Configurable task role
Configurable task role via `iam.amazonaws.com/role`, which is also used by kube2iam.
committed by
Robbie Zhang
parent
e66d36308c
commit
bb5dbdbd6e
@@ -221,6 +221,9 @@ func (c *Cluster) loadPodState() error {
|
|||||||
pod.uid = k8sTypes.UID(*task.StartedBy)
|
pod.uid = k8sTypes.UID(*task.StartedBy)
|
||||||
pod.taskDefArn = *task.TaskDefinitionArn
|
pod.taskDefArn = *task.TaskDefinitionArn
|
||||||
pod.taskArn = *task.TaskArn
|
pod.taskArn = *task.TaskArn
|
||||||
|
if taskDef.TaskRoleArn != nil {
|
||||||
|
pod.taskRoleArn = *taskDef.TaskRoleArn
|
||||||
|
}
|
||||||
pod.taskStatus = *task.LastStatus
|
pod.taskStatus = *task.LastStatus
|
||||||
pod.taskRefreshTime = time.Now()
|
pod.taskRefreshTime = time.Now()
|
||||||
|
|
||||||
|
|||||||
@@ -33,6 +33,9 @@ const (
|
|||||||
|
|
||||||
// Reason used for task state changes.
|
// Reason used for task state changes.
|
||||||
taskGenericReason = "Initiated by user"
|
taskGenericReason = "Initiated by user"
|
||||||
|
|
||||||
|
// Annotation to configure the task role.
|
||||||
|
taskRoleAnnotation = "iam.amazonaws.com/role"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Pod is the representation of a Kubernetes pod in Fargate.
|
// Pod is the representation of a Kubernetes pod in Fargate.
|
||||||
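Review bot: The doc comment on `taskRoleAnnotation` should say what the value is used for and which forms it accepts, because the key is borrowed from kube2iam, which accepts either a bare role name or a full ARN, and users copying an existing kube2iam annotation will expect the same. Whether ECS's TaskRoleArn accepts a short role name as well as a full ARN should be confirmed and then stated, e.g. `// Annotation to configure the task role. The value is passed verbatim as the ECS task definition's TaskRoleArn; the key is shared with kube2iam.` Without this the only hint is the annotation string itself.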
@@ -46,6 +49,7 @@ type Pod struct {
|
|||||||
cluster *Cluster
|
cluster *Cluster
|
||||||
taskDefArn string
|
taskDefArn string
|
||||||
taskArn string
|
taskArn string
|
||||||
|
taskRoleArn string
|
||||||
taskStatus string
|
taskStatus string
|
||||||
taskRefreshTime time.Time
|
taskRefreshTime time.Time
|
||||||
taskCPU int64
|
taskCPU int64
|
||||||
@@ -104,6 +108,11 @@ func NewPod(cluster *Cluster, pod *corev1.Pod) (*Pod, error) {
|
|||||||
taskDef.Cpu = aws.String(strconv.Itoa(int(fgPod.taskCPU)))
|
taskDef.Cpu = aws.String(strconv.Itoa(int(fgPod.taskCPU)))
|
||||||
taskDef.Memory = aws.String(strconv.Itoa(int(fgPod.taskMemory)))
|
taskDef.Memory = aws.String(strconv.Itoa(int(fgPod.taskMemory)))
|
||||||
|
|
||||||
|
if val, ok := pod.Annotations[taskRoleAnnotation]; ok {
|
||||||
|
taskDef.TaskRoleArn = aws.String(val)
|
||||||
|
fgPod.taskRoleArn = *taskDef.TaskRoleArn
|
||||||
|
}
|
||||||
|
|
||||||
// Register the task definition with Fargate.
|
// Register the task definition with Fargate.
|
||||||
log.Printf("RegisterTaskDefinition input:%+v", taskDef)
|
log.Printf("RegisterTaskDefinition input:%+v", taskDef)
|
||||||
output, err := api.RegisterTaskDefinition(taskDef)
|
output, err := api.RegisterTaskDefinition(taskDef)
|
||||||
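Review bot: The value read from `pod.Annotations[taskRoleAnnotation]` goes straight into `taskDef.TaskRoleArn` with no validation, so effectively whatever roles the controller's own credentials are permitted to pass to ECS become selectable by anyone who can create a pod in this cluster. kube2iam, whose annotation key this reuses, bounds that with a namespace-level list of allowed roles; the equivalent here would be to reject the value unless it matches a configured allowlist (or at minimum is a well-formed role ARN) before `api.RegisterTaskDefinition` is called, and to document that the controller's IAM policy should scope `iam:PassRole` to the roles pods are meant to use rather than `*`. A rejected annotation should surface as an error from NewPod rather than silently registering the task without a role. Separately, `fgPod.taskRoleArn = *taskDef.TaskRoleArn` can simply be `fgPod.taskRoleArn = val`. NewPod's body begins and ends outside the hunk.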
@@ -372,15 +381,22 @@ func (pod *Pod) getSpec(task *ecs.Task) (*corev1.Pod, error) {
|
|||||||
containers = append(containers, cntr)
|
containers = append(containers, cntr)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
annotations := make(map[string]string)
|
||||||
|
|
||||||
|
if pod.taskRoleArn != "" {
|
||||||
|
annotations[taskRoleAnnotation] = pod.taskRoleArn
|
||||||
|
}
|
||||||
|
|
||||||
podSpec := corev1.Pod{
|
podSpec := corev1.Pod{
|
||||||
TypeMeta: metav1.TypeMeta{
|
TypeMeta: metav1.TypeMeta{
|
||||||
Kind: "Pod",
|
Kind: "Pod",
|
||||||
APIVersion: "v1",
|
APIVersion: "v1",
|
||||||
},
|
},
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: pod.namespace,
|
Namespace: pod.namespace,
|
||||||
Name: pod.name,
|
Name: pod.name,
|
||||||
UID: pod.uid,
|
UID: pod.uid,
|
||||||
|
Annotations: annotations,
|
||||||
},
|
},
|
||||||
Spec: corev1.PodSpec{
|
Spec: corev1.PodSpec{
|
||||||
NodeName: pod.cluster.nodeName,
|
NodeName: pod.cluster.nodeName,
|
||||||
|
|||||||
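Review bot: `annotations := make(map[string]string)` allocates on every call and leaves `Annotations` as an empty map when no role is configured, whereas before this change the field was left nil; a `var annotations map[string]string` followed by `annotations = map[string]string{taskRoleAnnotation: pod.taskRoleArn}` inside the `if` keeps the nil-when-unset behavior and avoids the allocation. This is a style point only; the serialized form is the same either way. getSpec's body begins and ends outside the hunk.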