/*
Copyright 2021 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package v1beta1 holds the configuration types consumed by clusterawsadm when
// it generates the AWS IAM roles, users and policies used to bootstrap
// Cluster API Provider AWS. These types describe what IAM permissions get
// created; they are not Kubernetes CRDs served by an API server.
package v1beta1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"

	infrav1 "sigs.k8s.io/cluster-api-provider-aws/api/v1beta1"
	iamv1 "sigs.k8s.io/cluster-api-provider-aws/iam/api/v1beta1"
)

// BootstrapUser contains a list of elements that is specific
// to the configuration and enablement of an IAM user.
type BootstrapUser struct {

	// Enable controls whether or not a bootstrap AWS IAM user will be created.
	// This can be used to scope down the initial credentials used to bootstrap the
	// cluster.
	// Defaults to false.
	// NOTE(review): an IAM user carries long-lived access keys; keep this disabled
	// unless a scoped-down bootstrap identity is actually needed.
	Enable bool `json:"enable"`

	// UserName controls the username of the bootstrap user. Defaults to
	// "bootstrapper.cluster-api-provider-aws.sigs.k8s.io"
	UserName string `json:"userName,omitempty"`

	// GroupName controls the group the user will belong to. Defaults to
	// "bootstrapper.cluster-api-provider-aws.sigs.k8s.io"
	GroupName string `json:"groupName,omitempty"`

	// ExtraPolicyAttachments is a list of additional policies to be attached to the IAM user.
	// Each entry is presumably a policy ARN — confirm against the generator that consumes it.
	ExtraPolicyAttachments []string `json:"extraPolicyAttachments,omitempty"`

	// ExtraGroups is a list of groups to add this user to.
	ExtraGroups []string `json:"extraGroups,omitempty"`

	// ExtraStatements are additional AWS IAM policy document statements to be included inline for the user.
	ExtraStatements []iamv1.StatementEntry `json:"extraStatements,omitempty"`

	// Tags is a map of tags to be applied to the AWS IAM user.
	Tags infrav1.Tags `json:"tags,omitempty"`
}

// ControlPlane controls the configuration of the AWS IAM role for
// the control plane of provisioned Kubernetes clusters.
type ControlPlane struct {
	AWSIAMRoleSpec `json:",inline"`

	// DisableClusterAPIControllerPolicyAttachment, if set to true, will not attach the AWS IAM policy for Cluster
	// API Provider AWS to the control plane role. Defaults to false.
	// Leaving this false means the control plane role also carries the controller's
	// permissions; set it to true when the controllers run elsewhere.
	DisableClusterAPIControllerPolicyAttachment bool `json:"disableClusterAPIControllerPolicyAttachment,omitempty"`

	// DisableCloudProviderPolicy if set to true, will not generate and attach the AWS IAM policy for the AWS Cloud Provider.
	DisableCloudProviderPolicy bool `json:"disableCloudProviderPolicy"`

	// EnableCSIPolicy if set to true, will generate and attach the AWS IAM policy for the EBS CSI Driver.
	EnableCSIPolicy bool `json:"enableCSIPolicy"`
}

// AWSIAMRoleSpec defines common configuration for AWS IAM roles created by
// Kubernetes Cluster API Provider AWS. It is embedded inline by ControlPlane,
// ClusterAPIControllers and Nodes, and used directly for the EKS roles.
type AWSIAMRoleSpec struct {
	// Disable if set to true will not create the AWS IAM role. Defaults to false.
	Disable bool `json:"disable"` // default: false

	// ExtraPolicyAttachments is a list of additional policies to be attached to the IAM role.
	// Each entry is presumably a policy ARN — confirm against the generator that consumes it.
	ExtraPolicyAttachments []string `json:"extraPolicyAttachments,omitempty"`

	// ExtraStatements are additional IAM statements to be included inline for the role.
	ExtraStatements []iamv1.StatementEntry `json:"extraStatements,omitempty"`

	// TrustStatements is an IAM PolicyDocument defining what identities are allowed to assume this role.
	// See "sigs.k8s.io/cluster-api-provider-aws/cmd/clusterawsadm/api/iam/v1beta1" for more documentation.
	// NOTE(review): this is the role's trust policy; a principal broader than the
	// intended service or account lets unrelated identities assume the role.
	TrustStatements []iamv1.StatementEntry `json:"trustStatements,omitempty"`

