Merge pull request openshift#51026 from pneedle-rh/osdocs-1594-add-pod-identity-webhook-content-rosa

OSDOCS-1594 - Adding pod identity webhook content for ROSA

Author: pneedle-rh

_topic_maps/_topic_map_rosa.yml

@@ -254,6 +254,13 @@ Topics:
 - Name: Managing security context constraints
   File: managing-security-context-constraints
 ---
+Name: Authentication and authorization
+Dir: authentication
+Distros: openshift-rosa
+Topics:
+- Name: Assuming an AWS IAM role for a service account
+  File: assuming-an-aws-iam-role-for-a-service-account
+---
 Name: Upgrading
 Dir: upgrading
 Distros: openshift-rosa

authentication/assuming-an-aws-iam-role-for-a-service-account.adoc

@@ -0,0 +1,41 @@
+:_content-type: ASSEMBLY
+[id="assuming-an-aws-iam-role-for-a-service-account"]
+= Assuming an AWS IAM role for a service account
+include::_attributes/common-attributes.adoc[]
+ifdef::openshift-rosa,openshift-dedicated[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
+endif::openshift-rosa,openshift-dedicated[]
+:context: assuming-an-aws-iam-role-for-a-service-account
+
+toc::[]
+
+[role="_abstract"]
+ifdef::openshift-rosa[]
+{product-title} clusters that use the AWS Security Token Service (STS) include a pod identity webhook for use with pods that run in user-defined projects.
+endif::openshift-rosa[]
+
+You can use the pod identity webhook to enable a service account to automatically assume an AWS Identity and Access Management (IAM) role in your own pods. If the assumed IAM role has the required AWS permissions, the pods can run AWS SDK operations by using temporary STS credentials.
+
+include::modules/understanding-pod-identity-webhook-workflow-in-user-defined-projects.adoc[leveloffset=+1]
+include::modules/assuming-an-aws-iam-role-in-your-own-pods.adoc[leveloffset=+1]
+include::modules/setting-up-an-aws-iam-role-a-service-account.adoc[leveloffset=+2]
+include::modules/creating-a-service-account-in-your-project.adoc[leveloffset=+2]
+include::modules/creating-an-example-aws-sdk-container-image.adoc[leveloffset=+2]
+include::modules/deploying-a-pod-that-includes-an-aws-sdk.adoc[leveloffset=+2]
+include::modules/verifying-the-assumed-iam-role-in-your-pod.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_configuring-alert-notifications"]
+== Additional resources
+
+* For more information about using AWS IAM roles with service accounts, see link:https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html[IAM roles for service accounts] in the AWS documentation.
+
+* For information about AWS IAM role delegation, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html[Creating a role to delegate permissions to an AWS service] in the AWS documentation.
+
+* For details about AWS SDKs, see link:https://docs.aws.amazon.com/sdkref/latest/guide/overview.html[AWS SDKs and Tools Reference Guide] in the AWS documentation.
+
+* For more information about installing and using the AWS Boto3 SDK for Python, see the link:https://boto3.amazonaws.com/v1/documentation/api/latest/index.html[AWS Boto3 documentation].
+
+ifdef::openshift-rosa,openshift-dedicated[]
+* For general information about webhook admission plug-ins for OpenShift, see link:https://docs.openshift.com/container-platform/4.11/architecture/admission-plug-ins.html#admission-webhooks-about_admission-plug-ins[Webhook admission plug-ins] in the OpenShift Container Platform documentation.
+endif::openshift-rosa,openshift-dedicated[]

images/pod-identity-webhook-workflow-in-user-defined-projects.png

@@ -0,0 +1,11 @@
+// Module included in the following assemblies:
+//
+// * authentication/assuming-an-aws-iam-role-for-a-service-account.adoc
+
+:_content-type: PROCEDURE
+[id="assuming-an-aws-iam-role-in-your-own-pods_{context}"]
+= Assuming an AWS IAM role in your own pods
+
+Follow the procedures in this section to enable a service account to assume an AWS Identity and Access Management (IAM) role in a pod deployed in a user-defined project.
+
+You can create the required resources, including an AWS IAM role, a service account, a container image that includes an AWS SDK, and a pod deployed by using the image. In the example, the AWS Boto3 SDK for Python is used. You can also verify that the pod identity webhook mutates the AWS environment variables, the volume mount, and the token volume into your pod. Additionally, you can check that the service account assumes the AWS IAM role in your pod and can successfully run AWS SDK operations. 

