Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/TeamBion/kubectl-irsa
The kubectl plugin which allows us to test IRSA configuration AWS sa
aws irsa kubectl kubernetes oidc security
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/TeamBion/kubectl-irsa
- Owner: TeamBion
- Created: 2022-04-09T05:16:14.000Z (over 2 years ago)
- Default Branch: master
- Last Pushed: 2022-11-02T23:02:07.000Z (about 2 years ago)
- Last Synced: 2024-05-21T12:42:59.935Z (7 months ago)
- Topics: aws, irsa, kubectl, kubernetes, oidc, security
- Language: Go
- Homepage:
- Size: 216 KB
- Stars: 21
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-kubectl-plugins - kubectl-irsa
README
# kubectl-irsa
This kubectl plugin tests what the IAM policies assigned to serviceAccount roles allow, using the AWS IAM Policy Simulator service.
Besides the IAM Policy Simulator, it checks other essential parts:
* Policy Simulator 🟢
* WebIdentity Issue 🟢
* Principal Checks 🟢
* OIDC linking issues such as a non-existent IdentityProvider or a wrong audience, etc.
* AdmissionController Check
* Thumbprint Check

## How to use?
First, create a simple YAML file that maps resources to actions, like the one below.
It contains the list of resources and the related actions that the service account's role might use.
Note: the client simulates each action against each resource individually.
```yaml
resources:
- arn:aws:s3:::my-org-cdn-bucket
actions:
- s3:DeleteBucket
```
After you create this YAML file, pass it to the plugin like this:
```sh
$ kubectl irsa -file config.yaml -sa application-service-account -namespace development
```
:warning: Important: Because of changes in recent Kubernetes versions, especially on AWS EKS, you may face issues with authentication API versions. For that reason, you have to upgrade your AWS CLI V2 when you authenticate via IAM to connect to the cluster.
## Configuration Details
| flag | Description |
| --- | ----------- |
| role | Name of the role assumed by the service account, as set in the `eks.amazonaws.com/role-arn` annotation |
| config | Resource map configuration file |

## Setup
### From Source
This is a simple pip3 package, so if you want to install this plugin on your cluster you just need to run these commands:
```sh
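# Build the plugin binary from the repository root
go build ./
# Move the binary into a directory that is on your PATH so kubectl can find it
mv kubectl-irsa /usr/local/bin/
```
### Download
You can download the plugin artifact from the releases page: https://github.com/TeamBion/kubectl-irsa/releases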
# Contribution
More than welcome! Please don't hesitate to open bugs, questions, or pull requests.