https://github.com/almariah/k8s-metadata-injector

Inject metadata into kubernetes resources based on namespces
https://github.com/almariah/k8s-metadata-injector

aws kubernetes

Last synced: 3 months ago
JSON representation

Inject metadata into kubernetes resources based on namespces

• Host: GitHub
• URL: https://github.com/almariah/k8s-metadata-injector
• Owner: almariah
• Created: 2019-02-08T22:21:13.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2020-01-27T13:02:29.000Z (almost 5 years ago)
• Last Synced: 2024-06-26T15:36:02.557Z (5 months ago)
• Topics: aws, kubernetes
• Language: Go
• Homepage:
• Size: 5.18 MB
• Stars: 17
• Watchers: 3
• Forks: 10
• Open Issues: 5
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-devops - k8s-metadata-injector - Inject metadata into kubernetes resources based on namespces (Kubernetes)

README

        
# k8s-metadata-injector

## Introduction

Labels and annotations are important to classify Kubernetes resources. Further, there are some annotations that will tag the corresponding AWS resources created by the Kubernetes itself.

The `k8s-metadata-injector` has two goals:

* Inject additional labels and annotations to `pods`, `services` and `persistentvolumeclaims` based on predefined config per namespace.

* Add tags to created AWS EBS volumes created by `persistentvolumeclaims` (`-ebs-tagging=true` should be configured)

You can add tags to EBS volumes by setting the following annotations in `persistentVolumeClaim` or `volumeClaimTemplate` as follow (example):

```yaml

ebs-tagger.kubernetes.io/ebs-additional-resource-tags: "Team=devops,Env=prod,Project=k8s"

```

Further you can automatically inject this annotation into any `persistentVolumeClaim` or `volumeClaimTemplate`

by adding the annotation in `persistentVolumeClaim` of any namespace config for `k8s-metadata-injector` as shown in `deployment/cm.yaml`

The reason to supports these kind of resources is their importance to cost and usage estimations such that:

* pod will correspond to cpu/mem usages on AWS EC2s

* services will be correspond to AWS Load balancers

* persistentvolumeclaims will correspond to EBS volumes

The ability to automatically inject labels and annotations to the previous resources based on namespaces will simplify the classification and grouping of cluster resources that corresponds to AWS resources. It could be used with other tools for cost estimations like Cloudhealth.

To exclude resources from metadata injection you can use the following annotation:

```yaml

k8s-metadata-injector.kubernetes.io/skip": "true"

```

**Note:** the `kube-system` and `kube-public` namespaces are excluded from injection.

## Installation

To install `k8s-metadata-injector`:

* Ensure that MutatingAdmissionWebhook admission controllers are enabled.

* Ensure that the admissionregistration.k8s.io/v1beta1 API is enabled.

* For AWS, if tagging EBS volumes is needed, then `ebs-tagging` should be `true` in containers command line arguments. 

Then modify the config in `metadataconfig.yaml` as desired to inject the annotations and labels to all defined namespaces, and deploy:

```bash

kubectl apply -k install

```

### Namespace Configuration (`metadataconfig.yaml`):

* For version `2.0.0` and later, the metadata is configured by namespace. Further you can configure default values for all namespaces (even if not configured) by using `"*"`. For configured namespaces, the default values will be merged with namespace configuration such that namespaces will always override the default values.

Also, you can ignore namespaces from injection (`kube-system` and `kube-public` are ignored by default) by using `ignoredNamespaces` (`v2.0.0` only). For example:

```yaml

ignoredNamespaces:

    - ns1

    - ns2

    ...

namespaces:

    "*":

        pod:

        ...

        service:

        ...

        persistentVolumeClaim:

        ...

    default:

        pod:

            annotations:

                key: value

                ...

            lables:

                key: value

                ...

        service:

            annotations:

                key: value

                ...

            lables:

                key: value

                ...

        ...

    other_namespace:

        ...

    ...

```

For version `1.x.x`, the metadata is configured by resource types. For example

```yaml

pod:

    default:

        annotations:

            key: value

            ...

        lables:

            key: value

            ...

    other_namespace:

        ...

service:

    default:

        annotations:

            key: value

            ...

        lables:

            key: value

            ...          

    other_namespace:

        ...

...

```

### Required IAM policy:

To tag EBS volumes based on `ebs-tagger.kubernetes.io/ebs-additional-resource-tags` annotation, the following policy is needed:

```json

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Action": [

                "ec2:CreateTags"

            ],

            "Resource": "arn:aws:ec2:*:*:volume/*",

            "Effect": "Allow"

        }

    ]

}

```

In `deployment/install.yaml` kube2iam annotation `iam.amazonaws.com/role: KubernetesEBSCreateTagsAccess` is used as an example to allow `ebs-tagger` (small controller in k8s-metadata-injector) to tag EBS volumes.

## Build

To build `k8s-metadata-injector` as a docker container:

```bash

docker build -t abdullahalmariah/k8s-metadata-injector:latest .

docker push abdullahalmariah/k8s-metadata-injector:latest

```