modules/assuming-an-aws-iam-role-in-your-own-pods.adoc

@@ -0,0 +1,95 @@
+// Module included in the following assemblies:
+//
+// * authentication/assuming-an-aws-iam-role-for-a-service-account.adoc
+
+:_content-type: PROCEDURE
+[id="creating-a-service-account-in-your-project_{context}"]
+= Creating a service account in your project
+
+Add a service account in your user-defined project. Include an `eks.amazonaws.com/role-arn` annotation in the service account configuration that references the Amazon Resource Name (ARN) for the AWS Identity and Access Management (IAM) role that you want the service account to assume.
+
+.Prerequisites
+
+* You have created an AWS IAM role for your service account. For more information, see _Setting up an AWS IAM role for a service account_.
+* You have access to a {product-title} with AWS Security Token Service (STS) cluster. Admin-level user privileges are not required.
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. In your {product-title} cluster, create a project:
++
+[source,terminal]
+----
+$ oc new-project <project_name> <1>
+----
+<1> Replace `<project_name>` with the name of your project. The name must match the project name that you specified in your AWS IAM role configuration.
++
+[NOTE]
+====
+You are automatically switched to the project when it is created.
+====
+
+. Create a file named `test-service-account.yaml` with the following service account configuration:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: <service_account_name> <1>
+  namespace: <project_name> <2>
+  annotations:
+    eks.amazonaws.com/role-arn: "<aws_iam_role_arn>" <3>
+----
+// Add these annotations in the preceding code block later:
+//    eks.amazonaws.com/sts-regional-endpoints: "true" <4>
+//    eks.amazonaws.com/token-expiration: "86400" <5>
+<1> Replace `<service_account_name>` with the name of your service account. The name must match the service account name that you specified in your AWS IAM role configuration.
+<2> Replace `<project_name>` with the name of your project. The name must match the project name that you specified in your AWS IAM role configuration.
+<3> Specifies the ARN of the AWS IAM role that the service account assumes for use within your pod. Replace `<aws_iam_role_arn>` with the ARN for the AWS IAM role that you created for your service account. The format of the role ARN is `arn:aws:iam::<aws_account_id>:role/<aws_iam_role_name>`.
+// Add these call outs when the additional annotations are added later:
+//<4> Optional: When set to `true`, the `AWS_STS_REGIONAL_ENDPOINTS=regional` environment variable is defined in the pod and AWS STS requests are sent to endpoints for the active region. When this option is not set to `true`, the AWS STS requests are by default sent to the global endpoint \https://sts.amazonaws.com. For more information, see link:https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html[AWS STS Regionalized endpoints] in the AWS documentation.
+//<5> Optional: Specifies the token expiration time in seconds. The default is `86400`.
+
+. Create the service account in your project:
++
+[source,terminal]
+----
+$ oc create -f test-service-account.yaml
+----
++
+.Example output:
+[source,terminal]
+----
+serviceaccount/<service_account_name> created
+----
+
+. Review the details of the service account:
++
+[source,terminal]
+----
+$ oc describe serviceaccount <service_account_name> <1>
+----
+<1> Replace `<service_account_name>` with the name of your service account.
++
+.Example output:
++
+[source,terminal]
+----
+Name:                <service_account_name> <1>
+Namespace:           <project_name> <2>
+Labels:              <none>
+Annotations:         eks.amazonaws.com/role-arn: <aws_iam_role_arn> <3>
+Image pull secrets:  <service_account_name>-dockercfg-rnjkq
+Mountable secrets:   <service_account_name>-dockercfg-rnjkq
+Tokens:              <service_account_name>-token-4gbjp
+Events:              <none>
+----
+// Add these annotations in the preceding code block later:
+//                     eks.amazonaws.com/sts-regional-endpoints: true <3>
+//                     eks.amazonaws.com/token-expiration: 86400 <3>
+<1> Specifies the name of the service account.
+<2> Specifies the project that contains the service account.
+<3> Lists the annotation for the ARN of the AWS IAM role that the service account assumes.
+// Update the preceding call out to the following when the additional annotations are added later:
+//<3> Lists the annotations for the ARN of the AWS IAM role that the service account assumes, the optional regional endpoint configuration, and the optional token expiration specification.

