sia

package
package v1.10.28
Published: Jul 29, 2021 License: Apache-2.0 Imports: 14 Imported by: 0

README

SIA for AWS EKS

Configuration

SIA EKS requires a configuration file at /etc/sia/sia_config with the following required attributes:

{
    "version": "1.0.0",
    "service": "application-service-name",
    "accounts": [
        {
            "domain":  "application-domain-name",
            "account": "application-account-aws-id"
        }
    ]
}

The AWS account administrator must create an IAM role named <application-domain-name>.<application-service-name>. This role must be set up with a trust relationship whose trusted entity is the EKS IAM role for the Kubernetes service account that the application will use.

The SIA configuration file provides a way to change the default user and group that own the private key. By default, the private key is owned by user root and readable by group athenz. To give another user access to the service identity private key, add that user to the group athenz. To change the user and group values themselves, the config file must contain the following optional fields:

{
    "version": "1.0.0",
    "service": "application-service-name",
    "accounts": [
        {
            "domain":  "application-domain-name",
            "account": "application-account-aws-id",
            "user": "unix-username",
            "group": "unix-groupname"
        }
    ]
}
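The two config layouts above differ only in the optional user and group fields. As an added example (not part of the sia package), the following Go program parses a sia_config document, rejects missing required attributes, fills in the documented root/athenz ownership defaults, and derives the <domain>.<service> IAM role name the administrator must create; the struct names, the service "api", the domain "sports" and the account id are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Account is one "accounts" entry; user/group are optional (README defaults: root/athenz).
type Account struct {
	Domain  string `json:"domain"`
	Account string `json:"account"`
	User    string `json:"user,omitempty"`
	Group   string `json:"group,omitempty"`
}

// Config is the sia_config document; version, service and accounts are required.
type Config struct {
	Version  string    `json:"version"`
	Service  string    `json:"service"`
	Accounts []Account `json:"accounts"`
}

// ParseConfig decodes raw JSON, rejects missing required fields and applies the key-ownership defaults.
func ParseConfig(raw []byte) (*Config, error) {
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("sia_config: %w", err)
	}
	if cfg.Version == "" || cfg.Service == "" || len(cfg.Accounts) == 0 {
		return nil, fmt.Errorf("sia_config: version, service and accounts are required")
	}
	for i := range cfg.Accounts {
		a := &cfg.Accounts[i]
		if a.Domain == "" || a.Account == "" {
			return nil, fmt.Errorf("sia_config: accounts[%d] needs domain and account", i)
		}
		if a.User == "" {
			a.User = "root" // private key owner when "user" is omitted
		}
		if a.Group == "" {
			a.Group = "athenz" // group that may read the private key when "group" is omitted
		}
	}
	return &cfg, nil
}

// IAMRoleName is the <domain>.<service> IAM role the README says the AWS account admin must create.
func IAMRoleName(cfg *Config, a Account) string { return a.Domain + "." + cfg.Service }
// sample is a constructed config (values are not from the page) for a stand-alone run.
const sample = `{"version":"1.0.0","service":"api","accounts":[{"domain":"sports","account":"123456789012"}]}`
func main() { fmt.Println(ParseConfig([]byte(sample))) }
```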

SIA-EKS can be built with the following parameters, e.g.

GOOS=linux go install -ldflags "-X main.Version=1.0.0 -X main.ZtsEndPoint=zts.athenz.io -X main.DnsDomain=aws.athenz.cloud -X main.ProviderPrefix=athenz.aws" ./...

Alternatively, those parameters can be passed at runtime; runtime parameters take precedence over build-time parameters.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetAttestationData

func GetAttestationData(domain, service, account, region string, useRegionalSTS bool, sysLogger io.Writer) (*attestation.AttestationData, error)

GetAttestationData creates a new AttestationData from the values passed to it and from the result of the STS AssumeRole call.

func GetEKSPodId

func GetEKSPodId() string

func GetRoleCertificate

func GetRoleCertificate(ztsUrl, svcKeyFile, svcCertFile string, opts *options.Options, sysLogger io.Writer) bool

func RefreshInstance

func RefreshInstance(data []*attestation.AttestationData, ztsUrl string, opts *options.Options, region string, sysLogger io.Writer) error

func RegisterInstance

func RegisterInstance(data []*attestation.AttestationData, ztsUrl string, opts *options.Options, region string, sysLogger io.Writer) error

Types

This section is empty.

Directories

Path Synopsis
cmd
devel
