mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2026-06-12 22:47:57 +00:00
Vincent Schwarzer
3c6b1480b8
Rewrote AWS Terraform deployment for AWS Kargo. It supports now multiple Availability Zones, AWS Loadbalancer for Kubernetes API, Bastion Host, ... For more information see README
139 lines
2.9 KiB
Terraform
139 lines
2.9 KiB
Terraform
#Add AWS Roles for Kubernetes
|
|
|
|
resource "aws_iam_role" "kube-master" {
|
|
name = "kubernetes-${var.aws_cluster_name}-master"
|
|
assume_role_policy = <<EOF
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "sts:AssumeRole",
|
|
"Principal": {
|
|
"Service": "ec2.amazonaws.com"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
}
|
|
|
|
resource "aws_iam_role" "kube-worker" {
|
|
name = "kubernetes-${var.aws_cluster_name}-node"
|
|
assume_role_policy = <<EOF
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "sts:AssumeRole",
|
|
"Principal": {
|
|
"Service": "ec2.amazonaws.com"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
}
|
|
|
|
#Add AWS Policies for Kubernetes
|
|
|
|
resource "aws_iam_role_policy" "kube-master" {
|
|
name = "kubernetes-${var.aws_cluster_name}-master"
|
|
role = "${aws_iam_role.kube-master.id}"
|
|
policy = <<EOF
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": ["ec2:*"],
|
|
"Resource": ["*"]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": ["elasticloadbalancing:*"],
|
|
"Resource": ["*"]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": ["route53:*"],
|
|
"Resource": ["*"]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "s3:*",
|
|
"Resource": [
|
|
"arn:aws:s3:::kubernetes-*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
}
|
|
|
|
resource "aws_iam_role_policy" "kube-worker" {
|
|
name = "kubernetes-${var.aws_cluster_name}-node"
|
|
role = "${aws_iam_role.kube-worker.id}"
|
|
policy = <<EOF
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "s3:*",
|
|
"Resource": [
|
|
"arn:aws:s3:::kubernetes-*"
|
|
]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "ec2:Describe*",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "ec2:AttachVolume",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "ec2:DetachVolume",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": ["route53:*"],
|
|
"Resource": ["*"]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"ecr:GetAuthorizationToken",
|
|
"ecr:BatchCheckLayerAvailability",
|
|
"ecr:GetDownloadUrlForLayer",
|
|
"ecr:GetRepositoryPolicy",
|
|
"ecr:DescribeRepositories",
|
|
"ecr:ListImages",
|
|
"ecr:BatchGetImage"
|
|
],
|
|
"Resource": "*"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
}
|
|
|
|
|
|
#Create AWS Instance Profiles
|
|
|
|
resource "aws_iam_instance_profile" "kube-master" {
|
|
name = "kube_${var.aws_cluster_name}_master_profile"
|
|
roles = ["${aws_iam_role.kube-master.name}"]
|
|
}
|
|
|
|
resource "aws_iam_instance_profile" "kube-worker" {
|
|
name = "kube_${var.aws_cluster_name}_node_profile"
|
|
roles = ["${aws_iam_role.kube-worker.name}"]
|
|
}
|