Initial commit from kro/examples/aws/eks-cluster-mgmt

2026-04-21 09:55:53 -03:00
parent 0585444299
commit 7d11fd5889
66 changed files with 3667 additions and 0 deletions
@@ -0,0 +1,80 @@
+apiVersion: kro.run/v1alpha1
+kind: ResourceGroup
+metadata:
+  name: podidentity.kro.run
+  annotations:
+    argocd.argoproj.io/sync-wave: "-5"
+spec:
+  schema:
+    apiVersion: v1alpha1
+    kind: PodIdentity  
+    spec:
+      name: string | default="pod-identity"
+      values:
+        aws:
+          clusterName: string
+        policy:
+          description: 'string | default="Test Description"'
+          path: 'string | default="/"'
+          policyDocument: string | default=""
+        piAssociation:
+          serviceAccount: string
+          piNamespace: string
+    status:
+      policyStatus: ${podpolicy.status.conditions}
+      roleStatus: ${podrole.status.conditions}
+  resources:
+  - id: podpolicy
+    readyWhen:
+      - ${podpolicy.status.conditions[0].status == "True"}
+    template:
+      apiVersion: iam.services.k8s.aws/v1alpha1
+      kind: Policy
+      metadata:
+        name: ${schema.spec.name}-pod-policy
+      spec:
+        name: ${schema.spec.name}-pod-policy
+        description: ${schema.spec.values.policy.description}
+        path: ${schema.spec.values.policy.path}
+        policyDocument: ${schema.spec.values.policy.policyDocument}
+  - id: podrole
+    readyWhen:
+      - ${podrole.status.conditions[0].status == "True"}
+    template:
+      apiVersion: iam.services.k8s.aws/v1alpha1
+      kind: Role
+      metadata:
+        name: ${schema.spec.name}-role
+      spec:
+        name: ${schema.spec.name}-role               
+        policies:
+          - ${podpolicy.status.ackResourceMetadata.arn}
+        assumeRolePolicyDocument: |
+          {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Principal": {
+                  "Service": "pods.eks.amazonaws.com"
+                },
+                "Action": [
+                  "sts:TagSession",
+                  "sts:AssumeRole"
+                ]
+              }
+            ]
+          }
+  - id: piAssociation
+    readyWhen:
+      - ${piAssociation.status.conditions[0].status == "True"}
+    template:
+      apiVersion: eks.services.k8s.aws/v1alpha1
+      kind: PodIdentityAssociation
+      metadata:
+        name: ${schema.spec.name}-pod-association-${schema.spec.values.piAssociation.serviceAccount}
+      spec:
+        clusterName: ${schema.spec.values.aws.clusterName}
+        roleARN: ${podrole.status.ackResourceMetadata.arn}
+        serviceAccount: ${schema.spec.values.piAssociation.serviceAccount}
+        namespace: ${schema.spec.values.piAssociation.piNamespace}