IRSA well known policies for Amazon EFS CSI dynamic provisioning #3671

Closed
ruzickap opened this issue May 8, 2021 · 3 comments · Fixed by #3777

ruzickap commented May 8, 2021

What feature/behavior/change do you want?
It would be handy to have IRSA well known policies for "Amazon EFS CSI dynamic provisioning" described here: https://aws.amazon.com/blogs/containers/introducing-efs-csi-dynamic-provisioning/

Policy file: https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/v1.2.0/docs/iam-policy-example.json

Currently I need to configure eksctl this way to have it enabled:

```yaml
iam:
  serviceAccounts:
    - metadata:
        name: efs-csi-controller-sa
        namespace: kube-system
      attachPolicy:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Action:
          - elasticfilesystem:DescribeAccessPoints
          - elasticfilesystem:DescribeFileSystems
          Resource: "*"
        - Effect: Allow
          Action:
          - elasticfilesystem:CreateAccessPoint
          Resource: "*"
          Condition:
            StringLike:
              aws:RequestTag/efs.csi.aws.com/cluster: true
        - Effect: Allow
          Action: elasticfilesystem:DeleteAccessPoint
          Resource: "*"
          Condition:
            StringEquals:
              aws:ResourceTag/efs.csi.aws.com/cluster: true
```

It would be nice to have well known policies instead, for example:

```yaml
iam:
  serviceAccounts:
    - metadata:
        name: efs-csi-controller-sa
        namespace: kube-system
      wellKnownPolicies:
        efsCSIController: true
```

Why do you want this feature?

To make it easier to configure Amazon EFS CSI dynamic provisioning.
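
A check a reviewer could run before granting this policy through IRSA, as an added example that is not part of the original issue or of eksctl: it flags any Allow statement that permits creating or deleting EFS access points without the `efs.csi.aws.com/cluster` tag condition used in the policy above. The function name `unguarded_actions` and the Python transcription of the policy are assumptions made for this example; it checks only that the condition key is present, not its operator or value.

```python
from fnmatch import fnmatchcase

TAG = "efs.csi.aws.com/cluster"  # tag key used by the policy in the issue
# Access-point mutations and the condition key the issue's policy scopes each with.
GUARDED = {
    "elasticfilesystem:CreateAccessPoint": f"aws:RequestTag/{TAG}",
    "elasticfilesystem:DeleteAccessPoint": f"aws:ResourceTag/{TAG}",
}

# attachPolicy document from the issue, transcribed to a Python dict.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["elasticfilesystem:DescribeAccessPoints",
                    "elasticfilesystem:DescribeFileSystems"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["elasticfilesystem:CreateAccessPoint"],
         "Condition": {"StringLike": {f"aws:RequestTag/{TAG}": True}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": "elasticfilesystem:DeleteAccessPoint",
         "Condition": {"StringEquals": {f"aws:ResourceTag/{TAG}": True}}},
    ],
}

def as_list(value):
    # IAM allows a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def unguarded_actions(policy):
    """Return (statement index, action) pairs allowed without the tag condition."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Condition keys present under any operator; key names are case-insensitive.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for pattern in as_list(stmt.get("Action", [])):
            for action, required in GUARDED.items():
                # Action patterns may use wildcards such as elasticfilesystem:*.
                if fnmatchcase(action.lower(), pattern.lower()) and required.lower() not in keys:
                    findings.append((i, action))
    return findings

if __name__ == "__main__":
    print(unguarded_actions(PAGE_POLICY))
    # Constructed counter-example: a wildcard grant with no tag scoping.
    wide = {"Statement": {"Effect": "Allow", "Action": "elasticfilesystem:*", "Resource": "*"}}
    print(unguarded_actions(wide))
```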

ruzickap added the kind/feature label May 8, 2021
@aclevername
Contributor

Hey @ruzickap, that sounds reasonable. Would you be willing to work on a PR to add it :D? If not, we will add it to our backlog of work 😄

@ruzickap
Author

Hello

I'm sorry, but I don't know Go well enough to code it. I saw a very similar PR here: #3518, but I cannot do it.
Please put it in the backlog...

Thank you

@nikimanoledaki
Contributor

Hi @ruzickap, the well-known policies for the EFS CSI driver will be included in today's release of eksctl 0.53! 😊

Thanks for raising this and please let us know if there is any issue or if we can help with anything else.
