{"id":13533470,"url":"https://github.com/jtblin/kube2iam","last_synced_at":"2026-04-30T03:02:57.473Z","repository":{"id":38554215,"uuid":"58301572","full_name":"jtblin/kube2iam","owner":"jtblin","description":"kube2iam  provides different AWS IAM roles for pods running on Kubernetes","archived":false,"fork":false,"pushed_at":"2025-03-27T09:10:08.000Z","size":358,"stargazers_count":2006,"open_issues_count":120,"forks_count":324,"subscribers_count":40,"default_branch":"master","last_synced_at":"2025-05-07T10:52:33.185Z","etag":null,"topics":["aws","kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jtblin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-05-08T07:34:36.000Z","updated_at":"2025-05-05T03:13:21.000Z","dependencies_parsed_at":"2023-02-19T03:15:38.786Z","dependency_job_id":"fd253d0a-1a04-4597-96fb-a55e18851f3d","html_url":"https://github.com/jtblin/kube2iam","commit_stats":{"total_commits":201,"total_committers":73,"mean_commits":"2.7534246575342465","dds":0.7114427860696517,"last_synced_commit":"32a82bd1c60fc63d15fca76b9364bab8c153d316"},"previous_names":[],"tags_count":52,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jtblin%2Fkube2iam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jtblin%2Fkube2iam/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jtblin%2Fkube2iam/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/jtblin%2Fkube2iam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jtblin","download_url":"https://codeload.github.com/jtblin/kube2iam/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254129479,"owners_count":22019628,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","kubernetes"],"created_at":"2024-08-01T07:01:20.127Z","updated_at":"2026-04-30T03:02:52.305Z","avatar_url":"https://github.com/jtblin.png","language":"Go","funding_links":[],"categories":["Security","AWS","Security \u0026 Compliance","HarmonyOS","Go","Open Source Projects","HTML","Tools"],"sub_categories":["[Jenkins](#jenkins)","Windows Manager","Kubernetes"],"readme":"[![CircleCI](https://dl.circleci.com/status-badge/img/circleci/Tv5Xa331HXLx98iuW72Ug4/Po3PqWxjiikmpntHfiZoXW/tree/master.svg?style=shield\u0026circle-token=d0a793bd02cdcccff259a236dde26e6cc749d35d)](https://app.circleci.com/pipelines/circleci/Tv5Xa331HXLx98iuW72Ug4/Po3PqWxjiikmpntHfiZoXW)\n[![Docker Pulls](https://img.shields.io/docker/pulls/jtblin/kube2iam.svg)](https://hub.docker.com/r/jtblin/kube2iam/)\n[![Go Report Card](https://goreportcard.com/badge/github.com/jtblin/kube2iam)](https://goreportcard.com/report/github.com/jtblin/kube2iam)\n[![license](https://img.shields.io/github/license/jtblin/kube2iam.svg)](https://github.com/jtblin/kube2iam/blob/master/LICENSE)\n\n# kube2iam\n\nProvide IAM credentials to containers running inside a kubernetes cluster based on annotations.\n\n## 
Context\n\nTraditionally in AWS, service level isolation is done using IAM roles. IAM roles are attributed through instance\nprofiles and are accessible by services through the transparent usage by the aws-sdk of the ec2 metadata API.\nWhen using the aws-sdk, a call is made to the EC2 metadata API which provides temporary credentials\nthat are then used to make calls to the AWS service.\n\n## Problem statement\n\nThe problem is that in a multi-tenanted, container-based world, multiple containers will be sharing the underlying\nnodes. Given containers will share the same underlying nodes, providing access to AWS\nresources via IAM roles would mean that one needs to create an IAM role which is a union of all\nIAM roles. This is not acceptable from a security perspective.\n\n## Solution\n\nThe solution is to redirect the traffic that is going to the ec2 metadata API for docker containers to a container\nrunning on each instance, make a call to the AWS API to retrieve temporary credentials and return these to the caller.\nOther calls will be proxied to the EC2 metadata API. This container will need to run with host networking enabled\nso that it can call the EC2 metadata API itself.\n\n## Usage\n\n### IAM roles\n\nIt is necessary to create an IAM role which can assume other roles and list regions, and assign it to each kubernetes worker.  \nThe list regions permission is required because aws-go-sdk-v2 doesn't include a regions list.  \n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": [\n        \"sts:AssumeRole\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"*\"\n    },\n    {\n      \"Action\": [\n        \"ec2:DescribeRegions\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"*\"\n    }\n  ]\n}\n```\n\nThe roles that will be assumed must have a Trust Relationship which allows them to be assumed by the kubernetes worker\nrole. 