modules/creating-a-service-account-in-your-project.adoc

@@ -0,0 +1,67 @@
+// Module included in the following assemblies:
+//
+// * authentication/assuming-an-aws-iam-role-for-a-service-account.adoc
+
+:_content-type: PROCEDURE
+[id="creating-an-example-aws-sdk-container-image_{context}"]
+= Creating an example AWS SDK container image
+
+The steps in this procedure provide an example method to create a container image that includes an AWS SDK.
+
+The example steps use Podman to create the container image and Quay.io to host the image. For more information about Quay.io, see link:https://docs.quay.io/solution/getting-started.html[Getting Started with Quay.io]. The container image can be used to deploy pods that can run AWS SDK operations. 
+
+[NOTE]
+====
+In this example procedure, the AWS Boto3 SDK for Python is installed into a container image. For more information about installing and using the AWS Boto3 SDK, see the link:https://boto3.amazonaws.com/v1/documentation/api/latest/index.html[AWS Boto3 documentation]. For details about other AWS SDKs, see link:https://docs.aws.amazon.com/sdkref/latest/guide/overview.html[AWS SDKs and Tools Reference Guide] in the AWS documentation.
+====
+
+.Prerequisites
+
+* You have installed Podman on your installation host.
+* You have a Quay.io user account.
+
+.Procedure
+
+. Add the following configuration to a file named `Containerfile`:
++
+[source,terminal]
+----
+FROM ubi9/ubi <1>
+RUN dnf makecache && dnf install -y python3-pip && dnf clean all && pip3 install boto3>=1.15.0 <2>
+----
+<1> Specifies the Red Hat Universal Base Image version 9.
+<2> Installs the AWS Boto3 SDK by using the `pip` package management system. In this example, AWS Boto3 SDK version 1.15.0 or later is installed.
+
+. From the directory that contains the file, build a container image named `awsboto3sdk`:
++
+[source,terminal]
+----
+$ podman build -t awsboto3sdk .
+----
+
+. Log in to Quay.io:
++
+[source,terminal]
+----
+$ podman login quay.io
+----
+
+. Tag the image in preparation for the upload to Quay.io:
++
+[source,terminal]
+----
+$ podman tag localhost/awsboto3sdk quay.io/<quay_username>/awsboto3sdk:latest <1>
+----
+<1> Replace `<quay_username>` with your Quay.io username.
+
+. Push the tagged container image to Quay.io:
++
+[source,terminal]
+----
+$ podman push quay.io/<quay_username>/awsboto3sdk:latest <1>
+----
+<1> Replace `<quay_username>` with your Quay.io username.
+
+. Make the Quay.io repository that contains the image public. This publishes the image so that it can be used to deploy a pod in your {product-title} cluster:
+.. On https://quay.io/, navigate to the *Repository Settings* page for repository that contains the image.
+.. Click *Make Public* to make the repository publicly available.

modules/creating-an-example-aws-sdk-container-image.adoc

@@ -0,0 +1,67 @@
+// Module included in the following assemblies:
+//
+// * authentication/assuming-an-aws-iam-role-for-a-service-account.adoc
+
+:_content-type: PROCEDURE
+[id="deploying-a-pod-that-includes-an-aws-sdk_{context}"]
+= Deploying a pod that includes an AWS SDK
+
+Deploy a pod in a user-defined project from a container image that includes an AWS SDK. In your pod configuration, specify the service account that includes the `eks.amazonaws.com/role-arn` annotation.
+
+With the service account reference in place for your pod, the pod identity webhook injects the AWS environment variables, the volume mount, and the token volume into your pod. The pod mutation enables the service account to automatically assume the AWS IAM role in the pod.
+
+.Prerequisites
+
+* You have created an AWS Identity and Access Management (IAM) role for your service account. For more information, see _Setting up an AWS IAM role for a service account_.
+* You have access to a {product-title} cluster that uses the AWS Security Token Service (STS). Admin-level user privileges are not required.
+* You have installed the OpenShift CLI (`oc`).
+* You have created a service account in your project that includes an `eks.amazonaws.com/role-arn` annotation that references the Amazon Resource Name (ARN) for the IAM role that you want the service account to assume.
+* You have a container image that includes an AWS SDK and the image is available to your cluster. For detailed steps, see _Creating an example AWS SDK container image_.
++
+[NOTE]
+====
+In this example procedure, the AWS Boto3 SDK for Python is used. For more information about installing and using the AWS Boto3 SDK, see the link:https://boto3.amazonaws.com/v1/documentation/api/latest/index.html[AWS Boto3 documentation]. For details about other AWS SDKs, see link:https://docs.aws.amazon.com/sdkref/latest/guide/overview.html[AWS SDKs and Tools Reference Guide] in the AWS documentation.
+====
+
+.Procedure
+
+. Create a file named `awsboto3sdk-pod.yaml` with the following pod configuration:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: <project_name> <1>
+  name: awsboto3sdk <2>
+spec:
+  serviceAccountName: <service_account_name> <3>
+  containers:
+  - name: awsboto3sdk
+    image: quay.io/<quay_username>/awsboto3sdk:latest <4>
+    command:
+    - /bin/bash
+    - "-c"
+    - "sleep 100000" <5>
+  terminationGracePeriodSeconds: 0
+  restartPolicy: Never
+----
+<1> Replace `<project_name>` with the name of your project. The name must match the project name that you specified in your AWS IAM role configuration.
+<2> Specifies the name of the pod.
+<3> Replace `<service_account_name>` with the name of the service account that is configured to assume the AWS IAM role. The name must match the service account name that you specified in your AWS IAM role configuration.
+<4> Specifies the location of your `awsboto3sdk` container image. Replace `<quay_username>` with your Quay.io username.
+<5> In this example pod configuration, this line keeps the pod running for 100000 seconds to enable verification testing in the pod directly. For detailed verification steps, see _Verifying the assumed IAM role in your pod_.
+
+. Deploy an `awsboto3sdk` pod:
++
+[source,terminal]
+----
+$ oc create -f awsboto3sdk-pod.yaml
+----
++
+.Example output:
++
+[source,terminal]
+----
+pod/awsboto3sdk created
+----

