Kube2IAM

Dependencies

None

Install

Enable Assumed Roles

Important

By default, the kops manifest that ships with Geodesic is already configured to permit nodes to assume roles, so you can continue to the next step.

The instance profile of every Kubernetes node must have permission to assume roles.

To do this, the kops manifest should define the following additionalPolicies. By default, we include this in the manifest.yaml that ships with Geodesic.

manifest.yaml

apiVersion: kops/v1alpha2
kind: Cluster
metadata:
  name: us-west-2.staging.example.com
spec:
  additionalPolicies:
      nodes: |
        [
          {
            "Sid": "assumeClusterRole",
            "Action": [
              "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": ["*"]
          }
        ]

Follow the instructions to apply the changes to the kops cluster.
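
The following is an added example, not part of the original page or of the Geodesic or kube2iam code. It checks a node policy like the one above for `sts:AssumeRole` grants that are not pinned to an account and role path; with `"Resource": ["*"]` it is left to each role's trust policy to decide whether a node may assume it. The account ID, the `k8s/` role path and all function names are assumptions made up for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the JSON value of spec.additionalPolicies.nodes shown above.
PAGE_POLICY = """[{"Sid": "assumeClusterRole", "Action": ["sts:AssumeRole"],
                   "Effect": "Allow", "Resource": ["*"]}]"""

# Constructed sample: same statement pinned to a hypothetical account ID and role path.
SCOPED_POLICY = """[{"Sid": "assumeClusterRole", "Action": "sts:AssumeRole",
    "Effect": "Allow", "Resource": "arn:aws:iam::111122223333:role/k8s/*"}]"""


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _grants_assume_role(action):
    # Action names are case-insensitive and may use * and ? wildcards.
    return fnmatchcase("sts:assumerole", action.lower())


def _is_broad(resource):
    """True unless the ARN names one account and narrows the role name or path."""
    parts = resource.split(":", 5)  # arn:partition:iam::account:role/...
    if len(parts) != 6 or parts[2] != "iam":
        return True
    account, role = parts[4], parts[5]
    return "*" in account or role in ("*", "role/*")


def broad_assume_role_statements(policy_json):
    """Return (Sid, Resource) pairs where an Allow statement grants unscoped sts:AssumeRole."""
    doc = json.loads(policy_json)
    # The manifest holds a bare list of statements; a full policy wraps it in "Statement".
    statements = doc["Statement"] if isinstance(doc, dict) else doc
    findings = []
    for stmt in statements:
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(map(_grants_assume_role, actions)):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if _is_broad(res):
                findings.append((stmt.get("Sid", "<no Sid>"), res))
    return findings


if __name__ == "__main__":
    print(broad_assume_role_statements(PAGE_POLICY), broad_assume_role_statements(SCOPED_POLICY))
```

The check only looks at `Action` and `Resource`; statements written with `NotAction` or `NotResource` need a separate review.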

Kops Integration

Now, to leverage IAM roles with your kops cluster, you'll need to install kube2iam. There are a number of ways to go about this, but we recommend using the Master Helmfile that ships with Geodesic.

Install with Master Helmfile