See this [StackOverflow post](http://stackoverflow.com/a/33850060) for more details.\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    },\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::123456789012:role/kubernetes-worker-role\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}\n```\n\n### kube2iam daemonset\n\nRun the kube2iam container as a daemonset (so that it runs on each worker) with `hostNetwork: true`.\nThe kube2iam daemon and iptables rule (see below) need to run before all other pods that would require\naccess to AWS resources.\n\n```yaml\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n  name: kube2iam\n  labels:\n    app: kube2iam\nspec:\n  selector:\n    matchLabels:\n      name: kube2iam\n  template:\n    metadata:\n      labels:\n        name: kube2iam\n    spec:\n      hostNetwork: true\n      containers:\n        - image: jtblin/kube2iam:latest\n          name: kube2iam\n          args:\n            - \"--base-role-arn=arn:aws:iam::123456789012:role/\"\n            - \"--node=$(NODE_NAME)\"\n          env:\n            - name: NODE_NAME\n              valueFrom:\n                fieldRef:\n                  fieldPath: spec.nodeName\n          ports:\n            - containerPort: 8181\n              hostPort: 8181\n              name: http\n```\n\n### iptables\n\nTo prevent containers from directly accessing the EC2 metadata API and gaining unwanted access to AWS resources,\nthe traffic to `169.254.169.254` must be proxied for docker containers.\n\n```bash\niptables \\\n  --append PREROUTING \\\n  --protocol tcp \\\n  --destination 169.254.169.254 \\\n  --dport 80 \\\n  --in-interface docker0 \\\n  --jump DNAT \\\n  --table nat \\\n  --to-destination `curl 
169.254.169.254/latest/meta-data/local-ipv4`:8181\n```\n\nThis rule can be added automatically by setting `--iptables=true`, setting the `HOST_IP` environment\nvariable, and running the container in a privileged security context.\n\n**Warning**: It is possible that other pods are started on an instance before kube2iam has started. Using `--iptables=true` (instead of applying the rule before starting the kubelet) **could give those pods the opportunity to access the real EC2 metadata API, assume the role of the EC2 instance and thereby have all permissions the instance role has** (including assuming potential other roles). Use with care if you don't trust the users of your kubernetes cluster or if you are running pods (that could be exploited) that have permissions to create other pods (e.g. controllers / operators).\n\nNote that the `--in-interface` value above (or the `--host-interface` cli flag) may be\ndifferent from `docker0` depending on which virtual network you use, e.g.\n\n* for Calico, use `cali+` (the interface name is something like cali1234567890)\n* for kops (on kubenet), use `cbr0`\n* for CNI, use `cni0`\n* for [EKS](https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html)/[amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s), use `eni+` even with calico installed (each pod gets an interface like `eni4c0e15dfb05`)\n* for weave, use `weave`\n* for flannel, use `cni0`\n* for [kube-router](https://github.com/cloudnativelabs/kube-router), use `kube-bridge`\n* for [OpenShift](https://www.openshift.org/), use `tun0`\n* for [Cilium](https://www.cilium.io), use `lxc+`\n\n```yaml\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n  name: kube2iam\n  labels:\n    app: kube2iam\nspec:\n  selector:\n    matchLabels:\n      name: kube2iam\n  template:\n    metadata:\n      labels:\n        name: kube2iam\n    spec:\n      hostNetwork: true\n      containers:\n        - image: jtblin/kube2iam:latest\n          name: kube2iam\n          args:\n            - \"--base-role-arn=arn:aws:iam::123456789012:role/\"\n            - \"--iptables=true\"\n            - \"--host-ip=$(HOST_IP)\"\n            - \"--node=$(NODE_NAME)\"\n          env:\n            - name: HOST_IP\n              valueFrom:\n                fieldRef:\n                  fieldPath: status.podIP\n            - name: NODE_NAME\n              valueFrom:\n                fieldRef:\n                  fieldPath: spec.nodeName\n          ports:\n            - containerPort: 8181\n              hostPort: 8181\n              name: http\n          securityContext:\n            privileged: true\n```\n\n### kubernetes annotation\n\nAdd an `iam.amazonaws.com/role` annotation to your pods with the role that you want to assume for this pod.