update IAM policy sample and add new driver level tag #835
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: AndyXiangLi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
Pull Request Test Coverage Report for Build 1844
💛 - Coveralls |
| "Resource": "*", | ||
| "Condition": { | ||
| "StringLike": { | ||
| "ec2:ResourceTag/CSIVolumeName": "*" |
There was a problem hiding this comment.
all existing volumes will have this tag right? meaning this policy is backwards compatible?
There was a problem hiding this comment.
Yeah, it will not break the existing flow
There was a problem hiding this comment.
it does raise the question, why is the new tag necessary then? is it because it's more readable/understandable?
There was a problem hiding this comment.
Yeah, we just want to add a more readable tag and make it same for both volume and snapshot.
There was a problem hiding this comment.
makes sense.
I think we should document somewhere what the tags mean, even if it's in code comments just for maintainers. The current comments are not that useful because they tell us WHAT the tags are, but not what they are FOR.
CSIVolumeName=foo
added to all volumes, for checking if a given volume was already created so that ControllerPublish/CreateVolume is idempotent.
ebs.csi.aws.com/cluster=true
added to all volumes, for allowing users to use a policy to limit csi driver's permission to just its volumes
kubernetes.io/cluster/X=owned*
added to all volumes if clusterId argument is set to X. In in-tree cloudprovider, it's extremely unlikely/impossible for clusterName NOT to be set, so effectively this tag was set on ALL in-tree volumes https://github.com/kubernetes/cloud-provider-aws/blob/5f394ba297bf280ceb3edfc38922630b4bd83f46/pkg/providers/v2/tags.go#L108. In CSI world we have no automatic way to discover the cloud provider's clusterName, so if the user wants their CSI volumes to have these tags like in-tree volumes would, they have to provide clusterId.
extrakey=extravalue
if extraTags argument is set
| @@ -110,6 +110,8 @@ const ( | |||
| KubernetesTagKeyPrefix = "kubernetes.io" | |||
| // AWSTagKeyPrefix is the prefix of the key value that is reserved for AWS. | |||
| AWSTagKeyPrefix = "aws:" | |||
| //AwsEbsDriverTagKey is the tag to identify if a volume/snapshot is managed by ebs csi driver | |||
There was a problem hiding this comment.
As i commented above, could you add some more detail about how we use this tag (to enable users to limit the csi driver's permission.
Otherwise, it is difficult to understand why we tag each volume ~4 different ways, as I detailed above
|
/lgtm |
k8s-ci-robot
added
the
lgtm
Is this a bug fix or adding new feature?
Fixes #571
What is this PR about? / Why do we need it?
Update sample IAM policy to scope down the resource restriction. The sample IAM policy is still open enough to cover all driver use cases, dynamic provisioning/static provisioning/snapshot/volume resizing etc.
It can be scope down further if above use cases are not apply to your cluster at all. (Like only allow driver to attach/detach the volume created by driver if you are not using static provisioning feature)
Add a new tag
ebs.csi.aws.com/clusterto identify all the resources created by driver.What testing is done?
e2e test/ unit test/ manually test