csi: add required policies for aws csi driver #1945
✅ Deploy Preview for constellation-docs canceled.
|
resource "aws_iam_role_policy_attachment" "csi_driver_policy_worker" { | ||
role = aws_iam_role.worker_node_role.name | ||
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" | ||
} | ||
|
||
// TODO(msanft): incorporate this into the custom worker node policy |
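Review bot: the TODO after `csi_driver_policy_worker` does not say whether the follow-up is meant to narrow the permissions or only to merge them into the custom policy, and that decides whether the attachment should stay. As written, the worker node role takes the AWS-managed `AmazonEBSCSIDriverPolicy` wholesale, so its effective permissions follow whatever AWS publishes under that ARN and apply to the whole node role rather than to the CSI driver alone. Suggest stating the intent in the TODO or linking a tracking issue, and, if least privilege is the goal, listing the EBS actions the driver needs in the custom worker node policy instead of attaching the managed one.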
// TODO(msanft): incorporate this into the custom worker node policy | |
// TODO(msanft): incorporate this into the custom control-plane node policy |
By "incorporate into custom policy", do you mean to extract the permissions from the managed AWS-CSI role and add the permissions to our role?
Exactly. I think we should add this to the minimal permission set we define for all CSPs.
The one that we document, that's used in the CI, etc.
Do you think it is something worth doing because the managed role provides excess permissions, or is it just to combine permissions into one?
If it's the latter, I would argue against it and keep the current way of attaching the role, as this guarantees the role to always have the correct permissions for CSI.
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Slight title change for changelog readability.
Context
Proposed change(s)
Additional info
Checklist