Attach an existing managed policy to node.<cluster> IAM role. #1645

Closed
ajohnstone opened this issue Jan 26, 2017 · 9 comments
Labels: area/security, lifecycle/frozen, lifecycle/stale

@ajohnstone
Contributor

ajohnstone commented Jan 26, 2017

It would be ideal to add an existing managed policy to instance groups.

With that said, would additionalPolicies be better as a managed policy?

Also relates to #1644

@yissachar @chrislovecnm

@chrislovecnm
Contributor

@ajohnstone absolutely. We are creating an interesting house of cards with identity management, auth and authz. Would be great to understand use cases and community needs.

@justinsb
Member

I think this is a good idea. @yissachar and I actually discussed this alternative, and we could certainly add it in the model,

It is also our hope to get kube2iam up and running, and to encourage that instead. @ajohnstone if we had kube2iam integration, would you still want to attach additional policies?

justinsb modified the milestones: 1.5.1, 1.5.0 Jan 28, 2017

@ajohnstone
Contributor Author

@justinsb Kube2iam would solve one set of scenarios.

I still think applying a managed policy is a better solution for managing IAM policies, rather than attaching inline (assume this is what happens with additional policies presently).

Currently I have a number of requirements that require cross-account policies to be set. So it's not just the policy that needs to be attached, but also configuring the trust relationship too.

@yissachar
Contributor

@ajohnstone The policy attached is a managed policy. So theoretically you could probably achieve what you want under the current system. That being said, I can see it being easier for some workflows to bring your own managed policy to kops, rather than using the one kops creates.

@chrislovecnm
Contributor

We have a PR in for some of this. #2139

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

k8s-ci-robot added the lifecycle/stale label Dec 23, 2017

@chrislovecnm
Contributor

/assign
/lifecycle frozen

k8s-ci-robot added the lifecycle/frozen label Dec 23, 2017

@rifelpet
Member

This has been implemented in #7837 and will be included in Kops 1.18
/close

@k8s-ci-robot
Contributor

@rifelpet: Closing this issue.

