Using kubernetes operator.knative.dev with iam.aws.rustrial.org
When integrating Knative with Kubernetes on AWS, you typically follow these steps:
- Set Up an EKS Cluster: Deploy an Amazon EKS cluster, which will host your Kubernetes workloads. EKS manages the Kubernetes control plane for you, which simplifies cluster management.
- Define IAM Roles for Service Accounts (IRSA): IRSA lets you associate an AWS IAM role with a Kubernetes service account. This gives your Knative services running on EKS the permissions they need to interact with other AWS services.
- Install the Knative Operator: The Knative Operator is a method of installing, updating, and managing Knative components.
- Configure Knative Serving or Eventing: Once the operator is installed, configure either Knative Serving for deploying and running serverless applications, or Knative Eventing for managing event subscriptions and delivery.
- Deploy Applications using Knative: With Knative and AWS IRSA set up, you can now deploy serverless applications that scale automatically and have fine-grained access control to AWS resources.
The resources you would need are:
- An EKS cluster provisioned (`aws.eks.Cluster`)
- IAM roles and policies, possibly an IAM role for the EKS service and one that the Knative service account can assume (`aws.iam.Role`)
- A Kubernetes service account linked to the AWS IAM role through IRSA (`aws.eks.PodIdentityAssociation`)
- The Knative Operator, which is generally installed using `kubectl` after your Kubernetes cluster is up and running
Below is a Pulumi program written in TypeScript that sets up the basics for this integration. The program focuses on provisioning the necessary AWS resources with Pulumi, while the Knative operator setup usually involves `kubectl` commands once the cluster is ready.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";

// Namespace and name of the Kubernetes service account your Knative services run as.
const knativeNamespace = "knative-serving";
const knativeServiceAccount = "service-account-name"; // replace with your service account name

// Create an EKS cluster. createOidcProvider registers the cluster's OIDC issuer as an
// IAM identity provider, which IRSA requires.
const cluster = new eks.Cluster("my-knative-cluster", {
    createOidcProvider: true,
    // Specify the desired settings for your cluster here.
    // For example, you can define the number of nodes, node types, networking, and more.
});

// The OIDC provider only exists because createOidcProvider is true above.
const oidcProvider = pulumi.output(cluster.core.oidcProvider).apply(p => p!);
const oidcProviderArn = oidcProvider.apply(p => p.arn);
// IAM condition keys are named after the issuer URL without the "https://" prefix.
const oidcIssuer = oidcProvider.apply(p => p.url).apply(url => url.replace(/^https:\/\//, ""));

// Trust policy for the role. The :sub condition pins it to one service account in one
// namespace; without it, any service account in the cluster could assume the role.
const assumeRolePolicy = aws.iam.getPolicyDocumentOutput({
    statements: [
        {
            // IRSA: the cluster's OIDC provider is the federated principal.
            actions: ["sts:AssumeRoleWithWebIdentity"],
            principals: [{ type: "Federated", identifiers: [oidcProviderArn] }],
            conditions: [
                {
                    test: "StringEquals",
                    variable: pulumi.interpolate`${oidcIssuer}:sub`,
                    values: [`system:serviceaccount:${knativeNamespace}:${knativeServiceAccount}`],
                },
                {
                    test: "StringEquals",
                    variable: pulumi.interpolate`${oidcIssuer}:aud`,
                    values: ["sts.amazonaws.com"],
                },
            ],
        },
        {
            // EKS Pod Identity, which PodIdentityAssociation below relies on, assumes the role
            // through the pods.eks.amazonaws.com service principal rather than the OIDC provider.
            actions: ["sts:AssumeRole", "sts:TagSession"],
            principals: [{ type: "Service", identifiers: ["pods.eks.amazonaws.com"] }],
        },
    ],
});

// Create an IAM Role for the Knative service account to interact with AWS services.
const knativeServiceAccountRole = new aws.iam.Role("knative-service-account-role", {
    assumeRolePolicy: assumeRolePolicy.json,
    // Define the permissions for the role separately (for example with aws.iam.RolePolicyAttachment).
    // Typically, you will attach policies which grant permissions to interact with the AWS
    // services that your Knative services need; the role carries no permissions on its own.
});

// Associate the IAM role with the Kubernetes service account. For IRSA, the ServiceAccount
// object in the cluster also needs the eks.amazonaws.com/role-arn annotation set to the role ARN.
const knativeServiceAccountAssociation = new aws.eks.PodIdentityAssociation("knative-pod-identity-association", {
    clusterName: cluster.eksCluster.name,
    roleArn: knativeServiceAccountRole.arn,
    namespace: knativeNamespace,
    serviceAccount: knativeServiceAccount,
});

export const eksClusterName = cluster.eksCluster.name;
export const knativeServiceAccountRoleArn = knativeServiceAccountRole.arn;
```
The above program sets up an EKS cluster and creates an IAM role that Knative's service account will use. This IAM role has a trust relationship that allows it to be assumed by a service account within the cluster. The `PodIdentityAssociation` resource links the IAM role to a Kubernetes service account.

Important Notes:
- Replace `service-account-name` with the name of the service account used by your Knative services within the `knative-serving` namespace.
- Attach the specific AWS policies to `knativeServiceAccountRole` that grant the permissions your application needs.
- The IAM role's trust relationship is set to work with the OIDC identity provider that is created for your EKS cluster, enabling the Kubernetes service account to assume the role.
- The actual Knative Operator installation will need to be performed separately using `kubectl` once your cluster is ready. Pulumi does not manage the Knative installation directly, as it is a set of Kubernetes resources to be managed after cluster creation.
- To manage Knative installations, you would typically use `kubectl apply` with YAML files that define the Knative operator and components, which isn't something Pulumi does as it falls outside the infrastructure provisioning process.
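As an added example that is not part of the original program: a TypeScript check over a rendered IAM trust policy document (the JSON that `assumeRolePolicy` becomes) confirming that the IRSA statement names the cluster's OIDC provider and pins the `:sub` claim to exactly one service account. The issuer, account id and both policy documents are constructed placeholders, and the function applies to any IRSA role, not only the Knative one.

```typescript
type StringMap = { [key: string]: string | string[] };
interface Statement {
  Effect: string;
  Action: string | string[];
  Principal?: { Federated?: string | string[]; Service?: string | string[] };
  Condition?: { [test: string]: StringMap };
}
interface PolicyDocument { Version: string; Statement: Statement[]; }
function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}
// Returns findings; an empty list means every IRSA statement is pinned to the expected
// service account. oidcIssuer is the cluster's issuer host and path without "https://".
function checkIrsaTrustPolicy(doc: PolicyDocument, oidcIssuer: string,
                              namespace: string, serviceAccount: string): string[] {
  const findings: string[] = [];
  const expectedSub = `system:serviceaccount:${namespace}:${serviceAccount}`;
  const providerSuffix = `:oidc-provider/${oidcIssuer}`;
  let irsaStatements = 0;
  doc.Statement.forEach((st, i) => {
    if (st.Effect !== "Allow" || asList(st.Action).indexOf("sts:AssumeRoleWithWebIdentity") < 0) return;
    irsaStatements++;
    const federated = asList(st.Principal && st.Principal.Federated);
    if (!federated.length || !federated.every(a => a.slice(-providerSuffix.length) === providerSuffix))
      findings.push(`statement ${i}: Federated principal is not the cluster OIDC provider`);
    const cond: { [test: string]: StringMap } = st.Condition || {};
    const eq: StringMap = cond.StringEquals || {}, like: StringMap = cond.StringLike || {};
    const subs = asList(eq[`${oidcIssuer}:sub`]).concat(asList(like[`${oidcIssuer}:sub`]));
    if (subs.length === 0)
      findings.push(`statement ${i}: no :sub condition, any service account in the cluster may assume the role`);
    else if (subs.some(s => /[*?]/.test(s)))
      findings.push(`statement ${i}: wildcard in :sub condition (${subs.join(", ")})`);
    else if (!subs.every(s => s === expectedSub))
      findings.push(`statement ${i}: :sub admits ${subs.join(", ")}, expected ${expectedSub}`);
    if (asList(eq[`${oidcIssuer}:aud`]).indexOf("sts.amazonaws.com") < 0)
      findings.push(`statement ${i}: missing :aud condition for sts.amazonaws.com`);
  });
  if (irsaStatements === 0) findings.push("no sts:AssumeRoleWithWebIdentity statement found");
  return findings;
}
// Constructed samples with a placeholder issuer and account id, in the shape the program above renders.
const ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789";
const trustPolicy = (stringEquals: StringMap): PolicyDocument => ({ Version: "2012-10-17", Statement: [{
  Effect: "Allow", Action: "sts:AssumeRoleWithWebIdentity",
  Principal: { Federated: `arn:aws:iam::123456789012:oidc-provider/${ISSUER}` },
  Condition: { StringEquals: stringEquals } }] });
const scopedPolicy = trustPolicy({ [`${ISSUER}:sub`]: "system:serviceaccount:knative-serving:service-account-name",
                                   [`${ISSUER}:aud`]: "sts.amazonaws.com" });
const unscopedPolicy = trustPolicy({ [`${ISSUER}:aud`]: "sts.amazonaws.com" }); // :sub dropped: any service account in the cluster satisfies it
```

Run the check against the trust policy you export from the Pulumi stack (for example after `pulumi stack output`) before attaching any permissions to the role.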
This is the foundational infrastructure setup. Once this is complete, you would install Knative and configure it to use the service account linked to the AWS IAM role for operations requiring AWS resources.