-
Notifications
You must be signed in to change notification settings - Fork 540
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: Using IAM roles instead of AWS credentials in management cluster #3328
Conversation
@Ankitasw: This issue is currently awaiting triage. If CAPA/CAPI contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@@ -0,0 +1,44 @@ | |||
# Using IAM roles in management cluster instead of AWS credentials |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These instructions could also apply to using IRSA with EKS with minimal changes. Should we also cover this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I have a plan to cover it in this PR, that's why still WIP :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome @Ankitasw 🎉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@richardcase I would be covering option 4 in this PR as described in this slack thread. But since you listed IRSA as option 2 in the thread, if it is possible with minimal changes I can do it in this PR itself. It would be really helpful if you could direct me to what steps has to be done in case of IRSA with EKS.
Also, for enforcing use of IAM roles in EKS managed cluster instead of AWS credentials CAPA started with, what additional steps would be required apart from the steps listed in this doc?
P.S I am not aware of these concepts around EKS that's why want some help 😄
cc @sedefsavas
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about listing all options in that thread and If missing some details, could catch up during office hours and fill those.
To summarize all the options we have to go forward with when we pivot to management cluster so that we can document it together and we have covered only 1 scenario in this PR:
|
cc @richardcase @sedefsavas any advice on how to move ahead in this PR and what all to cover? If the content is suffice for using IAM roles, then we could close this PR and then open issue for other options listed here. Wdyt? |
1. Create a workload cluster on existing bootstrap cluster. Refer [quick start guide](https://cluster-api.sigs.k8s.io/user/quick-start.html) for more details. | ||
Control plane nodes on the workload cluster will have IAM roles attached which is enough for the target management cluster to work. We want to move the bootstrap cluster to this workload cluster to turn it to a management cluster. | ||
|
||
> **Note:** A cluster with a single control plane node won’t be sufficient here due to the `NoSchedule` taint. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This does not seem correct, we specifically want to use control plane nodes as they have the proper IAM permissions.
I added details on how to move the management cluster, feel free to add some details of that sort here:
Since only control-plane nodes have the required IAM roles attached, CAPA deployment should have the necessary tolerations for master (control-plane) node and node selector for master. To modify the CAPA deployment before running clusterctl init, check [cluster api book](https://cluster-api.sigs.k8s.io/clusterctl/commands/init.html).
Run clusterctl init --infrastructure aws on the workload cluster by setting export AWS_B64ENCODED_CREDENTIALS="Cg==" (equivalent to empty string)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have mentioned about zeroing the credentials in point 4 below, just before running clusterctl init. This line makes more sense
Since only control-plane nodes have the required IAM roles attached, CAPA deployment should have the necessary tolerations for master (control-plane) node and node selector for master.
as compared to
Control plane nodes on the workload cluster will have IAM roles attached which is enough for the target management cluster to work. We want to move the bootstrap cluster to this workload cluster to turn it to a management cluster.
Does it make sense if I change this line and then keep rest of the instructions as is?
I think we can merge this one and file an issue that lists all the other options discussed on the slack thread and here for future reference. |
Thanks @sedefsavas i will file an issue for the same. |
Based on the discussion and that #3510 has been created: /lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: richardcase The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind documentation
What this PR does / why we need it:
This PR adds documentation for usage of IAM roles in management cluster instead of using AWS credentials with which the management cluster was created.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #3130
Checklist:
Release note: