
jtblin / kube2iam / 103

26 May 2025 05:45AM UTC coverage: 8.102%. Remained the same
103

push

circleci

Jerome Touffe-Blin
Trigger workflow on branches and tags (#390)

73 of 901 relevant lines covered (8.1%)

1.03 hits per line

Source File

0.0
/cmd/main.go
package main

import (
        "strings"

        log "github.com/sirupsen/logrus"
        "github.com/spf13/pflag"

        "github.com/jtblin/kube2iam/iam"
        "github.com/jtblin/kube2iam/iptables"
        "github.com/jtblin/kube2iam/server"
        "github.com/jtblin/kube2iam/version"
)

// addFlags registers every kube2iam command line flag on fs and binds each one
// to the matching field of s. Where a field of s is passed as the default, the
// value s already holds is kept unless the flag is given on the command line.
//
// Several flags change the security posture of the daemon (API token handling,
// TLS verification, fallback role, namespace restrictions); they are called out
// in the comments below.
func addFlags(s *server.Server, fs *pflag.FlagSet) {
	stringFlag, boolFlag, durationFlag := fs.StringVar, fs.BoolVar, fs.DurationVar

	// Kubernetes API server connection and pod cache.
	stringFlag(&s.APIServer, "api-server", s.APIServer, "Endpoint for the api server")
	// NOTE(review): a token given as a command line argument is visible in the
	// process's argument list on the host; treat the deployment manifest that
	// carries it as a secret.
	stringFlag(&s.APIToken, "api-token", s.APIToken, "Token to authenticate with the api server")
	// Turns off TLS verification of the API server. Defaults to false and, per
	// its own help text, is meant for testing only.
	boolFlag(&s.Insecure, "insecure", false, "Kubernetes server should be accessed without verifying the TLS. Testing only")
	stringFlag(&s.NodeName, "node", s.NodeName, "Name of the node where kube2iam is running")
	durationFlag(&s.CacheResyncPeriod, "cache-resync-period", s.CacheResyncPeriod, "Kubernetes caches resync period")
	boolFlag(&s.ResolveDupIPs, "resolve-duplicate-cache-ips", false, "Queries the k8s api server to find the source of truth when the pod cache contains multiple pods with the same IP")

	// HTTP listeners.
	stringFlag(&s.AppPort, "app-port", s.AppPort, "Kube2iam server http port")
	stringFlag(&s.MetricsPort, "metrics-port", s.MetricsPort, "Metrics server http port (default: same as kube2iam server port)")

	// IAM role resolution.
	stringFlag(&s.BaseRoleARN, "base-role-arn", s.BaseRoleARN, "Base role ARN")
	boolFlag(&s.AutoDiscoverBaseArn, "auto-discover-base-arn", false, "Queries EC2 Metadata to determine the base ARN")
	// The fallback role applies to every pod that carries no role annotation,
	// so it should be the least-privileged role available (or left unset).
	stringFlag(&s.DefaultIAMRole, "default-role", s.DefaultIAMRole, "Fallback role to use when annotation is not set")
	// With this flag main() uses the instance's own IAM role as that fallback.
	boolFlag(&s.AutoDiscoverDefaultRole, "auto-discover-default-role", false, "Queries EC2 Metadata to determine the default Iam Role and base ARN, cannot be used with --default-role, overwrites any previous setting for --base-role-arn")
	stringFlag(&s.IAMRoleKey, "iam-role-key", s.IAMRoleKey, "Pod annotation key used to retrieve the IAM role")
	stringFlag(&s.IAMExternalID, "iam-external-id", s.IAMExternalID, "Pod annotation key used to retrieve the IAM ExternalId")
	durationFlag(&s.IAMRoleSessionTTL, "iam-role-session-ttl", s.IAMRoleSessionTTL, "TTL for the assume role session")
	boolFlag(&s.UseRegionalStsEndpoint, "use-regional-sts-endpoint", false, "use the regional sts endpoint if AWS_REGION is set")
	durationFlag(&s.BackoffMaxInterval, "backoff-max-interval", s.BackoffMaxInterval, "Max interval for backoff when querying for role.")
	durationFlag(&s.BackoffMaxElapsedTime, "backoff-max-elapsed-time", s.BackoffMaxElapsedTime, "Max elapsed time for backoff when querying for role.")

	// Namespace restrictions are off unless explicitly enabled.
	boolFlag(&s.NamespaceRestriction, "namespace-restrictions", false, "Enable namespace restrictions")
	stringFlag(&s.NamespaceRestrictionFormat, "namespace-restriction-format", s.NamespaceRestrictionFormat, "Namespace Restriction Format (glob/regexp)")
	stringFlag(&s.NamespaceKey, "namespace-key", s.NamespaceKey, "Namespace annotation key used to retrieve the IAM roles allowed (value in annotation should be json array)")

	// EC2 metadata proxying and the optional iptables rule.
	stringFlag(&s.MetadataAddress, "metadata-addr", s.MetadataAddress, "Address for the ec2 metadata")
	boolFlag(&s.AddIPTablesRule, "iptables", false, "Add iptables rule (also requires --host-ip)")
	stringFlag(&s.HostInterface, "host-interface", "docker0", "Host interface for proxying AWS metadata")
	stringFlag(&s.HostIP, "host-ip", s.HostIP, "IP address of host")

	// Logging and diagnostics.
	// NOTE(review): what the debug features expose is not visible in this
	// file; confirm before enabling it outside a test cluster.
	boolFlag(&s.Debug, "debug", s.Debug, "Enable debug features")
	stringFlag(&s.LogFormat, "log-format", s.LogFormat, "Log format (text/json)")
	stringFlag(&s.LogLevel, "log-level", s.LogLevel, "Log level")
	boolFlag(&s.Verbose, "verbose", false, "Verbose")
	boolFlag(&s.Version, "version", false, "Print the version and exits")
}

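// main parses the command line, configures logging, validates and resolves the
// IAM settings, optionally installs the iptables rule and then runs the server.
// Every failure along the way is fatal.
func main() {
	s := server.NewServer()
	addFlags(s, pflag.CommandLine)
	pflag.Parse()

	logLevel, err := log.ParseLevel(s.LogLevel)
	if err != nil {
		log.Fatalf("%s", err)
	}
	// --verbose takes precedence over --log-level.
	if s.Verbose {
		logLevel = log.DebugLevel
	}
	log.SetLevel(logLevel)

	if strings.ToLower(s.LogFormat) == "json" {
		log.SetFormatter(&log.JSONFormatter{})
	}

	if s.Version {
		version.PrintVersionAndExit()
	}

	// Running without TLS verification should never go unnoticed: record it
	// in the log so that it shows up in log review and alerting.
	if s.Insecure {
		log.Warn("--insecure is set: the TLS certificate of the Kubernetes API server will not be verified; use for testing only")
	}

	// Only an ARN given on the command line is validated here; an
	// auto-discovered one (below) is taken as returned by the iam package.
	if s.BaseRoleARN != "" {
		if !iam.IsValidBaseARN(s.BaseRoleARN) {
			log.Fatalf("Invalid --base-role-arn specified, expected: %s", iam.ARNRegexp.String())
		}
		// Normalise to a trailing slash.
		if !strings.HasSuffix(s.BaseRoleARN, "/") {
			s.BaseRoleARN += "/"
		}
	}

	if s.AutoDiscoverBaseArn {
		if s.BaseRoleARN != "" {
			log.Fatal("--auto-discover-base-arn cannot be used if --base-role-arn is specified")
		}
		arn, err := iam.GetBaseArn()
		if err != nil {
			log.Fatalf("%s", err)
		}
		log.Infof("base ARN autodetected, %s", arn)
		s.BaseRoleARN = arn
	}

	// The discovered instance role becomes the default role, and the base ARN
	// is overwritten even when --base-role-arn was given (as the flag's help
	// text states). The help text of --default-role describes the default
	// role as the fallback used when the annotation is not set, so the
	// instance role should carry no more privilege than such a pod may have.
	if s.AutoDiscoverDefaultRole {
		if s.DefaultIAMRole != "" {
			log.Fatal("You cannot use --default-role and --auto-discover-default-role at the same time")
		}
		arn, err := iam.GetBaseArn()
		if err != nil {
			log.Fatalf("%s", err)
		}
		s.BaseRoleARN = arn
		instanceIAMRole, err := iam.GetInstanceIAMRole()
		if err != nil {
			log.Fatalf("%s", err)
		}
		s.DefaultIAMRole = instanceIAMRole
		log.Infof("Using instance IAMRole %s%s as default", s.BaseRoleARN, s.DefaultIAMRole)
	}

	// NOTE(review): the --iptables help text says --host-ip is also required;
	// that is not checked here, presumably iptables.AddRule enforces it —
	// confirm.
	if s.AddIPTablesRule {
		if err := iptables.AddRule(s.AppPort, s.MetadataAddress, s.HostInterface, s.HostIP); err != nil {
			log.Fatalf("%s", err)
		}
	}

	if err := s.Run(s.APIServer, s.APIToken, s.NodeName, s.Insecure); err != nil {
		log.Fatalf("%s", err)
	}
}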