Attach an existing managed policy to node.<cluster> IAM role. #1645
Comments
@ajohnstone absolutely. We are creating an interesting house of cards with identity management, auth and authz. Would be great to understand use cases and community needs.
I think this is a good idea. @yissachar and I actually discussed this alternative, and we could certainly add it in the model. It is also our hope to get kube2iam up and running, and to encourage that instead. @ajohnstone if we had kube2iam integration, would you still want to attach additional policies?
@justinsb Kube2iam would solve one set of scenarios. I still think applying a managed policy is a better solution for managing IAM policies, rather than attaching inline (assume this is what happens with additional policies presently). Currently I have a number of requirements that require cross-account policies to be set. So it's not just the policy that needs to be attached, but also configuring the trust relationship too.
@ajohnstone The policy attached is a managed policy. So theoretically you could probably achieve what you want under the current system. That being said, I can see it being easier for some workflows to bring your own managed policy to kops, rather than using the one kops creates.
We have a PR in for some of this. #2139
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or
/assign
This has been implemented in #7837 and will be included in Kops 1.18
@rifelpet: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
It would be ideal to add an existing managed policy to instance groups.
With that said, would additionalPolicies be better as a managed policy?
Also relates to #1644
@yissachar @chrislovecnm