\nThe optional `iam.amazonaws.com/external-id` annotation allows the use of an ExternalId as part of the assume role call.\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  name: aws-cli\n  labels:\n    name: aws-cli\n  annotations:\n    iam.amazonaws.com/role: role-arn\n    iam.amazonaws.com/external-id: external-id\nspec:\n  containers:\n  - image: fstab/aws-cli\n    command:\n      - \"/home/aws/aws/env/bin/aws\"\n      - \"s3\"\n      - \"ls\"\n      - \"some-bucket\"\n    name: aws-cli\n```\n\nYou can use `--default-role` to set a fallback role to use when the annotation is not set.\n\n#### ReplicaSet, CronJob, Deployment, etc.\n\nWhen creating higher-level abstractions than pods, you need to pass the annotation in the pod template of the\nresource spec.\n\nExample for a `Deployment`:\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: nginx-deployment\nspec:\n  replicas: 3\n  selector:\n    matchLabels:\n      app: nginx\n  template:\n    metadata:\n      annotations:\n        iam.amazonaws.com/role: role-arn\n      labels:\n        app: nginx\n    spec:\n      containers:\n      - name: nginx\n        image: nginx:1.9.1\n        ports:\n        - containerPort: 80\n```\n\nExample for a `CronJob`:\n\n```yaml\napiVersion: batch/v1beta1\nkind: CronJob\nmetadata:\n  name: my-cronjob\nspec:\n  schedule: \"00 11 * * 2\"\n  concurrencyPolicy: Forbid\n  startingDeadlineSeconds: 3600\n  jobTemplate:\n    spec:\n      template:\n        metadata:\n          annotations:\n            iam.amazonaws.com/role: role-arn\n        spec:\n          restartPolicy: OnFailure\n          containers:\n          - name: job\n            image: my-image\n```\n\n### Namespace Restrictions\n\nBy using the `--namespace-restrictions` flag you can enable a mode in which the roles that pods can assume are restricted\nby an annotation on the pod's namespace. 
This annotation should be in the form of a json array.\n\nTo allow the aws-cli pod specified above to run in the default namespace your namespace would look like the following.\n\n```yaml\napiVersion: v1\nkind: Namespace\nmetadata:\n  annotations:\n    iam.amazonaws.com/allowed-roles: |\n      [\"role-arn\"]\n  name: default\n```\n\n_Note:_ You can also use glob-based matching for namespace restrictions, which works nicely with the path-based\nnamespacing supported for AWS IAM roles.\n\nExample: to allow all roles prefixed with `my-custom-path/` to be assumed by pods in the default namespace, the\ndefault namespace would be annotated as follows:\n\n```yaml\napiVersion: v1\nkind: Namespace\nmetadata:\n  annotations:\n    iam.amazonaws.com/allowed-roles: |\n      [\"my-custom-path/*\"]\n  name: default\n```\n\nIf you prefer `regexp` to glob-based matching you can specify `--namespace-restriction-format=regexp`, then you can\nuse a `regexp` in your annotation:\n\n```yaml\napiVersion: v1\nkind: Namespace\nmetadata:\n  annotations:\n    iam.amazonaws.com/allowed-roles: |\n      [\"my-custom-path/.*\"]\n  name: default\n```\n\n_Note:_ If you use both `--namespace-restrictions` and `--auto-discover-base-arn` flags, it is possible to assume a role in a different account (hence with a different base ARN) but the `iam.amazonaws.com/allowed-roles` annotation must explicitly include the base ARN. \n\n\n### RBAC Setup\n\nThis is the basic RBAC setup to get kube2iam working correctly when your cluster is using rbac. 
Below is the bare minimum to get kube2iam working.\n\nFirst we need to make a service account.\n\n```yaml\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: kube2iam\n  namespace: kube-system\n```\n\nNext we need to set up the role and binding for the process.\n\n```yaml\n---\napiVersion: v1\nitems:\n  - apiVersion: rbac.authorization.k8s.io/v1\n    kind: ClusterRole\n    metadata:\n      name: kube2iam\n    rules:\n      - apiGroups: [\"\"]\n        resources: [\"namespaces\",\"pods\"]\n        verbs: [\"get\",\"watch\",\"list\"]\n  - apiVersion: rbac.authorization.k8s.io/v1\n    kind: ClusterRoleBinding\n    metadata:\n      name: kube2iam\n    subjects:\n    - kind: ServiceAccount\n      name: kube2iam\n      namespace: kube-system\n    roleRef:\n      kind: ClusterRole\n      name: kube2iam\n      apiGroup: rbac.authorization.k8s.io\nkind: List\n```\n\nYou will notice this lives in the kube-system namespace to allow for easier separation between system services and other services.\n\nHere is what a kube2iam daemonset yaml might look like.\n\n```yaml\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n  name: kube2iam\n  namespace: kube-system\n  labels:\n    app: kube2iam\nspec:\n  selector:\n    matchLabels:\n      name: kube2iam\n  template:\n    metadata:\n      labels:\n        name: kube2iam\n    spec:\n      serviceAccountName: kube2iam\n      hostNetwork: true\n      containers:\n        - image: jtblin/kube2iam:latest\n          imagePullPolicy: Always\n          name: kube2iam\n          args:\n            - \"--app-port=8181\"\n            - \"--base-role-arn=arn:aws:iam::xxxxxxx:role/\"\n            - \"--iptables=true\"\n            - \"--host-ip=$(HOST_IP)\"\n            - \"--host-interface=weave\"\n            - \"--verbose\"\n          env:\n            - name: HOST_IP\n              valueFrom:\n                fieldRef:\n                  fieldPath: status.podIP\n          ports:\n            - containerPort: 8181\n              hostPort: 8181\n              name: http\n          securityContext:\n            privileged: true\n```\n\n### Using on OpenShift\n\n#### OpenShift 3\n\nTo use `kube2iam` on OpenShift one needs to configure additional resources.\n\nA complete example for OpenShift 3 looks like this. For OpenShift 4, see the next section.\n\n```yaml\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: kube2iam\n  namespace: kube-system\n---\napiVersion: v1\nitems:\n  - apiVersion: rbac.authorization.k8s.io/v1beta1\n    kind: ClusterRole\n    metadata:\n      name: kube2iam\n    rules:\n      - apiGroups: [\"\"]\n        resources: [\"namespaces\",\"pods\"]\n        verbs: [\"get\",\"watch\",\"list\"]\n  - apiVersion: rbac.authorization.k8s.io/v1beta1\n    kind: ClusterRoleBinding\n    metadata:\n      name: kube2iam\n    subjects:\n    - kind: ServiceAccount\n      name: kube2iam\n      namespace: kube-system\n    roleRef:\n      kind: ClusterRole\n      name: kube2iam\n      apiGroup: rbac.authorization.k8s.io\nkind: List\n---\nkind: SecurityContextConstraints\napiVersion: v1\nmetadata:\n  name: kube2iam\nallowPrivilegedContainer: true\nallowHostPorts: true\nallowHostNetwork: true\nrunAsUser:\n  type: RunAsAny\nseLinuxContext:\n  type: MustRunAs\nusers:\n- system:serviceaccount:kube-system:kube2iam\n---\napiVersion: extensions/v1beta1\nkind: DaemonSet\nmetadata:\n  name: kube2iam\n  namespace: kube-system\n  labels:\n    app: kube2iam\nspec:\n  selector:\n    matchLabels:\n      name: kube2iam\n  template:\n    