feat: kube2iam/kiam/kube-aws-iam-controller support #398

Closed
mumoshu opened this issue Jan 6, 2019 · 3 comments
Comments

@mumoshu
Contributor

mumoshu commented Jan 6, 2019

As described in https://github.com/weaveworks/eksctl/pull/381/files#r245498323, a feature that eases deploying kube2iam/kiam/kube-aws-iam-controller would be good to have.

Adding a flag like --assume-role-access alone is an incomplete solution to the problem, because making apps like kube2iam work also requires you to set the correct trust relationship (or assume-role policy document) on the roles "assumed by" the instance role.

Adding a feature to eksctl that modifies assumed roles seems overkill and out-of-scope of the project.

Instead, I propose either of the following:

  1. A flag like --instance-role that accepts an existing instance role ARN. Also, an eksctl command that produces a CFN stack template containing the default eksctl instance role would help.
  2. Add --assume-role-access or --instance-role-policy-arns, and improve eksctl get nodegroup to print the nodegroup info, containing the instance role ARN, in a data format that helps integration with other tools. JSON would work.
@mumoshu
Contributor Author

mumoshu commented Jan 9, 2019

The third possible solution would be to add --assume-role-access/--node-role-policy-arns and --node-role-name. --node-role-name specifies the name of the node role created by eksctl. This is not for reusing an existing role, but for specifying the exact name of the role to be created by eksctl.

As the role name is then known beforehand, you can establish a trust relationship containing the role name before creating the cluster, which simplifies the setup when you use kube2iam/kiam/kube-aws-iam-controller.

The implementation can be done in CFN stack templates by setting RoleName for IAM Role resources, as kube-aws does.
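The trust relationship described in the comment above, as an added example that is not part of this issue or of eksctl's code: once the node role name is fixed ahead of time, a pod role's assume-role policy document can name that role as its only trusted principal before the cluster exists, and the same helper audits an existing document for principals broader than the node role (an account `:root` or `*` principal lets far more than the nodes assume the pod role). The account id, role name and policy documents are constructed placeholders.

```python
"""Build and audit the trust policy of a role that only the EKS node role may assume."""
import json

# Constructed placeholders, not values from the eksctl project.
ACCOUNT_ID = "123456789012"
NODE_ROLE_NAME = "eksctl-demo-nodegroup-NodeInstanceRole"


def node_role_arn(account_id: str, role_name: str) -> str:
    """ARN of the node role; predictable once --node-role-name fixes the name."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_trust_policy(trusted_role_arn: str) -> dict:
    """Assume-role policy document for a pod role that only the given role may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": trusted_role_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_principals(policy: dict) -> set:
    """Collect every AWS principal that an Allow statement lets call sts:AssumeRole."""
    principals = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not ({"sts:assumerole", "sts:*", "*"} & actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anonymous principal, the broadest possible grant
            principals.add("*")
            continue
        for p in _as_list(principal.get("AWS", [])):
            principals.add(p)
    return principals


def audit_trust_policy(policy: dict, expected_arn: str) -> list:
    """Findings for a trust policy that should trust exactly the named node role."""
    findings = []
    principals = assume_role_principals(policy)
    if expected_arn not in principals:
        findings.append(f"expected principal {expected_arn} is not trusted")
    for p in sorted(principals - {expected_arn}):
        if p == "*" or p.endswith(":root"):
            findings.append(f"over-broad principal {p}: any identity in that scope may assume the role")
        else:
            findings.append(f"unexpected principal {p}")
    return findings


if __name__ == "__main__":
    arn = node_role_arn(ACCOUNT_ID, NODE_ROLE_NAME)
    good = build_trust_policy(arn)
    print(json.dumps(good, indent=2))
    print("findings:", audit_trust_policy(good, arn))
    # Constructed over-broad variant: trusts the whole account instead of the node role.
    broad = build_trust_policy(f"arn:aws:iam::{ACCOUNT_ID}:root")
    print("findings:", audit_trust_policy(broad, arn))
```

Run it with no arguments to print the policy document for the constructed node role ARN and the findings for both variants. Fixing the role name is what makes `build_trust_policy` usable before `eksctl create cluster` runs; without it, the generated role name is only known after the stack exists.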

@mumoshu
Contributor Author

mumoshu commented Jan 9, 2019

--assume-role-access MAY become unnecessary after AWS ships the official pod IAM role support (aws/containers-roadmap#23 ETA though).

--node-role-policy-arns has a wider range of use-cases, like giving whatever IAM permissions to pods without depending on kube2iam, e.g. hostNetwork pods.

Then, it may make more sense to add --node-role-policy-arns along with --node-role-name for maximum productivity :)

mumoshu added a commit to mumoshu/eksctl that referenced this issue Jan 9, 2019
This adds two flags and one nodegroup config key to `eksctl`:

- `--node-role-policies` for additional IAM policies added to the eksctl-managed node role.
  This just exposes the existing configuration key `attachPolicyARNs` for a little ease-of-use, like other advanced flags.
- `--node-role-name` for specifying the exact name of the IAM role for nodes, as well as the corresponding nodegroup config key `instanceRoleName`.

Resolves eksctl-io#398
@mumoshu
Contributor Author

mumoshu commented Jan 9, 2019

Submitted a pull request for this #411.

This is slightly off-topic but I'm pretty sure that you can use --node-role-policies solely, without deploying kube2iam, when and only when you don't do multi-tenancy.

This isn't perfect but still allows you to give your pods minimum privilege, without needing to deploy and operate an AWS IAM integration of your choice.

mumoshu added a commit to mumoshu/eksctl that referenced this issue Jan 9, 2019
mumoshu added a commit to mumoshu/eksctl that referenced this issue Jan 11, 2019
mumoshu added a commit to mumoshu/eksctl that referenced this issue Jan 13, 2019
mumoshu added a commit to mumoshu/eksctl that referenced this issue Jan 16, 2019
This adds two flags and one nodegroup config key to `eksctl`:

- `--node-role-policies` for replacing the whole set of IAM policies associated to the eksctl-managed node role.
  This just exposes the existing configuration key `attachPolicyARNs` for a little ease-of-use, like other advanced flags.
- `--node-role-name` for specifying the exact name of the IAM role for nodes, as well as the corresponding nodegroup config key `instanceRoleName`. This implicitly enables the `NamedIAM` cfn capability.

Resolves eksctl-io#398
mumoshu added a commit to mumoshu/eksctl that referenced this issue Jan 17, 2019
This adds two flags and one nodegroup config key to `eksctl`:

- `--node-role-policies` for replacing the whole set of IAM policies associated to the eksctl-managed node role.
  This just exposes the existing configuration key `attachPolicyARNs` for a little ease-of-use, like other advanced flags.
- `--node-role-name` for specifying the exact name of the IAM role for nodes, as well as the corresponding nodegroup config key `instanceRoleName`. This implicitly enables the `NamedIAM` cfn capability.

The flags are marked hidden so that they are not shown in the command help. This is done to make it easier to remove them in the near future.

Resolves eksctl-io#398
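An added example, not eksctl's own code, of how the two config keys in the commit message above map onto a CloudFormation role resource, and of the single-tenant caveat from the earlier comment on `--node-role-policies`: `instanceRoleName` becomes `RoleName`, which is what moves the stack from `CAPABILITY_IAM` to `CAPABILITY_NAMED_IAM`, and `attachPolicyARNs` becomes the complete `ManagedPolicyArns` list, so whatever the node itself needs has to be listed again when the set is replaced, and every pod on that node inherits the whole set through the instance credentials. The template, role name and policy ARN list are constructed sample input; the capability rule is CloudFormation's documented behaviour for IAM resources with custom names.

```python
"""Map eksctl nodegroup IAM config keys onto a CFN role and compute the stack capability."""
import json

# IAM resource types that need an IAM capability. The value is the property that gives
# the resource a custom name and therefore forces CAPABILITY_NAMED_IAM; None means the
# type has no custom-name property and CAPABILITY_IAM suffices.
IAM_NAME_PROPERTY = {
    "AWS::IAM::Role": "RoleName",
    "AWS::IAM::User": "UserName",
    "AWS::IAM::Group": "GroupName",
    "AWS::IAM::ManagedPolicy": "ManagedPolicyName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
    "AWS::IAM::Policy": None,      # inline policy
    "AWS::IAM::AccessKey": None,
}

# Trust policy letting EC2 instances (the nodes) assume the node role.
EC2_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}
    ],
}

# Constructed sample attachPolicyARNs: the AWS managed policies a worker node itself
# needs. Because the key replaces the whole set, omitting them breaks the node.
SAMPLE_ATTACH_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
]


def node_role_resource(instance_role_name=None, attach_policy_arns=()):
    """AWS::IAM::Role for a nodegroup; RoleName is set only when the config fixes the name."""
    props = {
        "AssumeRolePolicyDocument": EC2_TRUST,
        "ManagedPolicyArns": list(attach_policy_arns),   # the full set, not an addition
    }
    if instance_role_name:
        props["RoleName"] = instance_role_name
    return {"Type": "AWS::IAM::Role", "Properties": props}


def nodegroup_template(instance_role_name=None, attach_policy_arns=()):
    """Minimal stack template holding just the node role (hypothetical logical id)."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {"NodeInstanceRole": node_role_resource(instance_role_name, attach_policy_arns)},
    }


def required_capability(template):
    """Capability a create/update-stack call needs for this template, or None."""
    capability = None
    for resource in template.get("Resources", {}).values():
        rtype = resource.get("Type")
        if rtype not in IAM_NAME_PROPERTY:
            continue
        name_prop = IAM_NAME_PROPERTY[rtype]
        if name_prop and name_prop in resource.get("Properties", {}):
            return "CAPABILITY_NAMED_IAM"   # custom name: the stronger capability is mandatory
        capability = "CAPABILITY_IAM"
    return capability


if __name__ == "__main__":
    for name in (None, "eksctl-demo-nodegroup-NodeInstanceRole"):
        tmpl = nodegroup_template(name, SAMPLE_ATTACH_POLICY_ARNS)
        print(json.dumps(tmpl, indent=2))
        print("stack operation needs:", required_capability(tmpl))
```

The first template printed (no `instanceRoleName`) only needs `CAPABILITY_IAM`; the second, with `RoleName` set, needs `CAPABILITY_NAMED_IAM`, which is the implicit capability change the commit message mentions. Anything beyond the three node policies added to `attachPolicyARNs` is reachable from every pod scheduled on those nodes, which is why the earlier comment restricts the approach to single-tenant clusters.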
mumoshu added a commit to mumoshu/eksctl that referenced this issue Jan 17, 2019
torredil pushed a commit to torredil/eksctl that referenced this issue May 20, 2022