	// Tags is a map of tags to be applied to the AWS IAM role.
	Tags infrav1.Tags `json:"tags,omitempty"`
}

// EKSConfig represents the EKS related configuration config.
type EKSConfig struct {
	// Disable controls whether EKS-related permissions are granted
	Disable bool `json:"disable"`
	// AllowIAMRoleCreation controls whether the EKS controllers have permissions for creating IAM
	// roles per cluster.
	// Note the serialized key is "iamRoleCreation", not "allowIAMRoleCreation".
	// NOTE(review): granting the controllers the ability to create IAM roles widens
	// the blast radius of a compromised controller; prefer pre-created roles where possible.
	AllowIAMRoleCreation bool `json:"iamRoleCreation,omitempty"`
	// EnableUserEKSConsolePolicy controls the creation of the policy to view EKS nodes and workloads.
	EnableUserEKSConsolePolicy bool `json:"enableUserEKSConsolePolicy,omitempty"`
	// DefaultControlPlaneRole controls the configuration of the AWS IAM role for
	// the EKS control plane. This is the default role that will be used if
	// no role is included in the spec and automatic creation of the role
	// isn't enabled
	DefaultControlPlaneRole AWSIAMRoleSpec `json:"defaultControlPlaneRole,omitempty"`
	// ManagedMachinePool controls the configuration of the AWS IAM role
	// used by EKS managed machine pools.
	ManagedMachinePool *AWSIAMRoleSpec `json:"managedMachinePool,omitempty"`
	// Fargate controls the configuration of the AWS IAM role
	// used by EKS Fargate.
	Fargate *AWSIAMRoleSpec `json:"fargate,omitempty"`
	// KMSAliasPrefix is the prefix used to restrict permission on KMS keys to only those that have an alias
	// name that is prefixed by this.
	// Defaults to cluster-api-provider-aws-*
	// An empty or overly generic prefix widens the set of keys the roles may use.
	KMSAliasPrefix string `json:"kmsAliasPrefix,omitempty"`
}

// EventBridgeConfig represents configuration for enabling experimental feature to consume
// EventBridge EC2 events.
type EventBridgeConfig struct {
	// Enable controls whether permissions are granted to consume EC2 events
	Enable bool `json:"enable,omitempty"`
}

// ClusterAPIControllers controls the configuration of the AWS IAM role for
// the Kubernetes Cluster API Provider AWS controller.
type ClusterAPIControllers struct {
	AWSIAMRoleSpec `json:",inline"`
	// AllowedEC2InstanceProfiles controls which EC2 roles are allowed to be
	// consumed by Cluster API when creating an ec2 instance. Defaults to
	// *.<suffix>, where suffix is defaulted to .cluster-api-provider-aws.sigs.k8s.io
	// NOTE(review): this bounds which roles the controller can hand to instances it
	// launches; a pattern wider than the default lets it attach arbitrary roles.
	AllowedEC2InstanceProfiles []string `json:"allowedEC2InstanceProfiles,omitempty"`
}

// Nodes controls the configuration of the AWS IAM role for worker nodes
// in a cluster created by Kubernetes Cluster API Provider AWS.
type Nodes struct {
	AWSIAMRoleSpec `json:",inline"`

	// DisableCloudProviderPolicy if set to true, will not generate and attach the policy for the AWS Cloud Provider.
	// Defaults to false.
	DisableCloudProviderPolicy bool `json:"disableCloudProviderPolicy"`

	// EC2ContainerRegistryReadOnly controls whether the node has read-only access to the
	// EC2 container registry
	EC2ContainerRegistryReadOnly bool `json:"ec2ContainerRegistryReadOnly"`
}

// +kubebuilder:object:root=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AWSIAMConfiguration controls the creation of AWS Identity and Access Management (IAM) resources for use
// by Kubernetes clusters and Kubernetes Cluster API Provider AWS.
type AWSIAMConfiguration struct {
	metav1.TypeMeta `json:",inline"`

