aws:iam::<account_number>:role/<namespace>-<environment>-<stage>-<optional_name>-all@<service_account_namespace>,
  # and the policy will use a wildcard for the service account name in the test condition to allow any ServiceAccount in the given namespace to assume the role.
  # For more details, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html#iam-role-configuration

  # 5. If both var.service_account_name == "" and var.service_account_namespace == "",
  # then the role ARN will have format arn:aws:iam::<account_number>:role/<namespace>-<environment>-<stage>-<optional_name>-all@all,
  # and the policy will use wildcards for both the namespace and the service account name in the test condition to allow all ServiceAccounts
  # in all Kubernetes namespaces to assume the IAM role (not recommended).
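The five cases above determine both the role name and how tightly the role's trust policy is scoped. The following Python is an added example written for these release notes; it is not the module's own Terraform code. It derives the role name from the naming rules quoted above and builds the IRSA trust policy condition on the OIDC `sub` claim (`system:serviceaccount:<namespace>:<service-account>`, per the AWS documentation linked above), switching from `StringEquals` to `StringLike` whenever a wildcard is involved, since `StringEquals` treats `*` literally. The account id, OIDC provider id and label prefix are constructed placeholders, and `sub_allowed` is a hypothetical helper for checking which tokens a given policy would accept.

```python
"""Derive the IRSA role name and trust policy for the five scoping cases.

Added example; not the cloudposse module's own code. Account id, OIDC
provider id and the label prefix are constructed placeholders.
"""
import fnmatch
import json

# Constructed placeholders, not real account or cluster values.
ACCOUNT_ID = "111122223333"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEPROVIDERID"
SUB_KEY = f"{OIDC_PROVIDER}:sub"


def role_name(label_prefix: str, sa_name: str, sa_namespace: str) -> str:
    """Return the role name using the rules from the release notes.

    label_prefix stands in for "<namespace>-<environment>-<stage>-<optional_name>".
    An empty sa_name or sa_namespace is rendered as "all".
    """
    name = sa_name or "all"
    ns = sa_namespace or "all"
    # Case 2: both provided and equal -> the "@<namespace>" suffix is dropped.
    if sa_name and sa_namespace and sa_name == sa_namespace:
        return f"{label_prefix}-{name}"
    return f"{label_prefix}-{name}@{ns}"


def role_arn(label_prefix: str, sa_name: str, sa_namespace: str) -> str:
    return f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name(label_prefix, sa_name, sa_namespace)}"


def trust_policy(sa_name: str, sa_namespace: str) -> dict:
    """Return the trust policy allowing matching ServiceAccounts to assume the role.

    The projected token's sub claim is system:serviceaccount:<ns>:<sa>.
    A fully specified pair uses StringEquals (case 1/2); any empty value is
    replaced with "*" and the condition must use StringLike (cases 3/4/5).
    """
    sub_pattern = f"system:serviceaccount:{sa_namespace or '*'}:{sa_name or '*'}"
    operator = "StringEquals" if (sa_name and sa_namespace) else "StringLike"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {operator: {SUB_KEY: sub_pattern}},
            }
        ],
    }


def scope(sa_name: str, sa_namespace: str) -> str:
    """Describe how broadly the role is exposed, for review of a plan."""
    if sa_name and sa_namespace:
        return "single ServiceAccount"
    if sa_name:
        return "one ServiceAccount name in any namespace"
    if sa_namespace:
        return "any ServiceAccount in one namespace"
    return "any ServiceAccount in any namespace (not recommended)"


def sub_allowed(policy: dict, sub_claim: str) -> bool:
    """Hypothetical helper: would a token with this sub claim satisfy the condition?

    Mirrors IAM semantics: StringEquals is an exact match, StringLike accepts
    the * and ? wildcards (fnmatchcase implements both).
    """
    cond = policy["Statement"][0]["Condition"]
    if "StringEquals" in cond:
        return cond["StringEquals"][SUB_KEY] == sub_claim
    return fnmatch.fnmatchcase(sub_claim, cond["StringLike"][SUB_KEY])


if __name__ == "__main__":
    prefix = "eg-ue2-prod-app"  # constructed label prefix
    for sa, ns in [("myapp", "myapp"), ("myapp", "default"), ("myapp", ""), ("", "pr-42"), ("", "")]:
        print(role_arn(prefix, sa, ns), "->", scope(sa, ns))
        print(json.dumps(trust_policy(sa, ns)["Statement"][0]["Condition"]))
```

Running the block prints the ARN, scope and condition for each case; the per-namespace case (`service_account_name = ""`) is the one that makes a preview namespace the trust boundary, so anything with a ServiceAccount in that namespace can assume the role, which is why `scope` is worth surfacing during plan review.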