This repository has been archived by the owner on Apr 7, 2020. It is now read-only.

Minimal Permissions for Azure/GCP/OpenStack Shoot Clusters #133

Closed
vlerenc opened this issue Jun 21, 2018 · 4 comments
Labels
platform/aws Amazon Web Services (AWS) platform/infrastructure platform/gcp Google Cloud Platform (GCP) platform/infrastructure platform/openstack OpenStack platform/infrastructure

Comments

@vlerenc

vlerenc commented Jun 21, 2018

We have narrowed down the access permissions for AWS shoot clusters (potential remainder tracked in #178), but not yet for Azure, GCP and OpenStack, which this ticket is now about. We expect less success on these infrastructures as AWS's permission/policy options are very detailed. This may break the "shared account" idea on these infrastructures (Azure and GCP - OpenStack can be mitigated by programmatically creating tenants on the fly).

@vlerenc
Author

vlerenc commented Apr 10, 2019

Is there anything else to be done @dkistner, @DockToFuture, @rfranzke, @afritzler or can we close this one? E.g. Azure seems to have a pretty coarse-grained permission model. Not sure whether we can do much for GCP and OpenStack either. AWS offered a lot, but we explored/exploited that in detail already.

@dkistner
Contributor

For Azure there are some efforts to run the kubelet without any platform access, see here: kubernetes/kubernetes#77309

If this works, then we should stay with the Contributor permissions (as default) to configure the control plane components, as defining custom roles requires Owner permissions.

For interested users we could provide a guide describing the minimal permissions which Gardener requires. The user has to create a role and assign it to the service principal which is passed to Gardener.
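The comment above proposes a guide with a minimal permission set and a user-created custom role assigned to the service principal handed to Gardener. The following is an added example, not Gardener project code and not the thread's own content: a small audit that takes a candidate Azure custom role definition (the same JSON shape `az role definition create --role-definition <file>` accepts) and checks it against a required-action list the way a reviewer of such a guide would, reporting required actions the role misses, wildcard grants, and explicit grants that nothing in the requirement list explains. The `REQUIRED_ACTIONS` list, the candidate role, the subscription id and the abridged Contributor-like role are constructed for illustration; the real permission set Gardener needs on Azure is not stated in this thread. Azure wildcard (`*`) and case-insensitive matching, and the "effective = Actions minus NotActions" rule, are modelled as described in the Azure RBAC documentation.

```python
"""Least-privilege audit for an Azure custom role definition.

Added example, not Gardener project code. Required actions and roles below are
constructed; the action strings are real Azure RBAC operation names, but their
selection is illustrative and is not Gardener's actual requirement.
"""
import fnmatch
import json

# Constructed: the actions a hypothetical minimal-permission guide would list.
REQUIRED_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
]

# Constructed candidate role, in the shape of the JSON file passed to
# `az role definition create`. The subscription id is a placeholder.
CANDIDATE_ROLE = {
    "Name": "gardener-shoot-minimal (example)",
    "IsCustom": True,
    "Description": "Illustrative least-privilege role for this example.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/networkSecurityGroups/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Abridged, constructed stand-in for the built-in Contributor role the comment
# proposes as the default: everything, minus a few authorization operations.
CONTRIBUTOR_LIKE = {
    "Name": "Contributor (abridged example)",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}


def action_matches(pattern, action):
    """Azure RBAC: '*' matches any characters and comparison is case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_granted(role, action):
    """An action is effective when an Actions entry matches it and no NotActions
    entry excludes it. NotActions only subtract; they never grant anything."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def audit_role(role, required_actions):
    """Return findings a guide reviewer cares about:
    - missing: required actions the role does not effectively grant
    - wildcards: grants that use '*' (broader than any single required action)
    - unexplained: explicit grants no required action accounts for (drop candidates)
    """
    required_lower = {a.lower() for a in required_actions}
    actions = role.get("Actions", [])
    return {
        "missing": [a for a in required_actions if not is_granted(role, a)],
        "wildcards": [p for p in actions if "*" in p],
        "unexplained": [p for p in actions
                        if "*" not in p and p.lower() not in required_lower],
    }


if __name__ == "__main__":
    for role in (CANDIDATE_ROLE, CONTRIBUTOR_LIKE):
        print(role["Name"])
        print(json.dumps(audit_role(role, REQUIRED_ACTIONS), indent=2))
```

Because, as the comment notes, creating a custom role needs Owner rights, a check like this is best run on the role file before an Owner creates it and before it is assigned to the service principal; for the candidate above it flags the two wildcard grants and the storage `listKeys` action as things the guide would have to justify or remove.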

@vlerenc
Author

vlerenc commented May 15, 2019

Good news, good news indeed!

@rfranzke rfranzke transferred this issue from gardener/gardener Jun 12, 2019
@rfranzke rfranzke added platform/aws Amazon Web Services (AWS) platform/infrastructure platform/gcp Google Cloud Platform (GCP) platform/infrastructure platform/openstack OpenStack platform/infrastructure labels Jul 21, 2019
@gardener-robot-ci-1 gardener-robot-ci-1 added lifecycle/stale Nobody worked on this for 2 months (will further age and may be closed after 6 months of inactivity) and removed lifecycle/stale Nobody worked on this for 2 months (will further age and may be closed after 6 months of inactivity) labels Sep 20, 2019
@ghost ghost added lifecycle/stale Nobody worked on this for 2 months (will further age and may be closed after 6 months of inactivity) and removed lifecycle/stale Nobody worked on this for 2 months (will further age and may be closed after 6 months of inactivity) labels Nov 19, 2019
@ghost ghost added lifecycle/stale Nobody worked on this for 2 months (will further age and may be closed after 6 months of inactivity) and removed lifecycle/stale Nobody worked on this for 2 months (will further age and may be closed after 6 months of inactivity) labels Jan 19, 2020
@rfranzke
Contributor

rfranzke commented Feb 4, 2020

Replaced with individual issues in dedicated provider repositories.
/close

@rfranzke rfranzke closed this as completed Feb 4, 2020