Kyverno AWS Adapter is a Kubernetes controller for the AWSAdapterConfig CRD. As of now, it observes the realtime state of an EKS cluster and reconciles it with the currently stored state, but can be further expanded to other AWS services later on by extending the current API with the help of AWS SDK for Go v2.
Check out the getting_started.md guide for installing the Nirmata Kyverno Adapter for AWS.
You’ll need an EKS cluster to run against.
-
Make sure that you have configured an IAM role for the service account to be used by the Kyverno AWS Adapter.
-
Install the Helm Chart and verify that the Adapter works as expected. Follow instructions given here
This adapter utilizes the ARN of a user-defined IAM Role associated with any policy that has Full: List, Read permissions for the EKS service, including the following:
| Permission |
|---|
| ListAddons |
| ListClusters |
| ListFargateProfiles |
| ListIdentityProviderConfigs |
| ListNodeGroups |
| ListUpdates |
| AccessKubernetesApi |
| DescribeAddon |
| DescribeAddonVersions |
| DescribeCluster |
| DescribeFargateProfile |
| DescribeIdentityProviderConfig |
| DescribeNodegroup |
| DescribeUpdate |
| ListTagsForResource |
You can specify the Role's ARN through the roleArn setting in the Helm chart.
Please ensure that the trust relationship policy for your IAM role resembles the following format:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account_id>:oidc-provider/oidc.eks.<region>.amazonaws.com/id/<oidc_provider_id>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.<region>.amazonaws.com/id/<oidc_provider_id>:aud": "sts.amazonaws.com",
"oidc.eks.<region>.amazonaws.com/id/<oidc_provider_id>:sub": "system:serviceaccount:$namespace:<service_account>"
}
}
}
]
}For detailed instructions on how to configure the IAM role for service account, check out the official AWS documentation on IAM roles for service accounts.