Forem: Tuan Anh Tran The latest articles on Forem by Tuan Anh Tran (@tuananh_org). https://forem.com/tuananh_org https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F578635%2Fc68fc461-6e94-47ae-8462-4082260fa514.jpeg Forem: Tuan Anh Tran https://forem.com/tuananh_org en aws-cli v2: how much smaller can it get? Answer: a lot smaller :) Tuan Anh Tran Sun, 19 Mar 2023 16:54:26 +0000 https://forem.com/aws-builders/aws-cli-v2-how-much-smaller-can-it-get-answer-a-lot-smaller--22fl https://forem.com/aws-builders/aws-cli-v2-how-much-smaller-can-it-get-answer-a-lot-smaller--22fl <p>Pulling the official aws-cli image, I got a huge 374MB image.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> docker images | grep amazon amazon/aws-cli latest abb3d3272080 3 days ago 374MB </code></pre> </div> <p>It's rather big for a CLI and so I thought: "Maybe I can make it smaller".</p> <h2> Entering Wolfi </h2> <p>Wolfi is a project sponsored by Chainguard. Wolfi is described as:</p> <blockquote> <p><a href="https://github.com/wolfi-dev/" rel="noopener noreferrer">Wolfi</a> is a stripped-down distro designed for the cloud-native era.</p> </blockquote> <p>Well, you can think of it like Google's <a href="https://github.com/GoogleContainerTools/distroless" rel="noopener noreferrer">distroless</a>.</p> <p>The reason I want to select Wolfi is because of a bunch of reasons:</p> <ul> <li>Better SBOM support. Well, not all the SBOMs are created equally and what's better than building everything from sources and create SBOM from there.</li> <li>Multi-arch (amd64, arm64 are must but maybe armv7 as well?)</li> <li>Smaller image size.</li> <li>Signed and verifiable :)</li> <li>Secure. Let's aim for that sweet 0 CVE.</li> </ul> <h2> aws-cli v2 </h2> <p>aws-cli v2 is powered by a bunch of C project like <a href="https://github.com/awslabs/aws-c-http" rel="noopener noreferrer">aws-c-http</a>, <a href="https://github.com/awslabs/aws-c-auth" rel="noopener noreferrer">aws-c-auth</a>, etc... and so I need to package those first.</p> <p>What I don't quite understand is AWS's decision to still use Python as frontend for the CLI. And packaging Python packages is like going down the rabbit hole.</p> <p>I'm going to use <a href="https://github.com/chainguard-dev/melange" rel="noopener noreferrer">melange</a> for packaging. I write melange package's manifest in YAML and melange spits out APK file for me.</p> <p>Here's what a package build file looks like with melange</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">package</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-c-http</span> <span class="na">version</span><span class="pi">:</span> <span class="s">0.7.5</span> <span class="na">epoch</span><span class="pi">:</span> <span class="m">0</span> <span class="na">description</span><span class="pi">:</span> <span class="s">AWS C99 implementation of the HTTP/1.1 and HTTP/2 specifications</span> <span class="na">copyright</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">license</span><span class="pi">:</span> <span class="s">Apache-2.0</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="na">keyring</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://packages.wolfi.dev/os/wolfi-signing.rsa.pub</span> <span class="na">repositories</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://packages.wolfi.dev/os</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">@local</span><span class="nv"> </span><span class="s">./packages'</span> <span class="na">packages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">aws-c-cal-dev@local</span> <span class="pi">-</span> <span class="s">aws-c-common-dev@local</span> <span class="pi">-</span> <span class="s">aws-c-compression-dev@local</span> <span class="pi">-</span> <span class="s">aws-c-io-dev@local</span> <span class="pi">-</span> <span class="s">build-base</span> <span class="pi">-</span> <span class="s">busybox</span> <span class="pi">-</span> <span class="s">ca-certificates-bundle</span> <span class="pi">-</span> <span class="s">cmake</span> <span class="pi">-</span> <span class="s">s2n-tls-dev@local</span> <span class="pi">-</span> <span class="s">samurai</span> <span class="na">pipeline</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">fetch</span> <span class="na">with</span><span class="pi">:</span> <span class="na">expected-sha512</span><span class="pi">:</span> <span class="s">90bfd0abfce8727bd4ef6e9a016e6183c2c4349c2d6e4cc02b932f5109ceb3476d79b853e74ca4888b768f44eba9ae953ca5e9b900704a2a3370a200c0168c02</span> <span class="na">uri</span><span class="pi">:</span> <span class="s">https://github.com/awslabs/aws-c-http/archive/refs/tags/v${{package.version}}.tar.gz</span> <span class="pi">-</span> <span class="na">runs</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">if [ "$CBUILD" != "$CHOST" ]; then</span> <span class="s">CMAKE_CROSSOPTS="-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_HOST_SYSTEM_NAME=Linux"</span> <span class="s">fi</span> <span class="s">CFLAGS="$CFLAGS -flto=auto" \</span> <span class="s">CXXFLAGS="$CXXFLAGS -flto=auto" \</span> <span class="s">cmake -B build -G Ninja \</span> <span class="s">-DCMAKE_INSTALL_PREFIX=/usr \</span> <span class="s">-DCMAKE_INSTALL_LIBDIR=/usr/lib \</span> <span class="s">-DBUILD_SHARED_LIBS=True \</span> <span class="s">-DCMAKE_BUILD_TYPE=None \</span> <span class="s">-DBUILD_TESTING="$(want_check &amp;&amp; echo ON || echo OFF)" \</span> <span class="s">$CMAKE_CROSSOPTS</span> <span class="s">cmake --build build</span> <span class="pi">-</span> <span class="na">runs</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">DESTDIR="${{targets.destdir}}" cmake --install build</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">strip</span> <span class="na">subpackages</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-c-http-dev</span> <span class="na">pipeline</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">split/dev</span> <span class="pi">-</span> <span class="na">runs</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">mkdir -p "${{targets.subpkgdir}}"/usr/lib</span> <span class="s">mv "${{targets.destdir}}"/usr/lib/aws-c-http "${{targets.subpkgdir}}"/usr/lib/</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="na">runtime</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">aws-c-http</span> <span class="na">description</span><span class="pi">:</span> <span class="s">aws-c-http dev</span> </code></pre> </div> <p>I also need to package a bunch of Python libs like <code>py3-certifi</code>, <code>py3-distro</code>, etc... because they are not available on Wolfi yet.</p> <p>Once those are done, I just need to build <code>aws-cli</code> package, put those APK files in a final image with Chainguard's <a href="https://github.com/chainguard-dev/apko" rel="noopener noreferrer">apko</a>.</p> <h2> Preliminary result </h2> <p>The early result looks very promising. The final image is much smaller. 50% smaller to be precised. And I mean without any optimizations at all. I haven't even split the docs into their own packages yet.</p> <p>Let's look at it.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqnnb6d3ntoxeh290id5h.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqnnb6d3ntoxeh290id5h.png" alt="new aws-cli image size"></a></p> <p>186MB vs the original 374MB. A whooping 188MB stripped off from the official aws-cli image. That's 50% size reduction.</p> <p>Are you sure it's even working :D</p> <h2> Final </h2> <p>I haven't quite done with it yet but you can try it by pulling <code>ghcr.io/tuananh/aws-cli</code>.</p> <p>For now, it's still very much work-in-progress so expect things may break here and there :)</p> aws cli AWS - The YAML Way Tuan Anh Tran Tue, 19 Oct 2021 06:47:08 +0000 https://forem.com/aws-builders/aws-the-yaml-way-3kgh https://forem.com/aws-builders/aws-the-yaml-way-3kgh <p>Originally posted <a href="https://github.com/tuananh/aws-the-yaml-way" rel="noopener noreferrer">here on GitHub</a></p> <h1> AWS - The YAML way </h1> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ca35vharbyak3kgv0ef.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ca35vharbyak3kgv0ef.jpg" alt="aws - the yaml way"></a></p> <h2> Motivation </h2> <ol> <li>I want to manage AWS infrastructure with YAML</li> <li>I want to use Kubernetes RBAC for authorization</li> <li>I want to be able to defines rules to govern my cloud resources</li> </ol> <h2> But why? </h2> <p>Why not :)</p> <h2> How? </h2> <ul> <li>For (1), there's <a href="https://aws.amazon.com/blogs/containers/aws-controllers-for-kubernetes-ack/" rel="noopener noreferrer">AWS Controllers for Kubernetes</a> (ACK) or maybe <a href="https://crossplane.io/" rel="noopener noreferrer">Crossplane</a> </li> <li>For (2), it's quite straight forward. If we can express AWS resources using Kubernetes CRDs, then it's done.</li> <li>For (3), I'm thinking <a href="https://kyverno.io/" rel="noopener noreferrer">Kyverno</a> or <a href="https://www.openpolicyagent.org" rel="noopener noreferrer">OpenPolicyAgent</a>.</li> </ul> <h2> Let's do it </h2> <h3> Setup the env </h3> <p>I will skip the part where you setup AWS CLI and an EKS cluster Suppose that is all set and done. If not, follow the brief instructions below to setup a new EKS cluster. The easiest way IMO is to use <a href="https://eksctl.io/" rel="noopener noreferrer">eksctl</a> from Weaveworks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 create-key-pair <span class="nt">--region</span> ap-southeast-1 <span class="nt">--key-name</span> my-yaml-eks-key eksctl create cluster <span class="se">\</span> <span class="nt">--name</span> my-yaml-eks <span class="se">\</span> <span class="nt">--region</span> ap-southeast-1 <span class="se">\</span> <span class="nt">--with-oidc</span> <span class="se">\</span> <span class="nt">--ssh-access</span> <span class="se">\</span> <span class="nt">--ssh-public-key</span> my-yaml-eks-key <span class="se">\</span> <span class="nt">--managed</span> </code></pre> </div> <p>Wait for a bit for the cluster to be provisioned.