To play with the operator

Prerequisites

Setup for your provider

Make sure to check the EC2 section for more details.

Each provider may need a different initial setup. At the moment we support EC2 and RDS; as more integrations are added, check the Integrations page to see whether the service of your choosing is supported.

Try it locally

Grab the code

There are two ways to get the code:

  • Clone the repository
git clone https://github.com/kotaicode/resource-booking-operator.git
  • Pull the image
docker pull kotaicode/resource-booking-operator:latest

Run it

Once we have set up and started a Minikube cluster, we have to apply the manifests with:

make install

Then we are ready to run the operator with:

make run

At this point we should see log output from the running controller, indicating that it is working.

Next, we can move on to managing resources.

Run it on your cluster

Amazon Web Services

Permissions

In order for the operator to control EC2 or RDS instances, it needs permission to describe, start and stop them, and to read and manage their tags. This is a sample policy document granting the necessary permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allowec2",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:StartInstances",
                "ec2:DescribeTags",
                "ec2:StopInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "allowrds",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:StartDBInstance",
                "rds:StopDBInstance",
                "rds:ListTagsForResource",
                "rds:AddTagsToResource",
                "rds:RemoveTagsFromResource"
            ],
            "Resource": "*"
        }
    ]
}

Create a new policy with the permissions above and attach it to an IAM role which the operator can use, e.g. using IAM roles for service accounts.

Note: If your instances use KMS-encrypted EBS volumes, the operator also needs the kms:CreateGrant permission on the respective KMS keys.

Setting it up in EKS (Elastic Kubernetes Service)

  1. Create the required policy granting the permissions.

  2. Follow the AWS instructions to set up an IAM Role for the serviceaccount of the resource-booking-operator.

    Namespace of the operator is resource-booking-operator-system.
    Name of the serviceaccount is resource-booking-operator-controller-manager.

    The required trust policy for the IAM role will look like this (replace $oidc-provider and $accountid with your values):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::$accountid:oidc-provider/$oidc-provider"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "$oidc-provider:sub": "system:serviceaccount:resource-booking-operator-system:resource-booking-operator-controller-manager",
                        "$oidc-provider:aud": "sts.amazonaws.com"
                    }
                }
            }
        ]
    }
    
  3. Build and push the Docker image to your container registry:

    make docker-build && make docker-push
    
  4. Build the manifests and deploy them to your cluster:

    make deploy
    

To make sure the resource booking operator is using the IAM role you created, you need to set the eks.amazonaws.com/role-arn annotation in the serviceaccount to the ARN of the role. Here's how to do this:

  • Find the ARN of the role you created.
  • Open the serviceaccount configuration for the resource booking operator.
  • Set the eks.amazonaws.com/role-arn annotation to the ARN of the role you found.
  • Save the changes to the serviceaccount configuration.

This will ensure that the resource booking operator is using the correct IAM role for its operations.
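As an added example (not code from the resource-booking-operator project), the following POSIX shell script renders the trust policy from step 2 with your account id and OIDC provider filled in, and prints the kubectl command that sets the eks.amazonaws.com/role-arn annotation described above. The role name resource-booking-operator and the issuer URL in the usage comment are assumptions; the sub condition is what pins the role to exactly one serviceaccount, so the namespace and name must match the ones listed above.

```shell
#!/bin/sh
# Added example, not part of the resource-booking-operator project.
# Namespace and serviceaccount name as documented for the operator.
OPERATOR_NS="resource-booking-operator-system"
OPERATOR_SA="resource-booking-operator-controller-manager"

# Turn an OIDC issuer URL (as reported by `aws eks describe-cluster`) into the
# provider id used in the IAM ARN and in the condition keys: strip the scheme
# and any trailing slash.
oidc_provider_from_issuer() {
    printf '%s\n' "$1" | sed -e 's#^https\{0,1\}://##' -e 's#/$##'
}

# Emit the trust policy JSON for the given account id and OIDC provider id.
# The sub condition restricts sts:AssumeRoleWithWebIdentity to the operator's
# serviceaccount, so other pods behind the same OIDC provider cannot assume it.
render_trust_policy() {
    account_id="$1"
    oidc_provider="$2"
    cat <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "${oidc_provider}:sub": "system:serviceaccount:${OPERATOR_NS}:${OPERATOR_SA}",
                    "${oidc_provider}:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
EOF
}

# Print (not execute) the command that binds the role ARN to the serviceaccount.
annotate_command() {
    printf 'kubectl -n %s annotate serviceaccount %s eks.amazonaws.com/role-arn=%s --overwrite\n' \
        "$OPERATOR_NS" "$OPERATOR_SA" "$1"
}

# Usage: sh irsa-trust.sh <account-id> <oidc-issuer-url>, e.g. with constructed values:
#   sh irsa-trust.sh 123456789012 https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123
if [ "$#" -eq 2 ]; then
    provider="$(oidc_provider_from_issuer "$2")"
    render_trust_policy "$1" "$provider"
    annotate_command "arn:aws:iam::$1:role/resource-booking-operator"
fi
```

Save the rendered JSON to a file and pass it as the trust policy when creating the role, then run the printed kubectl command and restart the operator pod so it picks up the new credentials.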


For a general guide on how to control resources with bookings, head over to Managing Resources.