metadata:\n      labels:\n        name: kube2iam\n    spec:\n      serviceAccountName: kube2iam\n      hostNetwork: true\n      nodeSelector:\n        role: app\n      containers:\n        - image: docker.io/jtblin/kube2iam:latest\n          imagePullPolicy: Always\n          name: kube2iam\n          args:\n            - \"--app-port=8181\"\n            - \"--auto-discover-base-arn\"\n            - \"--iptables=true\"\n            - \"--host-ip=$(HOST_IP)\"\n            - \"--host-interface=tun0\"\n            - \"--verbose\"\n          env:\n            - name: HOST_IP\n              valueFrom:\n                fieldRef:\n                  fieldPath: status.podIP\n          ports:\n            - containerPort: 8181\n              hostPort: 8181\n              name: http\n          securityContext:\n            privileged: true\n```\n\n**Note**: In (OpenShift) multi-tenancy setups it is recommended to restrict the assumable roles on the namespace level to prevent cross-namespace trust stealing.\n\n#### OpenShift 4\n\nTo use `kube2iam` on OpenShift 4, the additional resources are slightly different from those for OpenShift 3 shown above. OpenShift 4 has [hard-coded iptables rules](https://github.com/openshift/origin/blob/release-4.1/cmd/sdn-cni-plugin/openshift-sdn_linux.go#L129) that block connections from containers to the EC2 metadata service 169.254.169.254. Because the `kube2iam` pods already run with host networking enabled, they are not affected by these OpenShift iptables rules.\n\nThe OpenShift iptables rules have implications for pods authenticating through `kube2iam` though. 
But let's look at an example for deploying `kube2iam` on OpenShift 4 first:\n\n```yaml\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: kube2iam\n  namespace: kube-system\n---\napiVersion: v1\nitems:\n  - apiVersion: rbac.authorization.k8s.io/v1beta1\n    kind: ClusterRole\n    metadata:\n      name: kube2iam\n    rules:\n      - apiGroups: [\"\"]\n        resources: [\"namespaces\",\"pods\"]\n        verbs: [\"get\",\"watch\",\"list\"]\n  - apiVersion: rbac.authorization.k8s.io/v1beta1\n    kind: ClusterRoleBinding\n    metadata:\n      name: kube2iam\n    subjects:\n    - kind: ServiceAccount\n      name: kube2iam\n      namespace: kube-system\n    roleRef:\n      kind: ClusterRole\n      name: kube2iam\n      apiGroup: rbac.authorization.k8s.io\nkind: List\n---\napiVersion: extensions/v1beta1\nkind: DaemonSet\nmetadata:\n  name: kube2iam\n  namespace: kube-system\n  labels:\n    app: kube2iam\nspec:\n  selector:\n    matchLabels:\n      name: kube2iam\n  template:\n    metadata:\n      labels:\n        name: kube2iam\n    spec:\n      serviceAccountName: kube2iam\n      hostNetwork: true\n      nodeSelector:\n        node-role.kubernetes.io/worker: ''\n      containers:\n        - image: docker.io/jtblin/kube2iam:latest\n          imagePullPolicy: Always\n          name: kube2iam\n          args:\n            - \"--app-port=8181\"\n            - \"--auto-discover-base-arn\"\n            - \"--host-ip=$(HOST_IP)\"\n            - \"--host-interface=tun0\"\n            - \"--verbose\"\n          env:\n            - name: HOST_IP\n              valueFrom:\n                fieldRef:\n                  fieldPath: status.podIP\n          ports:\n            - containerPort: 8181\n              hostPort: 8181\n              name: http\n```\n\nCompared to the OpenShift 3 example in the previous section, we removed the `kube2iam` SecurityContextConstraint. 