</p> <p>There will be 2 CloudFormation stacks being provisioned so it might take awhile. If something goes wrong (disconnection, etc..), you can check with this command below<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>eksctl utils describe-stacks <span class="nt">--region</span><span class="o">=</span>ap-southeast-1 <span class="nt">--cluster</span><span class="o">=</span>my-yaml-eks </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>2021-10-18 22:35:28 <span class="o">[</span>ℹ] eksctl version 0.70.0 2021-10-18 22:35:28 <span class="o">[</span>ℹ] using region ap-southeast-1 2021-10-18 22:35:29 <span class="o">[</span>ℹ] setting availability zones to <span class="o">[</span>ap-southeast-1a ap-southeast-1b ap-southeast-1c] 2021-10-18 22:35:29 <span class="o">[</span>ℹ] subnets <span class="k">for </span>ap-southeast-1a - public:192.168.0.0/19 private:192.168.96.0/19 2021-10-18 22:35:29 <span class="o">[</span>ℹ] subnets <span class="k">for </span>ap-southeast-1b - public:192.168.32.0/19 private:192.168.128.0/19 2021-10-18 22:35:29 <span class="o">[</span>ℹ] subnets <span class="k">for </span>ap-southeast-1c - public:192.168.64.0/19 private:192.168.160.0/19 2021-10-18 22:35:29 <span class="o">[</span>ℹ] nodegroup <span class="s2">"ng-5c441b7d"</span> will use <span class="s2">""</span> <span class="o">[</span>AmazonLinux2/1.20] 2021-10-18 22:35:29 <span class="o">[</span>ℹ] using EC2 key pair %!q<span class="o">(</span><span class="k">*</span><span class="nv">string</span><span class="o">=</span>&lt;nil&gt;<span class="o">)</span> 2021-10-18 22:35:29 <span class="o">[</span>ℹ] using Kubernetes version 1.20 2021-10-18 22:35:29 <span class="o">[</span>ℹ] creating EKS cluster <span class="s2">"my-yaml-eks"</span> <span class="k">in</span> <span class="s2">"ap-southeast-1"</span> region with managed nodes 2021-10-18 22:35:29 <span class="o">[</span>ℹ] will create 2 separate CloudFormation stacks <span class="k">for </span>cluster itself and the initial managed nodegroup 2021-10-18 22:35:29 <span class="o">[</span>ℹ] <span class="k">if </span>you encounter any issues, check CloudFormation console or try <span class="s1">'eksctl utils describe-stacks --region=ap-southeast-1 --cluster=my-yaml-eks'</span> 2021-10-18 22:35:29 <span class="o">[</span>ℹ] CloudWatch logging will not be enabled <span class="k">for </span>cluster <span class="s2">"my-yaml-eks"</span> <span class="k">in</span> <span class="s2">"ap-southeast-1"</span> 2021-10-18 22:35:29 <span class="o">[</span>ℹ] you can <span class="nb">enable </span>it with <span class="s1">'eksctl utils update-cluster-logging --enable-types={SPECIFY-YOUR-LOG-TYPES-HERE (e.g. all)} --region=ap-southeast-1 --cluster=my-yaml-eks'</span> 2021-10-18 22:35:29 <span class="o">[</span>ℹ] Kubernetes API endpoint access will use default of <span class="o">{</span><span class="nv">publicAccess</span><span class="o">=</span><span class="nb">true</span>, <span class="nv">privateAccess</span><span class="o">=</span><span class="nb">false</span><span class="o">}</span> <span class="k">for </span>cluster <span class="s2">"my-yaml-eks"</span> <span class="k">in</span> <span class="s2">"ap-southeast-1"</span> 2021-10-18 22:35:29 <span class="o">[</span>ℹ] 2 sequential tasks: <span class="o">{</span> create cluster control plane <span class="s2">"my-yaml-eks"</span>, 2 sequential sub-tasks: <span class="o">{</span> 4 sequential sub-tasks: <span class="o">{</span> <span class="nb">wait </span><span class="k">for </span>control plane to become ready, associate IAM OIDC provider, 2 sequential sub-tasks: <span class="o">{</span> create IAM role <span class="k">for </span>serviceaccount <span class="s2">"kube-system/aws-node"</span>, create serviceaccount <span class="s2">"kube-system/aws-node"</span>, <span class="o">}</span>, restart daemonset <span class="s2">"kube-system/aws-node"</span>, <span class="o">}</span>, create managed nodegroup <span class="s2">"ng-5c441b7d"</span>, <span class="o">}</span> <span class="o">}</span> 2021-10-18 22:35:29 <span class="o">[</span>ℹ] building cluster stack <span class="s2">"eksctl-my-yaml-eks-cluster"</span> 2021-10-18 22:35:30 <span class="o">[</span>ℹ] deploying stack <span class="s2">"eksctl-my-yaml-eks-cluster"</span> </code></pre> </div> <p>Once it's done. Make sure the cluster is