diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh
index 58a28ff83d2..e3fc9ab7ab3 100644
--- a/cluster/aws/config-default.sh
+++ b/cluster/aws/config-default.sh
@@ -26,7 +26,8 @@ NUM_MINIONS=${NUM_MINIONS:-4}
 INSTANCE_PREFIX="${KUBE_AWS_INSTANCE_PREFIX:-kubernetes}"
 AWS_SSH_KEY=${AWS_SSH_KEY:-$HOME/.ssh/kube_aws_rsa}
-IAM_PROFILE="kubernetes"
+IAM_PROFILE_MASTER="kubernetes-master"
+IAM_PROFILE_MINION="kubernetes-minion"
 LOG="/dev/null"
diff --git a/cluster/aws/config-test.sh b/cluster/aws/config-test.sh
index 8ec46a98e50..4ebd70cd6fa 100755
--- a/cluster/aws/config-test.sh
+++ b/cluster/aws/config-test.sh
@@ -22,7 +22,8 @@ NUM_MINIONS=${NUM_MINIONS:-2}
 INSTANCE_PREFIX="${KUBE_AWS_INSTANCE_PREFIX:-e2e-test-${USER}}"
 AWS_SSH_KEY=${AWS_SSH_KEY:-$HOME/.ssh/kube_aws_rsa}
-IAM_PROFILE="kubernetes"
+IAM_PROFILE_MASTER="kubernetes-master"
+IAM_PROFILE_MINION="kubernetes-minion"
 LOG="/dev/null"
diff --git a/cluster/aws/templates/iam/kubernetes-master-policy.json b/cluster/aws/templates/iam/kubernetes-master-policy.json
new file mode 100644
index 00000000000..205a5a6313d
--- /dev/null
+++ b/cluster/aws/templates/iam/kubernetes-master-policy.json
@@ -0,0 +1,17 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": ["ec2:*"],
+ "Resource": ["*"]
+ },
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::kubernetes-*"
+ ]
+ }
+ ]
+}
diff --git a/cluster/aws/templates/iam/kubernetes-master-role.json b/cluster/aws/templates/iam/kubernetes-master-role.json
new file mode 100644
index 00000000000..66d5de1d5ae
--- /dev/null
+++ b/cluster/aws/templates/iam/kubernetes-master-role.json
@@ -0,0 +1,10 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": { "Service": "ec2.amazonaws.com"},
+ "Action": "sts:AssumeRole"
+ }
+ ]
+}
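Review bot: The two IAM profile names added to config-test.sh are fixed strings, while the neighbouring `INSTANCE_PREFIX` is scoped to `e2e-test-${USER}`, which appears to exist so that test clusters do not collide with other clusters in the account; IAM is account-wide, so every e2e cluster and every cluster built from config-default.sh now shares the same two roles and whatever policy documents were attached to them first. Following the pattern the file already uses for `KUBE_AWS_INSTANCE_PREFIX` and `AWS_SSH_KEY`, `IAM_PROFILE_MASTER="${KUBE_AWS_IAM_PROFILE_MASTER:-kubernetes-master}"` and `IAM_PROFILE_MINION="${KUBE_AWS_IAM_PROFILE_MINION:-kubernetes-minion}"` would let test and production clusters, or clusters with differently scoped policies, be kept apart without editing the file. The same change applies to the config-default.sh hunk above it.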
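Review bot: The first statement of kubernetes-master-policy.json grants `ec2:*` on `*`, so the master's instance credentials can launch or terminate any instance, alter any security group and attach any EBS volume in the account — far more than a control plane needs — and any process on the master that can reach the instance metadata endpoint obtains them. Narrowing `"Action": ["ec2:*"]` to the specific describe/volume/load-balancer actions the AWS cloud provider actually issues (to be enumerated against the provider code, which is not in this diff) and, where the API supports it, adding a `Condition` on the cluster's resource tags would bring this closer to least privilege. The second statement's `s3:*` on `arn:aws:s3:::kubernetes-*` likewise includes delete and bucket-policy actions on every bucket in the account with that prefix, where read access to the release bucket would do. Note also the inconsistent form: `"Action": ["ec2:*"]` is an array while `"Action": "s3:*"` is a bare string — both are valid IAM, but one form makes future policy diffs easier to read.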
diff --git a/cluster/aws/templates/iam/kubernetes-minion-policy.json b/cluster/aws/templates/iam/kubernetes-minion-policy.json
new file mode 100644
index 00000000000..635ff1f67e0
--- /dev/null
+++ b/cluster/aws/templates/iam/kubernetes-minion-policy.json
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::kubernetes-*"
+ ]
+ }
+ ]
+}
diff --git a/cluster/aws/templates/iam/kubernetes-minion-role.json b/cluster/aws/templates/iam/kubernetes-minion-role.json
new file mode 100644
index 00000000000..66d5de1d5ae
--- /dev/null
+++ b/cluster/aws/templates/iam/kubernetes-minion-role.json
@@ -0,0 +1,10 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": { "Service": "ec2.amazonaws.com"},
+ "Action": "sts:AssumeRole"
+ }
+ ]
+}
diff --git a/cluster/aws/util.sh b/cluster/aws/util.sh
index 8db8dae6d61..12433388e20 100644
--- a/cluster/aws/util.sh
+++ b/cluster/aws/util.sh
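Review bot: The minion policy grants `s3:*` on `arn:aws:s3:::kubernetes-*`, but a node only has to download the server tarball that the docs hunk says S3 is used to deploy; with `PutObject`/`DeleteObject` included, a compromised node — and presumably any pod that can reach the instance metadata endpoint, since nothing in this diff blocks that — can replace the artifact every other node installs from. Reducing it to `"Action": ["s3:GetObject", "s3:ListBucket"]` keeps the bootstrap working (the `kubernetes-*` pattern already covers both the bucket and its objects, because `*` in an IAM resource ARN matches `/`) and removes the write path. The prefix is also shared with the master policy, so any bucket in the account whose name begins with `kubernetes-` is exposed, not only the release bucket; a more specific bucket name or a per-cluster prefix would tighten that.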
@@ -282,12 +282,45 @@ function add-tag {
 exit 1
 }
+# Creates the IAM profile, based on configuration files in templates/iam
+function create-iam-profile {
+ local key=$1
+
+ local conf_dir=file://${KUBE_ROOT}/cluster/aws/templates/iam
+
+ echo "Creating IAM role: ${key}"
+ aws iam create-role --role-name ${key} --assume-role-policy-document ${conf_dir}/${key}-role.json > $LOG
+
+ echo "Creating IAM role-policy: ${key}"
+ aws iam put-role-policy --role-name ${key} --policy-name ${key} --policy-document ${conf_dir}/${key}-policy.json > $LOG
+
+ echo "Creating IAM instance-policy: ${key}"
+ aws iam create-instance-profile --instance-profile-name ${key} > $LOG
+
+ echo "Adding IAM role to instance-policy: ${key}"
+ aws iam add-role-to-instance-profile --instance-profile-name ${key} --role-name ${key} > $LOG
+}
+
+# Creates the IAM roles (if they do not already exist)
+function ensure-iam-profiles {
+ aws iam get-instance-profile --instance-profile-name ${IAM_PROFILE_MASTER} || {
+ echo "Creating master IAM profile: ${IAM_PROFILE_MASTER}"
+ create-iam-profile ${IAM_PROFILE_MASTER}
+ }
+ aws iam get-instance-profile --instance-profile-name ${IAM_PROFILE_MINION} || {
+ echo "Creating master IAM profile: ${IAM_PROFILE_MINION}"
+ create-iam-profile ${IAM_PROFILE_MINION}
+ }
+}
+
 function kube-up {
 find-release-tars
 upload-server-tars
 ensure-temp-dir
+ ensure-iam-profiles
+
 get-password
 python "${KUBE_ROOT}/third_party/htpasswd/htpasswd.py" \
 -b -c "${KUBE_TEMP}/htpasswd" "$KUBE_USER" "$KUBE_PASSWORD"
@@ -300,11 +333,6 @@ function kube-up {
 detect-image
- aws iam get-instance-profile --instance-profile-name ${IAM_PROFILE} || {
- echo "You need to set up an IAM profile and role for kubernetes"
- exit 1
- }
-
 $AWS_CMD import-key-pair --key-name kubernetes --public-key-material file://$AWS_SSH_KEY.pub > $LOG 2>&1 || true
 VPC_ID=$($AWS_CMD describe-vpcs | get_vpc_id)
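Review bot: Neither new function checks whether its `aws iam` calls succeeded — `ensure-iam-profiles` treats any non-zero exit of `get-instance-profile` (access denied, throttling, missing credentials) as "profile does not exist", and `create-iam-profile` discards the status of all four create/put/add calls, so a half-built role or an empty instance profile is silently handed to `run-instances` later in `kube-up` (which continues past this hunk). The existence check also reuses any pre-existing profile of that name without looking at the role or policy attached to it, so the cluster's effective permissions become whatever someone left in the account, and the second branch's message says `Creating master IAM profile` for the minion. A freshly created instance profile is also commonly not yet visible to EC2 for a few seconds, so the first `run-instances` that names it can be rejected; a short retry around that call is worth considering. The rewrite below aborts on the first failure, quotes its expansions, and says explicitly when an existing profile is being reused:

```shell
# Creates the IAM profile, based on configuration files in templates/iam.
# Stops at the first failing call so a half-built role or an empty instance
# profile is never handed to run-instances.
function create-iam-profile {
  local key=$1
  local conf_dir=file://${KUBE_ROOT}/cluster/aws/templates/iam

  echo "Creating IAM role: ${key}"
  aws iam create-role --role-name "${key}" --assume-role-policy-document "${conf_dir}/${key}-role.json" > "$LOG" || return 1

  echo "Creating IAM role-policy: ${key}"
  aws iam put-role-policy --role-name "${key}" --policy-name "${key}" --policy-document "${conf_dir}/${key}-policy.json" > "$LOG" || return 1

  echo "Creating IAM instance-policy: ${key}"
  aws iam create-instance-profile --instance-profile-name "${key}" > "$LOG" || return 1

  echo "Adding IAM role to instance-policy: ${key}"
  aws iam add-role-to-instance-profile --instance-profile-name "${key}" --role-name "${key}" > "$LOG" || return 1
}

# Creates the IAM profiles (if they do not already exist). An existing profile
# is reused as-is; its attached role and policy are NOT verified here.
function ensure-iam-profiles {
  local profile
  for profile in "${IAM_PROFILE_MASTER}" "${IAM_PROFILE_MINION}"; do
    if aws iam get-instance-profile --instance-profile-name "${profile}" > "$LOG"; then
      echo "Reusing existing IAM profile: ${profile} (role/policy not verified)"
    else
      echo "Creating IAM profile: ${profile}"
      create-iam-profile "${profile}" || { echo "Failed to create IAM profile ${profile}" >&2; exit 1; }
    fi
  done
}
# … unchanged: kube-up …
```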
@@ -387,7 +415,7 @@ function kube-up {
 echo "Starting Master"
 master_id=$($AWS_CMD run-instances \
 --image-id $AWS_IMAGE \
- --iam-instance-profile Name=$IAM_PROFILE \
+ --iam-instance-profile Name=$IAM_PROFILE_MASTER \
 --instance-type $MASTER_SIZE \
 --subnet-id $SUBNET_ID \
 --private-ip-address 172.20.0.9 \
@@ -460,7 +488,7 @@ function kube-up {
 ) > "${KUBE_TEMP}/minion-start-${i}.sh"
 minion_id=$($AWS_CMD run-instances \
 --image-id $AWS_IMAGE \
- --iam-instance-profile Name=$IAM_PROFILE \
+ --iam-instance-profile Name=$IAM_PROFILE_MINION \
 --instance-type $MINION_SIZE \
 --subnet-id $SUBNET_ID \
 --private-ip-address 172.20.0.1${i} \
diff --git a/docs/getting-started-guides/aws.md b/docs/getting-started-guides/aws.md
index c30f5f8b8d4..912b5ea9bc5 100644
--- a/docs/getting-started-guides/aws.md
+++ b/docs/getting-started-guides/aws.md
@@ -27,9 +27,11 @@ cluster/kube-up.sh
 The script above relies on AWS S3 to deploy the software to instances running in EC2.
-NOTE: The script will provision a new VPC and a 5 node k8s cluster in us-west-2 (Oregon). It'll also try to create a keypair called "kubernetes" as well as create or reuse an IAM role also called "kubernetes" so make sure one doesn't already exist prior to running the script in order to elminate a potential conflict.
+NOTE: The script will provision a new VPC and a 5 node k8s cluster in us-west-2 (Oregon). It'll also try to create or
+reuse a keypair called "kubernetes", and IAM profiles called "kubernetes-master" and "kubernetes-minion". If these
+already exist, make sure you want them to be used here.
-Once the cluster is up, it will print the ip address of your cluster, this process takes ~5 minutes.
+Once the cluster is up, it will print the ip address of your cluster, this process takes about 5 to 10 minutes.
 ```
 export KUBERNETES_MASTER=https://