Installs kiam to integrate AWS IAM with Kubernetes.

```shell
$ helm install stable/kiam
```

This chart bootstraps a kiam deployment on a Kubernetes cluster using the Helm package manager.
- Kubernetes 1.8+ with Beta APIs enabled
In order for the chart to configure kiam correctly during the installation process you should have created and installed TLS certificates and private keys as described here.
Tip: The `hosts` field in the kiam server certificate should include the value `release-name-server:server-service-port`, e.g. `my-release-server:443`.
If you don't include the exact hostname the kiam agent uses to connect to the server, you'll see a warning (which is really an error) in the agent logs similar to the following, and your pods will fail to obtain credentials:

```json
{"level":"warning","msg":"error finding role for pod: rpc error: code = Unavailable desc = there is no connection available","pod.ip":"100.120.0.2","time":"2018-05-24T04:11:25Z"}
```
Define the values `agent.tlsFiles.ca`, `agent.tlsFiles.cert`, `agent.tlsFiles.key`, `server.tlsFiles.ca`, `server.tlsFiles.cert` and `server.tlsFiles.key` to be the base64-encoded contents (e.g. using the `base64` command) of the generated PEM files.
For example:

```yaml
agent:
  tlsFiles:
    key: LS0tL...
    cert: LS0tL...
    ca: LS0tL...
server:
  tlsFiles:
    key: LS0tL...
    cert: LS0tL...
    ca: LS0tL...
```
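The following script is an added example, not part of the kiam chart: it builds the `tlsFiles` values block above from PEM files and, before doing so, checks that the server certificate's Subject Alternative Name carries the `release-name-server` host from the tip above, which is the mismatch that produces the agent warning shown earlier. It assumes files named `ca.pem`, `cert.pem` and `key.pem` under `agent/` and `server/` subdirectories of a certificate directory, and that `openssl` is on the PATH for the SAN check.

```shell
#!/bin/sh
# Added example (not chart code): emit kiam tlsFiles values from PEM files
# and verify the server cert names the host the agent will connect to.
# Assumed layout: <certdir>/agent/{ca,cert,key}.pem and <certdir>/server/{ca,cert,key}.pem

# base64-encode a file onto a single line (portable across GNU and BSD base64)
b64_file() {
  base64 < "$1" | tr -d '\n'
}

# Print the YAML values block for one component ("agent" or "server")
# from the PEM files in the given directory.
tls_values_block() {
  comp="$1"; dir="$2"
  printf '%s:\n  tlsFiles:\n    key: %s\n    cert: %s\n    ca: %s\n' \
    "$comp" \
    "$(b64_file "$dir/key.pem")" \
    "$(b64_file "$dir/cert.pem")" \
    "$(b64_file "$dir/ca.pem")"
}

# Return 0 if the certificate's Subject Alternative Name mentions the host
# (matches both "my-release-server" and "my-release-server:443" entries).
cert_has_san_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -q "$2"
}

# Usage: ./kiam-tls-values.sh my-release ./certs > kiam-tls-values.yaml
if [ "$#" -eq 2 ]; then
  release="$1"; certdir="$2"
  if ! cert_has_san_host "$certdir/server/cert.pem" "${release}-server"; then
    echo "server cert SAN lacks ${release}-server; the agent will fail to connect" >&2
    exit 1
  fi
  tls_values_block agent "$certdir/agent"
  tls_values_block server "$certdir/server"
fi
```

Pass the generated file to `helm install` with `-f`; the SAN check is the one you would want to run before every certificate rotation, since the agent error only appears after deployment.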
To install the chart with the release name `my-release`:

```shell
$ helm install stable/kiam --name my-release
```
The command deploys kiam on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.
To uninstall/delete the `my-release` deployment:

```shell
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
The following table lists the configurable parameters of the kiam chart and their default values.

| Parameter | Description | Default |
|---|---|---|
| `agent.enabled` | If true, create agent | `true` |
| `agent.name` | Agent container name | `agent` |
| `agent.image.repository` | Agent image | `quay.io/uswitch/kiam` |
| `agent.image.tag` | Agent image tag | `v2.8` |
| `agent.image.pullPolicy` | Agent image pull policy | `IfNotPresent` |
| `agent.dnsPolicy` | Agent pod DNS policy | `ClusterFirstWithHostNet` |
| `agent.extraArgs` | Additional agent container arguments | `{}` |
| `agent.extraEnv` | Additional agent container environment variables | `{}` |
| `agent.extraHostPathMounts` | Additional agent container hostPath mounts | `[]` |
| `agent.gatewayTimeoutCreation` | Agent's timeout when creating the kiam gateway | `50ms` |
| `agent.host.ip` | IP address of host | `$(HOST_IP)` |
| `agent.host.iptables` | Add iptables rule | `false` |
| `agent.host.interface` | Agent's host interface for proxying AWS metadata | `cali+` |
| `agent.host.port` | Agent's listening port | `8181` |
| `agent.log.jsonOutput` | Whether or not to output agent log in JSON format | `true` |
| `agent.log.level` | Agent log level (`debug`, `info`, `warn` or `error`) | `info` |
| `agent.nodeSelector` | Node labels for agent pod assignment | `{}` |
| `agent.prometheus.port` | Agent Prometheus metrics port | `9620` |
| `agent.prometheus.scrape` | Whether or not Prometheus metrics for the agent should be scraped | `true` |
| `agent.prometheus.syncInterval` | Agent Prometheus synchronization interval | `5s` |
| `agent.podAnnotations` | Annotations to be added to agent pods | `{}` |
| `agent.podLabels` | Labels to be added to agent pods | `{}` |
| `agent.resources` | Agent container resources | `{}` |
| `agent.tlsFiles.ca` | Base64 encoded string for the agent's CA certificate(s) | `null` |
| `agent.tlsFiles.cert` | Base64 encoded string for the agent's certificate | `null` |
| `agent.tlsFiles.key` | Base64 encoded string for the agent's private key | `null` |
| `agent.tolerations` | Tolerations to be applied to agent pods | `[]` |
| `agent.updateStrategy` | Strategy for agent DaemonSet updates (requires Kubernetes 1.6+) | `OnDelete` |
| `server.enabled` | If true, create server | `true` |
| `server.name` | Server container name | `server` |
| `server.gatewayTimeoutCreation` | Server's timeout when creating the kiam gateway | `50ms` |
| `server.image.repository` | Server image | `quay.io/uswitch/kiam` |
| `server.image.tag` | Server image tag | `v2.8` |
| `server.image.pullPolicy` | Server image pull policy | `Always` |
| `server.assumeRoleArn` | IAM role for the server to assume before processing requests | `null` |
| `server.cache.syncInterval` | Pod cache synchronization interval | `1m` |
| `server.extraArgs` | Additional server container arguments | `{}` |
| `server.extraEnv` | Additional server container environment variables | `{}` |
| `server.extraHostPathMounts` | Additional server container hostPath mounts | `[]` |
| `server.log.jsonOutput` | Whether or not to output server log in JSON format | `true` |
| `server.log.level` | Server log level (`debug`, `info`, `warn` or `error`) | `info` |
| `server.nodeSelector` | Node labels for server pod assignment | `{}` |
| `server.prometheus.port` | Server Prometheus metrics port | `9620` |
| `server.prometheus.scrape` | Whether or not Prometheus metrics for the server should be scraped | `true` |
| `server.prometheus.syncInterval` | Server Prometheus synchronization interval | `5s` |
| `server.podAnnotations` | Annotations to be added to server pods | `{}` |
| `server.podLabels` | Labels to be added to server pods | `{}` |
| `server.probes.serverAddress` | Address that readiness and liveness probes will hit | `localhost` |
| `server.resources` | Server container resources | `{}` |
| `server.roleBaseArn` | Base ARN for IAM roles. If not specified, use the EC2 metadata service to detect the ARN prefix | `null` |
| `server.sessionDuration` | Session duration for STS tokens generated by the server | `15m` |
| `server.service.port` | Server service port | `443` |
| `server.service.targetPort` | Server service target port | `443` |
| `server.tlsFiles.ca` | Base64 encoded string for the server's CA certificate(s) | `null` |
| `server.tlsFiles.cert` | Base64 encoded string for the server's certificate | `null` |
| `server.tlsFiles.key` | Base64 encoded string for the server's private key | `null` |
| `server.tolerations` | Tolerations to be applied to server pods | `[]` |
| `server.updateStrategy` | Strategy for server DaemonSet updates (requires Kubernetes 1.6+) | `OnDelete` |
| `server.useHostNetwork` | If true, use hostNetwork on server to bypass agent iptables rules | `false` |
| `rbac.create` | If true, create & use RBAC resources | `true` |
| `serviceAccounts.agent.create` | If true, create the agent service account | `true` |
| `serviceAccounts.agent.name` | Name of the agent service account to use or create | `{{ kiam.agent.fullname }}` |
| `serviceAccounts.server.create` | If true, create the server service account | `true` |
| `serviceAccounts.server.name` | Name of the server service account to use or create | `{{ kiam.server.fullname }}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, using the chart's own `agent.host.*` and `server.roleBaseArn` parameters from the table above:

```shell
$ helm install stable/kiam --name my-release \
    --set agent.host.iptables=true,agent.host.interface=cbr0,server.roleBaseArn=arn:aws:iam::0123456789:role/
```

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

```shell
$ helm install stable/kiam --name my-release -f values.yaml
```

Tip: You can use the default `values.yaml` as a starting point.