accessible</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvfpkjt3pyduqvf0woeiq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvfpkjt3pyduqvf0woeiq.png" alt="Image description"></a></p> <h3> Setup Crossplane </h3> <p>At first, I plan to use <a href="https://aws.amazon.com/blogs/containers/aws-controllers-for-kubernetes-ack/" rel="noopener noreferrer">ACK</a> but then I remember a friend of mine talked about Crossplane the other day so I want to give it a try. Bonus point, it works with multiple cloud providers :)</p> <p>I'm going to use Helm so make sure you have it installed. Simply follow the official <a href="https://crossplane.io/docs/v1.4/getting-started/install-configure.html" rel="noopener noreferrer">installation instructions on Crossplane website here</a>.</p> <p>As of this post, <code>1.4.1</code> is the latest chart version.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create namespace crossplane-system helm repo add crossplane-stable https://charts.crossplane.io/stable helm repo update helm <span class="nb">install </span>crossplane <span class="nt">--namespace</span> crossplane-system crossplane-stable/crossplane <span class="nt">--version</span> 1.4.1 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME: crossplane LAST DEPLOYED: Mon Oct 18 23:05:25 2021 NAMESPACE: crossplane-system STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: Release: crossplane Chart Name: crossplane Chart Description: Crossplane is an open source Kubernetes add-on that enables platform teams to assemble infrastructure from multiple vendors, and expose higher level self-service APIs for application teams to consume. Chart Version: 1.4.1 Chart Application Version: 1.4.1 Kube Version: v1.20.7-eks-d88609 </code></pre> </div> <p>Check the status<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm list <span class="nt">-n</span> crossplane-system kubectl get all <span class="nt">-n</span> crossplane-system </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyuft91257kzrckol30k0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyuft91257kzrckol30k0.png" alt="Image description"></a></p> <p>Also, make sure to install the Crossplane CLI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-sL</span> https://raw.githubusercontent.com/crossplane/crossplane/master/install.sh | sh </code></pre> </div> <h3> Setup Crossplane provider for AWS </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">pkg.crossplane.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Provider</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">provider-aws</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">package</span><span class="pi">:</span> <span class="s">crossplane/provider-aws:alpha</span> </code></pre> </div> <p>After the provider is ready, apply the following next. You need to do this in 2 steps because otherwise, <code>ProviderConfig</code> kind is unknown.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[default]</span> <span class="s">aws_access_key_id = &lt;your-aws-access-key-id&gt;</span> <span class="s">aws_secret_access_key = &lt;your-aws-secret-access-key&gt;</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">creationTimestamp</span><span class="pi">:</span> <span class="kc">null</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-credentials</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">aws.crossplane.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ProviderConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-provider-config</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">credentials</span><span class="pi">:</span> <span class="na">source</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">secretRef</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">crossplane-system</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-credentials</span> <span class="na">key</span><span class="pi">:</span> <span class="s">config</span> </code></pre> </div> <p>Check the status of the provider<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get providers </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzevzk00ow257hhqco54d.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzevzk00ow257hhqco54d.png" alt="Image description"></a></p> <h3> Let's try to create some resources on AWS </h3> <p>Let's do a S3 bucket first. Make sure you do a random bucket name so that it won't conflict with an existing bucket.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">s3.aws.crossplane.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Bucket</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-bucket-1923981293819238</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">providerConfigRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-provider-config</span> <span class="na">forProvider</span><span class="pi">:</span> <span class="na">locationConstraint</span><span class="pi">:</span> <span class="s">ap-southeast-1</span> <span class="na">acl</span><span class="pi">:</span> <span class="s">private</span> </code></pre> </div> <p>After a few seconds, the resource status will change to <code>Ready</code> and <code>Synced</code>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4mrvan6r4epsha7beigi.