Configure separate IAM roles for master & minion, create roles automatically

cluster/aws/config-default.sh

@@ -26,7 +26,8 @@ NUM_MINIONS=${NUM_MINIONS:-4}
 
 INSTANCE_PREFIX="${KUBE_AWS_INSTANCE_PREFIX:-kubernetes}"
 AWS_SSH_KEY=${AWS_SSH_KEY:-$HOME/.ssh/kube_aws_rsa}
-IAM_PROFILE="kubernetes"
+IAM_PROFILE_MASTER="kubernetes-master"
+IAM_PROFILE_MINION="kubernetes-minion"
 
 LOG="/dev/null"
 

cluster/aws/config-test.sh

@@ -22,7 +22,8 @@ NUM_MINIONS=${NUM_MINIONS:-2}
 
 INSTANCE_PREFIX="${KUBE_AWS_INSTANCE_PREFIX:-e2e-test-${USER}}"
 AWS_SSH_KEY=${AWS_SSH_KEY:-$HOME/.ssh/kube_aws_rsa}
-IAM_PROFILE="kubernetes"
+IAM_PROFILE_MASTER="kubernetes-master"
+IAM_PROFILE_MINION="kubernetes-minion"
 
 LOG="/dev/null"
 

cluster/aws/templates/iam/kubernetes-master-policy.json

@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": ["ec2:*"],
+      "Resource": ["*"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": "s3:*",
+      "Resource": [
+        "arn:aws:s3:::kubernetes-*"
+      ]
+    }
+  ]
+}

cluster/aws/templates/iam/kubernetes-master-role.json

@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": { "Service": "ec2.amazonaws.com"},
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}

cluster/aws/templates/iam/kubernetes-minion-policy.json

@@ -0,0 +1,12 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:*",
+      "Resource": [
+        "arn:aws:s3:::kubernetes-*"
+      ]
+    }
+  ]
+}

cluster/aws/templates/iam/kubernetes-minion-role.json

@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": { "Service": "ec2.amazonaws.com"},
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}

cluster/aws/util.sh

@@ -282,12 +282,45 @@ function add-tag {
   exit 1
 }
 
+# Creates the IAM profile, based on configuration files in templates/iam
+function create-iam-profile {
+  local key=$1
+
+  local conf_dir=file://${KUBE_ROOT}/cluster/aws/templates/iam
+
+  echo "Creating IAM role: ${key}"
+  aws iam create-role --role-name ${key} --assume-role-policy-document ${conf_dir}/${key}-role.json > $LOG
+
+  echo "Creating IAM role-policy: ${key}"
+  aws iam put-role-policy --role-name ${key} --policy-name ${key} --policy-document ${conf_dir}/${key}-policy.json > $LOG
+
+  echo "Creating IAM instance-policy: ${key}"
+  aws iam create-instance-profile --instance-profile-name ${key} > $LOG
+
+  echo "Adding IAM role to instance-policy: ${key}"
+  aws iam add-role-to-instance-profile --instance-profile-name ${key} --role-name ${key} > $LOG
+}
+
+# Creates the IAM roles (if they do not already exist)
+function ensure-iam-profiles {
+  aws iam get-instance-profile --instance-profile-name ${IAM_PROFILE_MASTER} || {
+    echo "Creating master IAM profile: ${IAM_PROFILE_MASTER}"
+    create-iam-profile ${IAM_PROFILE_MASTER}
+  }
+  aws iam get-instance-profile --instance-profile-name ${IAM_PROFILE_MINION} || {
+    echo "Creating master IAM profile: ${IAM_PROFILE_MINION}"
+    create-iam-profile ${IAM_PROFILE_MINION}
+  }
+}
+
 function kube-up {
   find-release-tars
   upload-server-tars
 
   ensure-temp-dir
 
+  ensure-iam-profiles
+
   get-password
   python "${KUBE_ROOT}/third_party/htpasswd/htpasswd.py" \
     -b -c "${KUBE_TEMP}/htpasswd" "$KUBE_USER" "$KUBE_PASSWORD"
@@ -300,11 +333,6 @@ function kube-up {
 
   detect-image
 
-  aws iam get-instance-profile --instance-profile-name ${IAM_PROFILE} || {
-        echo "You need to set up an IAM profile and role for kubernetes"
-        exit 1
-  }
-
   $AWS_CMD import-key-pair --key-name kubernetes --public-key-material file://$AWS_SSH_KEY.pub > $LOG 2>&1 || true
 
   VPC_ID=$($AWS_CMD describe-vpcs | get_vpc_id)
@@ -387,7 +415,7 @@ function kube-up {
   echo "Starting Master"
   master_id=$($AWS_CMD run-instances \
     --image-id $AWS_IMAGE \
-    --iam-instance-profile Name=$IAM_PROFILE \
+    --iam-instance-profile Name=$IAM_PROFILE_MASTER \
     --instance-type $MASTER_SIZE \
     --subnet-id $SUBNET_ID \
     --private-ip-address 172.20.0.9 \
@@ -460,7 +488,7 @@ function kube-up {
     ) > "${KUBE_TEMP}/minion-start-${i}.sh"
     minion_id=$($AWS_CMD run-instances \
       --image-id $AWS_IMAGE \
-      --iam-instance-profile Name=$IAM_PROFILE \
+      --iam-instance-profile Name=$IAM_PROFILE_MINION \
       --instance-type $MINION_SIZE \
       --subnet-id $SUBNET_ID \
       --private-ip-address 172.20.0.1${i} \

docs/getting-started-guides/aws.md

@@ -27,9 +27,11 @@ cluster/kube-up.sh
 
 The script above relies on AWS S3 to deploy the software to instances running in EC2.
 
-NOTE: The script will provision a new VPC and a 5 node k8s cluster in us-west-2 (Oregon). It'll also try to create a keypair called "kubernetes" as well as create or reuse an IAM role also called "kubernetes" so make sure one doesn't already exist prior to running the script in order to elminate a potential conflict.
+NOTE: The script will provision a new VPC and a 5 node k8s cluster in us-west-2 (Oregon). It'll also try to create or
+reuse a keypair called "kubernetes", and IAM profiles called "kubernetes-master" and "kubernetes-minion".  If these
+already exist, make sure you want them to be used here.
 
-Once the cluster is up, it will print the ip address of your cluster, this process takes ~5 minutes.
+Once the cluster is up, it will print the ip address of your cluster, this process takes about 5 to 10 minutes.
 
 ```
 export KUBERNETES_MASTER=https://<ip-address>