More flexible configuration for IAM and stable naming for roles #607
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
Codecov Report
@@ Coverage Diff @@
## master #607 +/- ##
=========================================
- Coverage 37.99% 37.7% -0.29%
=========================================
Files 50 51 +1
Lines 3277 3302 +25
=========================================
Hits 1245 1245
- Misses 1830 1854 +24
- Partials 202 203 +1
Continue to review full report at Codecov.
|
k8s-ci-robot
added
cncf-cla: yes
| # # managedIamRoleName: "yourManagedRole" | ||
| # # ATTENTION: if you decide to use an existing InstanceProfile you need to ensure it has the needed permissions for kube-aws to run. | ||
| # # kube-aws will not manage and never manage this InstanceProfile. IAM Roles will not be created by kube-aws in this case. | ||
| # # existingInstanceProfile: "arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILEID" |
There was a problem hiding this comment.
I guess iam should be iamInstanceProfile so that it is even more clearer that it is used to customize IamInstanceProfile associated to nodes.
If we go that way, iam.existingInstanceProfile could be just iamInstanceProfile.arn. It will correspond more to e.g. subnets[].id or apiEndpoints[].loadBalancer.id which is there for reusing existing AWS resources.
There was a problem hiding this comment.
managedIamRoleName changes an IAM Role not the attached IAM Instance Profile, so renaming it to iamInstanceProfile.roleName might be confusing to people, but i don't have hard feelings about it if that key name looks more appealing, i will rename it.
There was a problem hiding this comment.
@Fsero I think so too. Then, how about iamInstanceProfile.role.name?
My idea is that it will be explicit about:
iamInstanceProfileis used to customize what the instance profile is attached to nodesiamInstanceProfile.roleis used to customize what the role is associated to the instance profileiamInstanceProfile.role.nameis used to customize the name of the role associated to the instance profile
// I neither have hard feelings but just thought a bit of discussions would result in less explanations required to our users afterwards!
There was a problem hiding this comment.
See my comment below.
I like your idea of iam.instanceProfile.
| # # It will have attached a customer Managed Policy that you can modify afterwards if you need more permissions for your cluster. | ||
| # # Be careful with the Statements you modify because an update could overwrite your own. | ||
| # # the Statements included in the ManagedPolicy are the minimun ones required for the Controllers to run. | ||
| # # managedIamRoleName: "yourManagedRole" |
There was a problem hiding this comment.
If we go this way, iam.managedIamRoleName could be iamInstanceProfile.roleName which will correspond more to the RoleName key in Cfn's IAMRole resources.
There was a problem hiding this comment.
See my comment above. I'm now suggesting iamInstanceProfile.role.name
| {{if .Controller.IAMConfig.ManagedIamRoleName }} | ||
| "RoleName": {"Fn::Join": ["",[{"Ref": "AWS::Region"},"-","{{.Controller.IAMConfig.ManagedIamRoleName}}"]]}, | ||
| {{end}} | ||
| "ManagedPolicyArns": [ {"Ref": "IAMManagedPolicyController"} ] |
There was a problem hiding this comment.
Not sure it should be addressed in this PR or not but..
I'd appreciate it if I could have iamInstanceProfile.managedPolicyArns to add "additional managed policy arns" to the ManagedPolicyArns array 😄
Please see #340
cc @c-knowles
There was a problem hiding this comment.
And I just realized that you addressed it in your description of the PR
It also includes a brief improvement for IAM Roles managed by kube-aws supporting customer managed policies (ref #340)
However it doesn't seem to be implemented yet?
There was a problem hiding this comment.
i can change the config block, so instead of being
iam:
managedIamRoleName
existingInstanceProfile
could be:
iam:
role:
iamRoleName: "your role"
managedPolicyArns:
- "arn:aws:iam:YOURACCOUNTID/policy/POLICYID"
instanceProfile:
arn: "arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILEID"
that would be better @mumoshu ?
Regarding #340 i now realize is half implemented yes, if we agree on that syntax i can adapt the PR.
Thanks for your comments @mumoshu 😃
There was a problem hiding this comment.
Sounds great. I'm almost convinced to your idea!
Nit but:
- Would you mind renaming
iamRoleNameto justnameso that the whole path would look likeiam.role.namerather thaniam.role.iamRoleName, which results in less duplication? - Which of them do you think clearer,
iam.instanceProfile.roleoriam.role? My motivation to nestroleunderinstanceProfileis based on the fact that the role is associated to the instance profile. However I'd really like to hear your idea.
There was a problem hiding this comment.
i don't mind at all, i like iam.role.name. Regarding your second point,
between
iam:
role:
name: "yourRoleName"
managedPolicyArns:
- "arn:aws:iam:YOURACCOUNTID/policy/POLICYID"
instanceProfile:
arn: "arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILEID"
and
iam:
instanceProfile:
role:
name: "yourRoleName"
managedPolicyArns:
- "arn:aws:iam:YOURACCOUNTID/policy/POLICYID"
arn: "arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILEID"
there is a link between the role and the instance profile i like the first slightly more because the option is more clear either you go with a role or either you set an instance profile but you cannot do both.
