Add support for well known policies with IRSA #3045
Changes from 5 commits
30a5983
0347704
fa4f8f6
7cd2224
a0e0b0e
ac7bc9d
d364084
bc5daf0
5260127
@@ -0,0 +1,25 @@ | ||
package v1alpha5 | ||
|
||
// WellKnownPolicies for attaching common IAM policies | ||
type WellKnownPolicies struct { | ||
// ImageBuilder allows for full ECR (Elastic Container Registry) access. | ||
ImageBuilder bool `json:"imageBuilder,inline"` | ||
// AutoScaler adds policies for cluster-autoscaler. See [autoscaler AWS | ||
// docs](https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html). | ||
AutoScaler bool `json:"autoScaler,inline"` | ||
// AWSLoadBalancerController adds policies for using the | ||
// aws-load-balancer-controller. See [Load Balancer | ||
// docs](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html). | ||
AWSLoadBalancerController bool `json:"awsLoadBalancerController,inline"` | ||
// ExternalDNS adds external-dns policies for Amazon Route 53. | ||
// See [external-dns | ||
// docs](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md). | ||
ExternalDNS bool `json:"externalDNS,inline"` | ||
// CertManager adds cert-manager policies. See [cert-manager | ||
// docs](https://cert-manager.io/docs/configuration/acme/dns01/route53). | ||
CertManager bool `json:"certManager,inline"` | ||
} | ||
|
||
func (p *WellKnownPolicies) HasPolicy() bool { | ||
return p.ImageBuilder || p.AutoScaler || p.AWSLoadBalancerController || p.ExternalDNS || p.CertManager | ||
} |
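Review bot: the `,inline` option on every json tag in this hunk (e.g. `ImageBuilder bool `json:"imageBuilder,inline"``) is a no-op on a named scalar field; encoding/json only recognises the `omitempty` and `string` options and silently ignores anything else, so the tag does not do what its author presumably intended. For bool flags in a declarative config the option you actually want is `,omitempty` (`json:"imageBuilder,omitempty"`), otherwise every unset flag is written back out as an explicit `false`. Separately, the doc comment on ImageBuilder promises "full ECR (Elastic Container Registry) access" but none of the five field comments names the managed policy that gets attached; for a field that widens an IRSA role's permissions, the comment should state the exact policy (or ARN) so a user can judge the blast radius before enabling it. Last, `HasPolicy` has a pointer receiver and dereferences `p` unconditionally, so reaching it through a nil `*WellKnownPolicies` (the natural state when the block is omitted from config) panics; add `if p == nil { return false }` at the top or switch to a value receiver.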
@@ -25,7 +25,7 @@ type IAMRole struct { | |
Path string `json:",omitempty"` | ||
|
||
AssumeRolePolicyDocument MapOfInterfaces `json:",omitempty"` | ||
ManagedPolicyArns []string `json:",omitempty"` | ||
ManagedPolicyArns []interface{} `json:",omitempty"` | ||
I'm not clear why this is changed. Is it just because we're smuggling the return value from (I'm not clear on what this

Yes, it's kind of a less than ideal situation because we do some CloudFormation using our own types and some using goformation. It's here that they're being mixed.

I'm going to leave the intrinsics because we use them elsewhere (with
||
PermissionsBoundary string `json:",omitempty"` | ||
} | ||
|
||
|
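Review bot: widening `ManagedPolicyArns` from `[]string` to `[]interface{}` drops the compile-time guarantee that every element is a policy ARN, and nothing in the hunk documents which element types are now permitted. Since the inline discussion says the motivation is mixing goformation intrinsics with plain strings, add a field comment stating that each element is either a string ARN or a CloudFormation intrinsic map, and consider a small constructor or validation step that rejects any other type before the template is rendered, so a malformed entry fails inside eksctl rather than surfacing as a CloudFormation stack error.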
would `attachWellKnownPolicies` be better? I'm still open for `WellKnownPolicies` to change, but I think having `attach` prefixed helps to describe the intent

I think it's a little odd that this would be a verb, when the general idea of declarative config suggests using nouns instead, to describe the resulting state, not how you get there. `attachedWellKnownPolicies` perhaps, but that's pretty verbose, and only subtly different, so likely to lead to muscle-memory mistakes. I think the various uses of `attach` in eksctl config stand out as verbs in a sea of nouns, but I guess using `attach` specifically is consistent here, e.g., we also have `securityGroups.attachIDs`, not `securityGroups.attachedIDs`.

Yes, I was trying to avoid a verb but maybe `withWellKnownPolicies`?

Would I be at risk of ruining everything by saying I am not a fan of `WellKnown`? `withCommonPolicies`?

The one problem with "common" is that it has two meanings, one "well known", the other "shared"...

Yeah, that's totally right. `withNamedPolicies`? Although I suppose all policies have names.

Struggling to find a better alternative to `WellKnownPolicies`, so I'm happy to stick with that. I'm still unsure about `with` vs `attach`. I know that using the word `attach` isn't technically correct, but IMO it's worth using it to remain consistent with the other fields.