modules/deploying-a-pod-that-includes-an-aws-sdk.adoc

@@ -0,0 +1,91 @@
+// Module included in the following assemblies:
+//
+// * authentication/assuming-an-aws-iam-role-for-a-service-account.adoc
+
+:_content-type: PROCEDURE
+[id="setting-up-an-aws-iam-role-a-service-account_{context}"]
+= Setting up an AWS IAM role for a service account
+
+Create an AWS Identity and Access Management (IAM) role to be assumed by a service account in your {product-title} cluster. Attach the permissions that are required by your service account to run AWS SDK operations in a pod.
+
+.Prerequisites
+
+* You have the permissions required to install and configure IAM roles in your AWS account.
+* You have access to a {product-title} cluster that uses the AWS Security Token Service (STS). Admin-level user privileges are not required.
+* You have the Amazon Resource Name (ARN) for the OpenID Connect (OIDC) provider that is configured as the service account issuer in your {product-title} with STS cluster.
++
+[NOTE]
+====
+In {product-title} with STS clusters, the OIDC provider is created during install and set as the service account issuer by default. If you do not know the OIDC provider ARN, contact your cluster administrator.
+====
+* You have installed the AWS CLI (`aws`).
+
+.Procedure
+
+. Create a file named `trust-policy.json` with the following JSON configuration:
++
+--
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "<oidc_provider_arn>" <1>
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringEquals": {
+                    "<oidc_provider_name>:sub": "system:serviceaccount:<project_name>:<service_account_name>" <2>
+                }
+            }
+        }
+    ]
+}
+----
+<1> Replace `<oidc_provider_arn>` with the ARN of your OIDC provider, for example `arn:aws:iam::<aws_account_id>:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`.
+<2> Limits the role to the specified project and service account. Replace `<oidc_provider_name>` with the name of your OIDC provider, for example `rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. Replace `<project_name>:<service_account_name>` with your project name and service account name, for example `my-project:test-service-account`. 
++
+[NOTE]
+====
+Alternatively, you can limit the role to any service account within the specified project by using `"<oidc_provider_name>:sub": "system:serviceaccount:<project_name>:*"`. If you supply the `*` wildcard, you must replace `StringEquals` with `StringLike` in the preceding line.
+====
+--
+
+. Create an AWS IAM role that uses the trust policy that is defined in the `trust-policy.json` file:
++
+[source,terminal]
+----
+$ aws iam create-role \
+    --role-name <aws_iam_role_name> \ <1>
+    --assume-role-policy-document file://trust-policy.json <2>
+----
+<1> Replace `<aws_iam_role_name>` with the name of your IAM role, for example `pod-identity-test-role`.
+<2> References the `trust-policy.json` file that you created in the preceding step.
++
+.Example output:
+[source,terminal]
+----
+ROLE    arn:aws:iam::<aws_account_id>:role/<aws_iam_role_name>        2022-09-28T12:03:17+00:00       /       AQWMS3TB4Z2N3SH7675JK   <aws_iam_role_name>
+ASSUMEROLEPOLICYDOCUMENT        2012-10-17
+STATEMENT       sts:AssumeRoleWithWebIdentity   Allow
+STRINGEQUALS    system:serviceaccount:<project_name>:<service_account_name>
+PRINCIPAL       <oidc_provider_arn>
+----
++
+Retain the ARN for the role in the output. The format of the role ARN is `arn:aws:iam::<aws_account_id>:role/<aws_iam_role_name>`.
+
+. Attach any managed AWS permissions that are required when the service account runs AWS SDK operations in your pod:
++
+[source,terminal]
+----
+$ aws iam attach-role-policy \
+    --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess \ <1>
+    --role-name <aws_iam_role_name> <2>
+----
+<1> The policy in this example adds read-only access permissions to the IAM role.
+<2> Replace `<aws_iam_role_name>` with the name of the IAM role that you created in the preceding step.
+
+. Optional: Add custom attributes or a permissions boundary to the role. For more information, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html[Creating a role to delegate permissions to an AWS service] in the AWS documentation.