-
Notifications
You must be signed in to change notification settings - Fork 295
More flexible configuration for IAM and stable naming for roles #607
Conversation
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Codecov Report
@@ Coverage Diff @@
## master #607 +/- ##
=========================================
- Coverage 37.99% 37.7% -0.29%
=========================================
Files 50 51 +1
Lines 3277 3302 +25
=========================================
Hits 1245 1245
- Misses 1830 1854 +24
- Partials 202 203 +1
Continue to review full report at Codecov.
|
# # managedIamRoleName: "yourManagedRole" | ||
# # ATTENTION: if you decide to use an existing InstanceProfile you need to ensure it has the needed permissions for kube-aws to run. | ||
# # kube-aws will not manage and never manage this InstanceProfile. IAM Roles will not be created by kube-aws in this case. | ||
# # existingInstanceProfile: "arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILEID" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess iam
should be iamInstanceProfile
so that it is even more clearer that it is used to customize IamInstanceProfile
associated to nodes.
If we go that way, iam.existingInstanceProfile
could be just iamInstanceProfile.arn
. It will correspond more to e.g. subnets[].id
or apiEndpoints[].loadBalancer.id
which is there for reusing existing AWS resources.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
managedIamRoleName changes an IAM Role not the attached IAM Instance Profile, so renaming it to iamInstanceProfile.roleName might be confusing to people, but i don't have hard feelings about it if that key name looks more appealing, i will rename it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Fsero I think so too. Then, how about iamInstanceProfile.role.name
?
My idea is that it will be explicit about:
iamInstanceProfile
is used to customize what the instance profile is attached to nodesiamInstanceProfile.role
is used to customize what the role is associated to the instance profileiamInstanceProfile.role.name
is used to customize the name of the role associated to the instance profile
// I neither have hard feelings but just thought a bit of discussions would result in less explanations required to our users afterwards!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my comment below.
I like your idea of iam.instanceProfile
.
# # It will have attached a customer Managed Policy that you can modify afterwards if you need more permissions for your cluster. | ||
# # Be careful with the Statements you modify because an update could overwrite your own. | ||
# # the Statements included in the ManagedPolicy are the minimun ones required for the Controllers to run. | ||
# # managedIamRoleName: "yourManagedRole" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we go this way, iam.managedIamRoleName
could be iamInstanceProfile.roleName
which will correspond more to the RoleName
key in Cfn's IAMRole resources.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my comment above. I'm now suggesting iamInstanceProfile.role.name
{{if .Controller.IAMConfig.ManagedIamRoleName }} | ||
"RoleName": {"Fn::Join": ["",[{"Ref": "AWS::Region"},"-","{{.Controller.IAMConfig.ManagedIamRoleName}}"]]}, | ||
{{end}} | ||
"ManagedPolicyArns": [ {"Ref": "IAMManagedPolicyController"} ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure it should be addressed in this PR or not but..
I'd appreciate it if I could have iamInstanceProfile.managedPolicyArns
to add "additional managed policy arns" to the ManagedPolicyArns
array 😄
Please see #340
cc @c-knowles
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And I just realized that you addressed it in your description of the PR
It also includes a brief improvement for IAM Roles managed by kube-aws supporting customer managed policies (ref #340)
However it doesn't seem to be implemented yet?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i can change the config block, so instead of being
iam:
managedIamRoleName
existingInstanceProfile
could be:
iam:
role:
iamRoleName: "your role"
managedPolicyArns:
- "arn:aws:iam:YOURACCOUNTID/policy/POLICYID"
instanceProfile:
arn: "arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILEID"
that would be better @mumoshu ?
Regarding #340 i now realize is half implemented yes, if we agree on that syntax i can adapt the PR.
Thanks for your comments @mumoshu 😃
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds great. I'm almost convinced to your idea!
Nit but:
- Would you mind renaming
iamRoleName
to justname
so that the whole path would look likeiam.role.name
rather thaniam.role.iamRoleName
, which results in less duplication? - Which of them do you think clearer,
iam.instanceProfile.role
oriam.role
? My motivation to nestrole
underinstanceProfile
is based on the fact that the role is associated to the instance profile. However I'd really like to hear your idea.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i don't mind at all, i like iam.role.name
. Regarding your second point,
between
iam:
role:
name: "yourRoleName"
managedPolicyArns:
- "arn:aws:iam:YOURACCOUNTID/policy/POLICYID"
instanceProfile:
arn: "arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILEID"
and
iam:
instanceProfile:
role:
name: "yourRoleName"
managedPolicyArns:
- "arn:aws:iam:YOURACCOUNTID/policy/POLICYID"
arn: "arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILEID"
there is a link between the role and the instance profile i like the first slightly more because the option is more clear either you go with a role or either you set an instance profile but you cannot do both.
