https://github.com/aws-observability/aws-sigv4-proxy-admission-controller

This project creates a mutation admission controller that injects AWS SIGv4 proxy as a sidecar.

# AWS SIGv4 Proxy Admission Controller

The mutating admission controller injects the [AWS SIGv4 Proxy](https://github.com/awslabs/aws-sigv4-proxy) as a sidecar into a pod when the pod template in the Deployment manifest carries the annotations listed below, or when the pod's namespace carries the corresponding labels.

## Getting Started

A helm chart exists to deploy all the resources needed to use the admission controller here: https://github.com/aws/eks-charts/tree/master/stable/aws-sigv4-proxy-admission-controller/.

### Installing the Controller via Helm Chart

Add the EKS repository to Helm:

```bash
helm repo add eks https://aws.github.io/eks-charts
```

Install the AWS SIGv4 Admission Controller chart with default configuration:

```bash
helm install aws-sigv4-proxy-admission-controller eks/aws-sigv4-proxy-admission-controller --namespace <namespace>
```

### Uninstalling the Helm Chart

To uninstall/delete the `aws-sigv4-proxy-admission-controller` release:

```bash
helm uninstall aws-sigv4-proxy-admission-controller --namespace <namespace>
```

### Doing It Yourself

If you want to build the image yourself, set the image repository, image name and tag variables in the Makefile, then use the targets below.

Build and push image
```
make all
```

Build image
```
make build-image
```

Push image
```
make push-image
```

Run tests
```
make test
```

You can override the admission controller image and other parameters in the [admission controller helm chart](https://github.com/aws/eks-charts/tree/master/stable/aws-sigv4-proxy-admission-controller).

## Usage

### Configuration

For each row in the table below, set either the pod annotation or the namespace label; you do not need both. Rows marked ✔ must be configured one way or the other, and the value shown in angle brackets is what you supply.

| Annotation | Namespace Label | Required |
| - | - | - |
| `sidecar.aws.signing-proxy/inject: true` | `sidecar-inject=true` | ✔ |
| `sidecar.aws.signing-proxy/host: <host>` | `sidecar-host=<host>` | ✔ |
| `sidecar.aws.signing-proxy/name: <name>` | `sidecar-host=<name>` | |
| `sidecar.aws.signing-proxy/region: <region>` | `sidecar-host=<region>` | |
| `sidecar.aws.signing-proxy/role-arn: <role-arn>` | `sidecar-role-arn=<role-arn>` | |
| `sidecar.aws.signing-proxy/unsigned-payload: <unsigned-payload>` | `unsigned-payload=<unsigned-payload>` | |
| `sidecar.aws.signing-proxy/upstream-url-scheme: <upstream-url-scheme>` | `upstream-url-scheme=<upstream-url-scheme>` | |

For more information on the above annotations / namespace labels, please refer to the documentation in the [AWS SIGv4 Proxy](https://github.com/awslabs/aws-sigv4-proxy) repository.

#### Example Deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
  namespace: sidecar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      annotations:
        sidecar.aws.signing-proxy/inject: "true"
        sidecar.aws.signing-proxy/host: "aps.us-west-2.amazonaws.com"
        sidecar.aws.signing-proxy/name: "aps"
        sidecar.aws.signing-proxy/region: "us-west-2"
        sidecar.aws.signing-proxy/role-arn: "arn:aws:iam::123456789:role/assume-role"
        sidecar.aws.signing-proxy/unsigned-payload: "false"
      labels:
        app: sleep
    spec:
      containers:
      - name: sleep
        image: tutum/curl
        command: ["/bin/sleep", "infinity"]
        imagePullPolicy: IfNotPresent
```

To see the AWS SIGv4 Proxy injected as a sidecar into this deployment: save the manifest above as `test-deploy.yaml`, make sure the admission controller Helm chart is installed in your Kubernetes cluster, and run:

```bash
kubectl create namespace sidecar
kubectl create -f test-deploy.yaml
kubectl get pod -n sidecar
```

The `sleep` pod should report two containers ready (`READY 2/2`): the `sleep` container from the manifest and the injected AWS SIGv4 Proxy sidecar.
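The table and example above describe what the webhook reads from a pod; the Go program below is an added example, not the project's own code, showing how a mutating webhook could turn that input into a sidecar. It resolves each setting from the pod annotation first and the namespace label second (that precedence is an assumption; the README only says either one suffices), refuses to inject when the required host is missing, maps the result onto aws-sigv4-proxy command-line flags, and emits the RFC 6902 JSON patch that appends the sidecar container. The label names `sidecar-name` and `sidecar-region`, the container name, the image reference and the exact proxy flag names are assumptions to verify against the versions you deploy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const annPrefix = "sidecar.aws.signing-proxy/" // prefix of every annotation in the table above

// setting pairs an annotation key with its namespace-label equivalent.
type setting struct{ ann, label string }

var (
	sInject   = setting{annPrefix + "inject", "sidecar-inject"}
	sHost     = setting{annPrefix + "host", "sidecar-host"}
	sName     = setting{annPrefix + "name", "sidecar-name"}     // label name assumed
	sRegion   = setting{annPrefix + "region", "sidecar-region"} // label name assumed
	sRoleARN  = setting{annPrefix + "role-arn", "sidecar-role-arn"}
	sUnsigned = setting{annPrefix + "unsigned-payload", "unsigned-payload"}
	sScheme   = setting{annPrefix + "upstream-url-scheme", "upstream-url-scheme"}
)

// PodMeta is what the webhook reads from the AdmissionReview: pod annotations plus namespace labels.
type PodMeta struct {
	Annotations     map[string]string
	NamespaceLabels map[string]string
}

type ProxyConfig struct {
	Host, Name, Region, RoleARN, UpstreamScheme string
	UnsignedPayload                             bool
}

// lookup prefers the pod annotation and falls back to the namespace label (precedence assumed).
func (m PodMeta) lookup(s setting) (string, bool) {
	if v, ok := m.Annotations[s.ann]; ok {
		return v, true
	}
	v, ok := m.NamespaceLabels[s.label]
	return v, ok
}

// Resolve reports whether injection was requested and builds the config; host is required once it is.
func Resolve(m PodMeta) (ProxyConfig, bool, error) {
	inject, _ := m.lookup(sInject)
	if !strings.EqualFold(strings.TrimSpace(inject), "true") {
		return ProxyConfig{}, false, nil
	}
	host, _ := m.lookup(sHost)
	if strings.TrimSpace(host) == "" {
		return ProxyConfig{}, true, fmt.Errorf("%sinject requested but no host configured", annPrefix)
	}
	cfg := ProxyConfig{Host: host}
	cfg.Name, _ = m.lookup(sName)
	cfg.Region, _ = m.lookup(sRegion)
	cfg.RoleARN, _ = m.lookup(sRoleARN)
	cfg.UpstreamScheme, _ = m.lookup(sScheme)
	unsigned, _ := m.lookup(sUnsigned)
	cfg.UnsignedPayload = strings.EqualFold(unsigned, "true")
	return cfg, true, nil
}

// SidecarArgs maps the config onto aws-sigv4-proxy flags (flag names assumed from the proxy's README).
func SidecarArgs(cfg ProxyConfig) []string {
	args := []string{"--host", cfg.Host}
	for _, kv := range [][2]string{{"--name", cfg.Name}, {"--region", cfg.Region},
		{"--role-arn", cfg.RoleARN}, {"--upstream-url-scheme", cfg.UpstreamScheme}} {
		if kv[1] != "" {
			args = append(args, kv[0], kv[1])
		}
	}
	if cfg.UnsignedPayload {
		args = append(args, "--unsigned-payload")
	}
	return args
}

// BuildPatch returns the JSON patch for AdmissionResponse.patch, or nil when the pod is left alone.
// A missing host is returned as an error so the webhook can deny instead of injecting a half-configured proxy.
func BuildPatch(m PodMeta) ([]byte, error) {
	cfg, inject, err := Resolve(m)
	if err != nil || !inject {
		return nil, err
	}
	container := map[string]interface{}{
		"name":  "aws-sigv4-proxy",                                           // container name assumed
		"image": "public.ecr.aws/aws-observability/aws-sigv4-proxy:PIN_ME", // placeholder: pin a digest
		"args":  SidecarArgs(cfg),
	}
	return json.Marshal([]map[string]interface{}{{"op": "add", "path": "/spec/containers/-", "value": container}})
}

func main() {
	// Constructed input: the inject and host annotations from the example Deployment above.
	p, err := BuildPatch(PodMeta{Annotations: map[string]string{annPrefix + "inject": "true", annPrefix + "host": "aps.us-west-2.amazonaws.com"}})
	fmt.Println(string(p), err)
}
```

The patch uses the `/spec/containers/-` append path rather than a fixed index so it cannot clobber an application container, and the webhook should deny on the host error rather than admit the pod unmodified: an unsigned request to an AWS endpoint fails loudly, but a pod silently running without its signing proxy is harder to notice.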

## Security

See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.

## License

This project is licensed under the Apache-2.0 License.