fixes #16 by addind max session duration to role

redradrat · Nov 27, 2020 · 54e6ee5 · 54e6ee5
1 parent 59faed4
commit 54e6ee5
Show file tree

Hide file tree

Showing 6 changed files with 192 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -72,6 +72,7 @@ spec:
         "StringEquals":
           "blablabla": "system:serviceaccount:kube-system:aws-cluster-autoscaler"
   createServiceAccount: true
+  maxSessionDuration: 3600
 ```
 
 Resulting `ServiceAccount`:

diff --git a/api/v1beta1/role_types.go b/api/v1beta1/role_types.go
@@ -36,6 +36,11 @@ type RoleSpec struct {
 	// CreateServiceAccount triggers the creation of an annotated ServiceAccount for the created role
 	CreateServiceAccount bool `json:"createServiceAccount,omitempty"`
 
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// MaxSessionDuration specifies the maximum duration a session with this role assumed can last
+	MaxSessionDuration *int64 `json:"maxSessionDuration,omitempty"`
+
 	// +kubebuilder:validation:Optional
 	//
 	// Description holds the description string for the Role

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/controllers/role_controller.go b/controllers/role_controller.go
@@ -97,14 +97,18 @@ func (r *RoleReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	// new role instance
 	var ins *iam.RoleInstance
 	roleName := r.ResourcePrefix + role.Name
+	var duration int64 = 3600
+	if role.Spec.MaxSessionDuration != nil {
+		duration = *role.Spec.MaxSessionDuration
+	}
 	if role.Status.ARN != "" {
 		parsedArn, err := aws.ARNify(role.Status.ARN)
 		if err != nil {
 			return ctrl.Result{}, errWithStatus(&role, fmt.Errorf("ARN in Role status is not valid/parsable"), r.Status(), ctx)
 		}
-		ins = iam.NewExistingRoleInstance(roleName, role.Spec.Description, polDoc, parsedArn[len(parsedArn)-1])
+		ins = iam.NewExistingRoleInstance(roleName, role.Spec.Description, duration, polDoc, parsedArn[len(parsedArn)-1])
 	} else {
-		ins = iam.NewRoleInstance(roleName, role.Spec.Description, polDoc)
+		ins = iam.NewRoleInstance(roleName, role.Spec.Description, duration, polDoc)
 	}
 
 	cleanupFunc := roleCleanup(r, ctx, role)

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/go-logr/logr v0.1.0
 	github.com/onsi/ginkgo v1.11.0
 	github.com/onsi/gomega v1.8.1
-	github.com/redradrat/cloud-objects v0.0.0-20200618154749-39f65bf1649f
+	github.com/redradrat/cloud-objects v0.0.0-20201127175728-ba53f8138637
 	k8s.io/api v0.17.2
 	k8s.io/apimachinery v0.17.2
 	k8s.io/client-go v0.17.2