In the `kube2iam` DaemonSet, we changed the nodeSelector to match OpenShift 4 worker nodes, removed the iptables argument, and removed the `privileged` securityContext.\n\nWe use the OpenShift `hostnetwork` SecurityContextConstraint for `kube2iam`:\n\n```bash\noc adm policy add-scc-to-user hostnetwork -n kube-system -z kube2iam\n```\n\nFor applications, the iptables rule that `kube2iam` would create to redirect 169.254.169.254 connections to the `kube2iam` pods has no effect because the [hard-coded iptables rules](https://github.com/openshift/origin/blob/release-4.1/cmd/sdn-cni-plugin/openshift-sdn_linux.go#L129) block those connections on OpenShift 4.\n\nAs a workaround, the environment variables http_proxy and no_proxy can be set to use `kube2iam` as an HTTP proxy when accessing the metadata service. Below is an example for the aws-service-operator:\n\n```yaml\n- kind: Deployment\n  apiVersion: apps/v1beta1\n  metadata:\n    name: aws-service-operator\n    namespace: aws-service-operator\n  spec:\n    replicas: 1\n    template:\n      metadata:\n        annotations:\n          iam.amazonaws.com/role: aws-service-operator\n        labels:\n          app: aws-service-operator\n      spec:\n        serviceAccountName: aws-service-operator\n        containers:\n        - name: aws-service-operator\n          image: awsserviceoperator/aws-service-operator:v0.0.1-alpha4\n          imagePullPolicy: Always\n          command:\n            - /bin/sh\n          args:\n          - \"-c\"\n          - export http_proxy=${HOST_IP}:8181; /usr/local/bin/aws-service-operator server --cluster-name=\u003cCLUSTER_NAME\u003e --region=\u003cREGION\u003e --account-id=\u003cACCOUNT_ID\u003e --k8s-namespace=\u003cK8S_NAMESPACE\u003e\n        env:\n          - name: HOST_IP\n            valueFrom:\n              fieldRef:\n                apiVersion: v1\n                fieldPath: status.hostIP\n          - name: no_proxy\n            value: \"*.amazonaws.com,\u003cKUBE_API_IP\u003e:443\"\n```\n\nCompared to the Deployment definition from [aws-service-operator/configs/aws-service-operator.yaml](https://github.com/awslabs/aws-service-operator/blob/master/configs/aws-service-operator.yaml), this adds the http_proxy and no_proxy environment variables.\n\nBecause we use the IP address of the OpenShift node to access the `kube2iam` pod, we cannot set http_proxy in the `env` list, but use a shell command instead.\n\nThe value for the no_proxy environment variable is specific to the application. `kube2iam` only allows proxy connections to 169.254.169.254. All other hostnames or IP addresses that the application connects to through HTTP or HTTPS need to be listed in the no_proxy variable.\n\nFor example, the aws-service-operator needs access to various AWS APIs and the Kubernetes API. The Kubernetes API listens on the first IP address in the OpenShift service network. If `172.31.0.0/16` is the OpenShift cluster service network, KUBE_API_IP is `172.31.0.1`.\n\n### Debug\n\nBy using the `--debug` flag you can enable some extra features making debugging easier:\n\n* `/debug/store` endpoint enabled to dump knowledge of namespaces and role association.\n\n### Base ARN auto discovery\n\nBy using the `--auto-discover-base-arn` flag, kube2iam will auto discover the base ARN via the EC2 metadata service.\n\n### Using ec2 instance role as default role\n\nBy using the `--auto-discover-default-role` flag, kube2iam will auto discover the base ARN and the IAM role attached to\nthe instance and use it as the fallback role to use when the annotation is not set.\n\n### AWS STS Endpoint and Regions\n\nSTS is a unique service in that it is actually considered a global service that defaults to the endpoint at **https://sts.amazonaws.com**, regardless of your region setting. However, unlike other global services (e.g. CloudFront, IAM), STS also has regional endpoints which can only be explicitly used programmatically. 
The use of a regional sts endpoint can reduce the latency for STS requests.\n\n`kube2iam` supports the use of STS regional endpoints by using the `--use-regional-sts-endpoint` flag as well as by setting the appropriate `AWS_REGION` environment variable in your daemonset environment. With these two settings configured, `kube2iam` will use the STS api endpoint for that region. If you enable debug level logging, the sts endpoint used to retrieve credentials will be logged.\n\n### Metrics\n\n`kube2iam` exports a number of [Prometheus](https://github.com/prometheus/prometheus) metrics to assist with monitoring\nthe system's performance. By default, these are exported at the `/metrics` HTTP endpoint on the\napplication server port (specified by `--app-port`). This does not always make sense, as anything with access to the\napplication server port can assume roles via `kube2iam`. To mitigate this use the `--metrics-port` argument to specify\na different port that will host the `/metrics` endpoint.\n\nAll of the exported metrics are prefixed with `kube2iam_`. See the [Prometheus documentation](https://prometheus.io/docs/prometheus/latest/getting_started/)\nfor more information on how to get up and running with Prometheus.\n\n### Options\n\nBy default, `kube2iam` will use the in-cluster method to connect to the kubernetes master, and use the\n`iam.amazonaws.com/role` annotation to retrieve the role for the container. 