That said, both can work, so if you feel that the second makes more sense i'll do that.
Thanks @mumoshu 🙇♂️
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Fsero Thanks for the detailed reply 🙇
i like the first slightly more because the option is more clear either you go with a role or either you set an instance profile but you cannot do both.
It does make sense! Now, I like the first more, too. Let's go ahead with it 👍
@Fsero Thanks for your efforts here! I did add some comments but
Definitely. |
e74ce61
to
2baab1f
Compare
@mumoshu i've implemented the proposed changes in syntax for cluster.yaml and included the features from #340. cluster with existing instance profile i did some validation to prevent mistakes writing the cluster.yaml, i hope this is enough to got it merged :) let me know wdyt @mumoshu |
@Fsero Really an awesome work! 👍 |
model/node_pool_config.go
Outdated
@@ -99,6 +101,13 @@ func (c NodePoolConfig) Valid() error { | |||
fmt.Println(`WARNING: instance types "t2.nano" and "t2.micro" are not recommended. See https://github.com/kubernetes-incubator/kube-aws/issues/258 for more information`) | |||
} | |||
|
|||
if c.IAMConfig.InstanceProfile.Arn != "" && (c.IAMConfig.Role.Name != "" || c.DeprecatedNodePoolManagedIamRoleName != "") { | |||
return errors.New("Incompatible options either kube-aws attachs instances to an existing InstanceProfile or manages an IAM Role") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit:`s/attachs/attaches/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: "incompatible options: kube-aws either attaches ~~ or manages ~~" may be easier to read/consistent with other error messages?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed, setting up an error message more similar to others.
"IamInstanceProfile": { | ||
"Ref": "IAMInstanceProfileController" | ||
"Ref": "IAMInstanceProfileController" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: redundant whitespace at the end of line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed, yep it was extra
return fmt.Errorf("invalid instance profile, your instance profile must match (=arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILENAME), provided (%s)", c.InstanceProfile.Arn) | ||
} | ||
|
||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: We'd better emit a validation error also when both instanceProfile.arn
and managePolicies[].arn
s are specified.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like we already had it only for controller nodes above https://github.com/kubernetes-incubator/kube-aws/pull/607/files#diff-75f5c0a1828df862096ed45c755c2990R73
Perhaps we need it for node pools, too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you are right, i'd forgot about it. Fixed now
Wow, thanks for the quick turnaround @Fsero! |
@Fsero Merged. Sry if you've force-pushed one more commit after I've confirmed the build status and merged the PR. If you had further changes, I'd appreciate it if you could open up an another PR! Thanks again for your efforts 🍻 |
Thanks for your detailed review @mumoshu and for the efforts for making kube-aws great. See you in another PR 🍻 |
More flexible configuration for IAM and stable naming for roles
this PR aims to fix issue #500 allowing Node Pools to use an existing instance profile. It also includes a brief improvement for IAM Roles managed by kube-aws supporting customer managed policies (ref #340), it also makes IAM Roles fixed and not depending on the stack name if you have configured managedIAMRoleName.
If kube-aws manages the IAM Role it will create a customer managed policy for controllers and for workers, then it will create an IAM Role with this policy attached, that enables policy updates without the need to recreating the whole stack and kube-aws users can tailor the policies to their current needs.
if kube-aws uses an existing InstanceProfile it will not create an IAM Role and the InstanceProfile used should be attached to an IAM Role with the enough level of grants to make the cluster work.
By default if you don't configure an iam block in your worker/controller kube-aws would manage the role for you.
if you set iam.managedIamRoleName, the IAM Role will be created with the name {AWS::Region}-$managedIamRoleName.
if you set iam.existingInstanceProfile, kube-aws will use that instance profile.
if you set both, kube-aws would fail as these options are incompatible.
probably we can expand this to define custom iam policies in cluster.yaml, i think this model brings flexibility without confusing cluster.yaml more, but i'm happy to hear your thoughts.
i will be very glad if this is merged, @jpb (this is related to your #556 work), @c-knowles this is implementing customer managed policies.