Configurable task role
Configurable task role via `iam.amazonaws.com/role`, which is also used by kube2iam.
This commit is contained in:
Johannes Würbach
committed by
Robbie Zhang
Robbie Zhang
parent
e66d36308c
commit
bb5dbdbd6e
@@ -221,6 +221,9 @@ func (c *Cluster) loadPodState() error {
|
||||
pod.uid = k8sTypes.UID(*task.StartedBy)
|
||||
pod.taskDefArn = *task.TaskDefinitionArn
|
||||
pod.taskArn = *task.TaskArn
|
||||
if taskDef.TaskRoleArn != nil {
|
||||
pod.taskRoleArn = *taskDef.TaskRoleArn
|
||||
}
|
||||
pod.taskStatus = *task.LastStatus
|
||||
pod.taskRefreshTime = time.Now()
|
||||
|
||||
|
||||
@@ -33,6 +33,9 @@ const (
|
||||
|
||||
// Reason used for task state changes.
|
||||
taskGenericReason = "Initiated by user"
|
||||
|
||||
// Annotation to configure the task role.
|
||||
taskRoleAnnotation = "iam.amazonaws.com/role"
|
||||
)
|
||||
|
||||
// Pod is the representation of a Kubernetes pod in Fargate.
|
||||
@@ -46,6 +49,7 @@ type Pod struct {
|
||||
cluster *Cluster
|
||||
taskDefArn string
|
||||
taskArn string
|
||||
taskRoleArn string
|
||||
taskStatus string
|
||||
taskRefreshTime time.Time
|
||||
taskCPU int64
|
||||
@@ -104,6 +108,11 @@ func NewPod(cluster *Cluster, pod *corev1.Pod) (*Pod, error) {
|
||||
taskDef.Cpu = aws.String(strconv.Itoa(int(fgPod.taskCPU)))
|
||||
taskDef.Memory = aws.String(strconv.Itoa(int(fgPod.taskMemory)))
|
||||
|
||||
if val, ok := pod.Annotations[taskRoleAnnotation]; ok {
|
||||
taskDef.TaskRoleArn = aws.String(val)
|
||||
fgPod.taskRoleArn = *taskDef.TaskRoleArn
|
||||
}
|
||||
|
||||
// Register the task definition with Fargate.
|
||||
log.Printf("RegisterTaskDefinition input:%+v", taskDef)
|
||||
output, err := api.RegisterTaskDefinition(taskDef)
|
||||
@@ -372,6 +381,12 @@ func (pod *Pod) getSpec(task *ecs.Task) (*corev1.Pod, error) {
|
||||
containers = append(containers, cntr)
|
||||
}
|
||||
|
||||
annotations := make(map[string]string)
|
||||
|
||||
if pod.taskRoleArn != "" {
|
||||
annotations[taskRoleAnnotation] = pod.taskRoleArn
|
||||
}
|
||||
|
||||
podSpec := corev1.Pod{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: "Pod",
|
||||
@@ -381,6 +396,7 @@ func (pod *Pod) getSpec(task *ecs.Task) (*corev1.Pod, error) {
|
||||
Namespace: pod.namespace,
|
||||
Name: pod.name,
|
||||
UID: pod.uid,
|
||||
Annotations: annotations,
|
||||
},
|
||||
Spec: corev1.PodSpec{
|
||||
NodeName: pod.cluster.nodeName,
|
||||
|
||||
Reference in New Issue
Block a user