Either set the `base-role-arn` option to\napply to all roles and only pass the role name in the `iam.amazonaws.com/role` annotation, or pass the full role\nARN in the annotation.\n\n```bash\n$ kube2iam --help\nUsage of kube2iam:\n      --api-server string                     Endpoint for the api server\n      --api-token string                      Token to authenticate with the api server\n      --app-port string                       Kube2iam server http port (default \"8181\")\n      --auto-discover-base-arn                Queries EC2 Metadata to determine the base ARN\n      --auto-discover-default-role            Queries EC2 Metadata to determine the default Iam Role and base ARN, cannot be used with --default-role, overwrites any previous setting for --base-role-arn\n      --backoff-max-elapsed-time duration     Max elapsed time for backoff when querying for role. (default 2s)\n      --backoff-max-interval duration         Max interval for backoff when querying for role. (default 1s)\n      --base-role-arn string                  Base role ARN\n      --iam-role-session-ttl                  Length of session when assuming the roles (default 15m)\n      --debug                                 Enable debug features\n      --default-role string                   Fallback role to use when annotation is not set\n      --host-interface string                 Host interface for proxying AWS metadata (default \"docker0\")\n      --host-ip string                        IP address of host\n      --iam-role-key string                   Pod annotation key used to retrieve the IAM role (default \"iam.amazonaws.com/role\")\n      --iam-external-id string                Pod annotation key used to retrieve the IAM ExternalId (default \"iam.amazonaws.com/external-id\")\n      --insecure                              Kubernetes server should be accessed without verifying the TLS. 
Testing only\n      --iptables                              Add iptables rule (also requires --host-ip)\n      --log-format string                     Log format (text/json) (default \"text\")\n      --log-level string                      Log level (default \"info\")\n      --metadata-addr string                  Address for the ec2 metadata (default \"169.254.169.254\")\n      --metrics-port string                   Metrics server http port (default: same as kube2iam server port) (default \"8181\")\n      --namespace-key string                  Namespace annotation key used to retrieve the IAM roles allowed (value in annotation should be json array) (default \"iam.amazonaws.com/allowed-roles\")\n      --cache-resync-period                   Refresh interval for pod and namespace caches\n      --resolve-duplicate-cache-ips           Queries the k8s api server to find the source of truth when the pod cache contains multiple pods with the same IP\n      --namespace-restriction-format string   Namespace Restriction Format (glob/regexp) (default \"glob\")\n      --namespace-restrictions                Enable namespace restrictions\n      --node string                           Name of the node where kube2iam is running\n      --use-regional-sts-endpoint             use the regional sts endpoint if AWS_REGION is set\n      --verbose                               Verbose\n      --version                               Print the version and exits\n```\n\n## Development loop\n\n* Use [minikube](https://github.com/kubernetes/minikube) to run cluster locally\n* Build and push dev image to docker hub: `make docker-dev DOCKER_REPO=\u003cyour docker hub username\u003e`\n* Update `deployment.yaml` as needed\n* Deploy to local kubernetes cluster: `kubectl create -f deployment.yaml` or\n  `kubectl delete -f deployment.yaml \u0026\u0026 kubectl create -f deployment.yaml`\n* Expose as service: `kubectl expose deployment kube2iam --type=NodePort`\n* Retrieve the services url: 
`minikube service kube2iam --url`\n* Test your changes e.g. `curl -is $(minikube service kube2iam --url)/healthz`\n\n# Author\n\nJerome Touffe-Blin, [@jtblin](https://twitter.com/jtblin), [About me](http://about.me/jtblin)\n\n# License\n\nkube2iam is copyright 2020 Jerome Touffe-Blin and contributors.\nIt is licensed under the BSD license. See the included LICENSE file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjtblin%2Fkube2iam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjtblin%2Fkube2iam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjtblin%2Fkube2iam/lists"}