Pass Domain through on EKS Provision for Route53 Permissions #115
Comments
Let us revisit EKS design, specifically as it pertains to components: master, workers, security, and authz. The initial (first glance) thought, I don't think we should assume that all EKS clusters will be configured with
Fully agree, by configurable in this ticket I would expect that no
permission would be granted to manage any domain if the domain wasn’t set
and that domain would be optional.
…On Fri, May 24, 2019 at 1:01 AM Illya Chekrygin ***@***.***> wrote:
Let us revisit EKS design, specifically as it pertains to components:
master, workers, security, and authz.
The initial (first glance) thought, I don't think we should assume that all
EKS clusters will be configured with External-DNS by default, hence, if
this issue is driven primarily by this use case then I think we should
carefully consider ramifications. I am not opposed to entertaining the
possibilities of provisioning all EKS clusters (or all managed Kubernetes
Clusters) with External-DNS support by default, but I think this topic
warrants a wider discussion scope.
Not relevant anymore.
When we provision an EKS cluster, we create a Route53NodeInstancePolicy in our CloudFormation script that allows full access from the node to administer the Route53 records.
See: https://github.com/crossplaneio/crossplane/blob/3bc975537fe11b104779c0deac5d57ed8bf53bd2/pkg/clients/aws/eks/eks.go#L252
Note configuration notes here:
https://github.com/kubernetes-incubator/external-dns/blob/master/docs/tutorials/aws.md
We should improve the security model by limiting to the domain that the cluster should operate on:
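One way to express the scoping this thread asks for, as an added example that is not Crossplane's code: the node role gets Route 53 record access for a single hosted zone, and no Route 53 permissions at all when no zone is configured. It assumes the domain has already been resolved to its hosted zone ID; `Route53Statements`, `zoneIDPattern` and the sample zone ID are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Statement is one entry of an IAM policy document.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}

// Assumed shape of a hosted zone ID; rejects "*", "/" and other ARN metacharacters.
var zoneIDPattern = regexp.MustCompile(`^[A-Z0-9]{1,32}$`)

// Route53Statements (hypothetical helper) returns the Route 53 statements for
// the node role. An empty zoneID means no domain was configured, so nothing is granted.
func Route53Statements(zoneID string) ([]Statement, error) {
	if zoneID == "" {
		return nil, nil
	}
	if !zoneIDPattern.MatchString(zoneID) {
		return nil, fmt.Errorf("invalid hosted zone ID %q", zoneID)
	}
	zoneARN := "arn:aws:route53:::hostedzone/" + zoneID
	return []Statement{
		// Record reads and writes are limited to the one zone.
		{Effect: "Allow", Action: []string{"route53:ChangeResourceRecordSets",
			"route53:ListResourceRecordSets"}, Resource: []string{zoneARN}},
		// ListHostedZones has no resource-level scoping, so it stays on "*".
		{Effect: "Allow", Action: []string{"route53:ListHostedZones"},
			Resource: []string{"*"}},
	}, nil
}

func main() {
	stmts, err := Route53Statements("Z0EXAMPLE12345") // constructed zone ID
	if err != nil {
		panic(err)
	}
	doc := map[string]interface{}{"Version": "2012-10-17", "Statement": stmts}
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
}
```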