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4mrvan6r4epsha7beigi.png" alt="Image description"></a></p> <p>So that's cool. What's next? Let's trying to use OPA or Kyverno to set some rules for our newly created resources.</p> <h3> Setup Kyverno </h3> <p>I'm gonna go with Kyverno here. No particular reason. I just feel OPA is too mainstream. The concept with OPA is similar. You can take it as homework for your lab session.</p> <p>Let's install Kyverno with Helm<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add kyverno https://kyverno.github.io/kyverno/ helm repo update helm <span class="nb">install </span>kyverno-crds kyverno/kyverno-crds <span class="nt">--namespace</span> kyverno <span class="nt">--create-namespace</span> helm <span class="nb">install </span>kyverno kyverno/kyverno <span class="nt">--namespace</span> kyverno </code></pre> </div> <p>Now, let's write a simple policy. Say, we don't want to allow creating S3 bucket anywhere except in <code>ap-southeast-1</code> region.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kyverno.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">allow-s3-ap-southeast-1-only</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">pod-policies.kyverno.io/autogen-controllers</span><span class="pi">:</span> <span class="s">none</span> <span class="na">policies.kyverno.io/title</span><span class="pi">:</span> <span class="s">Allow creating S3 bucket in ap-southeast-1 only</span> <span class="na">policies.kyverno.io/subject</span><span class="pi">:</span> <span class="s">Bucket</span> <span class="na">policies.kyverno.io/description</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">Allow creating S3 bucket in ap-southeast-1 only</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">validationFailureAction</span><span class="pi">:</span> <span class="s">enforce</span> <span class="na">background</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">s3-in-ap-southeast-1-only</span> <span class="na">match</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Bucket</span> <span class="na">validate</span><span class="pi">:</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Using</span><span class="nv"> </span><span class="s">any</span><span class="nv"> </span><span class="s">location</span><span class="nv"> </span><span class="s">other</span><span class="nv"> </span><span class="s">than</span><span class="nv"> </span><span class="s">`ap-southeast-1`</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">allowed"</span> <span class="na">pattern</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">forProvider</span><span class="pi">:</span> <span class="na">locationConstraint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ap-southeast-1"</span> </code></pre> </div> <p>Now, let's try to create a S3 bucket in <code>us-east-1</code> region. You will be blocked by the admission controller.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># bad-s3.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">s3.aws.crossplane.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Bucket</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-bucket-091289310923801928309123</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">providerConfigRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-provider-config</span> <span class="na">forProvider</span><span class="pi">:</span> <span class="na">locationConstraint</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">acl</span><span class="pi">:</span> <span class="s">private</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create <span class="nt">-f</span> bad-s3.yaml </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc6537sl67749riahz6cs.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc6537sl67749riahz6cs.png" alt="Image description"></a></p> <p>Now, the policy we have here is very simple but you can do all kind of stuff with Kyverno cluster policy. It would be a cool weekend hack to convert all rules you have currently to Kyverno cluster policy. That sounds like tons of fun :)</p> <h2> Conclusion </h2> <p>I'm not going to tell you should start doing this but it's a feasible way of managing infrastructure at small scale.</p> <p>Also with the release of AWS Cloud Control API, the resources model is very close with the Kubernetes resources model now. I'm expecting ACK to get much much better.</p> <p>Have fun hacking AWS :)</p> aws devops kubernetes