That said, both can work, so if you feel that the second makes more sense i'll do that.
Thanks @mumoshu 🙇♂️
There was a problem hiding this comment.
@Fsero Thanks for the detailed reply 🙇
i like the first slightly more because the option is more clear either you go with a role or either you set an instance profile but you cannot do both.
It does make sense! Now, I like the first more, too. Let's go ahead with it 👍
|
@Fsero Thanks for your efforts here! I did add some comments but
Definitely. |
Fsero
force-pushed
the
issue/500
branch
2 times, most recently
from
e74ce61
to
2baab1f
Compare
|
@mumoshu i've implemented the proposed changes in syntax for cluster.yaml and included the features from #340. cluster with existing instance profile i did some validation to prevent mistakes writing the cluster.yaml, i hope this is enough to got it merged :) let me know wdyt @mumoshu |
|
@Fsero Really an awesome work! 👍 |
model/node_pool_config.go
Outdated
| @@ -99,6 +101,13 @@ func (c NodePoolConfig) Valid() error { | |||
| fmt.Println(`WARNING: instance types "t2.nano" and "t2.micro" are not recommended. See https://github.com/kubernetes-incubator/kube-aws/issues/258 for more information`) | |||
| } | |||
|
|
|||
| if c.IAMConfig.InstanceProfile.Arn != "" && (c.IAMConfig.Role.Name != "" || c.DeprecatedNodePoolManagedIamRoleName != "") { | |||
| return errors.New("Incompatible options either kube-aws attachs instances to an existing InstanceProfile or manages an IAM Role") | |||
There was a problem hiding this comment.
nit: "incompatible options: kube-aws either attaches ~~ or manages ~~" may be easier to read/consistent with other error messages?
There was a problem hiding this comment.
fixed, setting up an error message more similar to others.
| "IamInstanceProfile": { | ||
| "Ref": "IAMInstanceProfileController" | ||
| "Ref": "IAMInstanceProfileController" |
There was a problem hiding this comment.
nit: redundant whitespace at the end of line?
There was a problem hiding this comment.
fixed, yep it was extra
| return fmt.Errorf("invalid instance profile, your instance profile must match (=arn:aws:iam::YOURACCOUNTID:instance-profile/INSTANCEPROFILENAME), provided (%s)", c.InstanceProfile.Arn) | ||
| } | ||
|
|
||
| } |
There was a problem hiding this comment.
nit: We'd better emit a validation error also when both instanceProfile.arn and managePolicies[].arns are specified.
There was a problem hiding this comment.
Seems like we already had it only for controller nodes above https://github.com/kubernetes-incubator/kube-aws/pull/607/files#diff-75f5c0a1828df862096ed45c755c2990R73
Perhaps we need it for node pools, too?
There was a problem hiding this comment.
you are right, i'd forgot about it. Fixed now
|
Wow, thanks for the quick turnaround @Fsero! |
|
@Fsero Merged. Sry if you've force-pushed one more commit after I've confirmed the build status and merged the PR. If you had further changes, I'd appreciate it if you could open up an another PR! Thanks again for your efforts 🍻 |
|
Thanks for your detailed review @mumoshu and for the efforts for making kube-aws great. See you in another PR 🍻 |
More flexible configuration for IAM and stable naming for roles
this PR aims to fix issue #500 allowing Node Pools to use an existing instance profile. It also includes a brief improvement for IAM Roles managed by kube-aws supporting customer managed policies (ref #340), it also makes IAM Roles fixed and not depending on the stack name if you have configured managedIAMRoleName.
If kube-aws manages the IAM Role it will create a customer managed policy for controllers and for workers, then it will create an IAM Role with this policy attached, that enables policy updates without the need to recreating the whole stack and kube-aws users can tailor the policies to their current needs.
if kube-aws uses an existing InstanceProfile it will not create an IAM Role and the InstanceProfile used should be attached to an IAM Role with the enough level of grants to make the cluster work.
By default if you don't configure an iam block in your worker/controller kube-aws would manage the role for you.
if you set iam.managedIamRoleName, the IAM Role will be created with the name {AWS::Region}-$managedIamRoleName.
if you set iam.existingInstanceProfile, kube-aws will use that instance profile.
if you set both, kube-aws would fail as these options are incompatible.
probably we can expand this to define custom iam policies in cluster.yaml, i think this model brings flexibility without confusing cluster.yaml more, but i'm happy to hear your thoughts.
i will be very glad if this is merged, @jpb (this is related to your #556 work), @c-knowles this is implementing customer managed policies.