	Spec AWSIAMConfigurationSpec `json:"spec,omitempty"`
}

// S3Buckets controls the configuration of the AWS IAM role for S3 buckets
// which can be created for storing bootstrap data for nodes requiring it.
type S3Buckets struct {
	// Enable controls whether permissions are granted to manage S3 buckets.
	Enable bool `json:"enable"`

	// NamePrefix will be prepended to every AWS IAM role bucket name. Defaults to "cluster-api-provider-aws-".
	// AWSCluster S3 Bucket name must be prefixed with the same prefix.
	// The prefix is what scopes the granted S3 permissions to this provider's buckets.
	NamePrefix string `json:"namePrefix"`
}

// AWSIAMConfigurationSpec defines the specification of the AWSIAMConfiguration.
type AWSIAMConfigurationSpec struct {
	// NamePrefix will be prepended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to "".
	NamePrefix string `json:"namePrefix,omitempty"`

	// NameSuffix will be appended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to
	// ".cluster-api-provider-aws.sigs.k8s.io".
	// A pointer so that an explicitly empty suffix can be distinguished from "not set".
	NameSuffix *string `json:"nameSuffix,omitempty"`

	// ControlPlane controls the configuration of the AWS IAM role for a Kubernetes cluster's control plane nodes.
	ControlPlane ControlPlane `json:"controlPlane,omitempty"`

	// ClusterAPIControllers controls the configuration of an IAM role and policy specifically for Kubernetes Cluster API Provider AWS.
	ClusterAPIControllers ClusterAPIControllers `json:"clusterAPIControllers,omitempty"`

	// Nodes controls the configuration of the AWS IAM role for all nodes in a Kubernetes cluster.
	Nodes Nodes `json:"nodes,omitempty"`

	// BootstrapUser contains a list of elements that is specific
	// to the configuration and enablement of an IAM user.
	BootstrapUser BootstrapUser `json:"bootstrapUser,omitempty"`

	// StackName defines the name of the AWS CloudFormation stack.
	StackName string `json:"stackName,omitempty"`

	// StackTags defines the tags of the AWS CloudFormation stack.
	// +optional
	StackTags map[string]string `json:"stackTags,omitempty"`

	// Region controls which region the control-plane is created in if not specified on the command line or
	// via environment variables.
	Region string `json:"region,omitempty"`

	// EKS controls the configuration related to EKS. Settings in here affect the control plane
	// and nodes roles
	EKS *EKSConfig `json:"eks,omitempty"`

	// EventBridge controls configuration for consuming EventBridge events
	EventBridge *EventBridgeConfig `json:"eventBridge,omitempty"`

	// Partition is the AWS security partition being used. Defaults to "aws"
	Partition string `json:"partition,omitempty"`

	// SecureSecretsBackends, when set to parameter-store will create AWS Systems Manager
	// Parameter Storage policies. By default or with the value of secrets-manager,
	// will generate AWS Secrets Manager policies instead.
	// The accepted values are the ones listed in the validation marker below; note the
	// serialized key is "secureSecretBackends" (singular "Secret").
	// +kubebuilder:validation:Enum=secrets-manager;ssm-parameter-store
	SecureSecretsBackends []infrav1.SecretBackend `json:"secureSecretBackends,omitempty"`

	// S3Buckets, when enabled, will add controller nodes permissions to
	// create S3 Buckets for workload clusters.
	// TODO: This field could be a pointer, but it seems it breaks setting default values?
	// +optional
	S3Buckets S3Buckets `json:"s3Buckets,omitempty"`
}

// GetObjectKind returns the AWSIAMConfiguration's TypeMeta, satisfying
// runtime.Object so the type can be decoded like other Kubernetes objects.
func (obj *AWSIAMConfiguration) GetObjectKind() schema.ObjectKind {
	return &obj.TypeMeta
}

// NewAWSIAMConfiguration will generate a new default AWSIAMConfiguration.
// SetObjectDefaults_AWSIAMConfiguration is defined elsewhere in this package
// (presumably generated) and fills in the documented default values.
func NewAWSIAMConfiguration() *AWSIAMConfiguration {
	conf := &AWSIAMConfiguration{}
	SetObjectDefaults_AWSIAMConfiguration(conf)
	return conf
}