IAM review #376

Closed
justinsb opened this issue Aug 27, 2016 · 3 comments

@justinsb
Member

We should further review the IAM profile to see if we can lock it down further:

  • can we prevent even listing other clusters in the same bucket without breaking discovery?
  • EC2 permissions
  • Volume restrictions
@Amit-PivotalLabs

I've got a few questions about the master IAM policy being generated today:

  1. There's a bunch of ecr actions; are those even necessary? Aren't most images pulled down from https://gcr.io, especially for consistency with using kops against GCE? If this is meant to allow users on AWS to leverage Amazon's ECR, perhaps it can be made optional.
  2. Why ec2:*? What EC2 actions does it really even need? I imagine actually creating the cluster (directly or with terraform) will handle all VM and volume creation and volume mounting, so why does the master node need to do any EC2 anything?
  3. Can the Route53 permissions be locked down to the provided Hosted Zone? Even better, I suspect kops knows up front exactly what record sets it's going to manage; could it lock the resources down from * to just the record sets it's going to create? Not sure if IAM lets you define policies that way.
  4. Locking down elasticloadbalancing:* to elasticloadbalancing:DescribeLoadBalancers would be nice in the case that you don't want to allow people to create LoadBalancer services. I'd like to create a Kubernetes cluster and allow folks to use it without them creating new things in my AWS account that are going to cost me money. I can stand up my own ELB and associate it with the ASG for nodes. This, together with the ability to specify the --service-node-port-range on the Kube API Server, means I can get a bit closer to a nice experience where people can run publicly routable apps on the cluster without anyone having to do much manual work.
  5. Why s3:*? Does kops ever write back to the state store bucket? Read-only types of actions should be sufficient, no?
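An added example (not code from this issue or from kops) that lints an IAM policy document for the two patterns raised in the comment above: service-wide wildcard actions such as `ec2:*` or `s3:*`, and mutating actions granted on `Resource: "*"`. Both policies are constructed; the hosted-zone id `ZEXAMPLE` and bucket `example-state-store` are placeholders, and the linter assumes Describe/Get/List actions are acceptable on `*` because many of them offer no resource-level scoping.

```python
"""Flag over-broad grants in an IAM policy document."""
import json

# Constructed sample shaped like the master policy the comment describes.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["route53:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["elasticloadbalancing:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
    ],
})

# Constructed tightened variant: explicit actions, Route53 pinned to one hosted
# zone, S3 read-only on one bucket. ARNs are placeholders, not real resources.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
         "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets",
                                       "route53:ListResourceRecordSets"],
         "Resource": ["arn:aws:route53:::hostedzone/ZEXAMPLE"]},
        {"Effect": "Allow", "Action": ["elasticloadbalancing:DescribeLoadBalancers"],
         "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-state-store",
                      "arn:aws:s3:::example-state-store/*"]},
    ],
})

def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """Assumption: Describe*/Get*/List* verbs are non-mutating."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(("Describe", "Get", "List"))

def audit_policy(policy_json):
    """Return (statement index, action, reason) for each over-broad Allow grant."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, action, "service-wide wildcard action"))
            elif "*" in resources and not is_read_only(action):
                findings.append((idx, action, "mutating action on Resource *"))
    return findings
```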

@chrislovecnm
Contributor

@justinsb assigning to you.

@chrislovecnm
Contributor

I am closing this because this is open: #1873

justinsb added a commit to justinsb/kops that referenced this issue Dec 9, 2020
Highlights:

* Fix arm64 images, which were built with an incorrect base image.
* Initial (experimental) Azure support

Full change list:

* Update Kops dependency for Azure Blob Storage support [kubernetes#372](kopeio/etcd-manager#372)
* Exclude gazelle from tools/deb-tools [kubernetes#373](kopeio/etcd-manager#373)
* Regenerate bazel in tools/deb-tools [kubernetes#374](kopeio/etcd-manager#374)
* Release notes for 3.0.20201202 [kubernetes#375](kopeio/etcd-manager#375)
* Remove travis CI [kubernetes#377](kopeio/etcd-manager#377)
* Fix vendor generation for tools/deb-tools subproject [kubernetes#376](kopeio/etcd-manager#376)
* Add script to verify image hashes [kubernetes#380](kopeio/etcd-manager#380)
* Fix some incorrect base image hashes for arm64 [kubernetes#379](kopeio/etcd-manager#379)
* Support Azure [kubernetes#378](kopeio/etcd-manager#378)
* Add more descriptions to wait loops [kubernetes#383](kopeio/etcd-manager#383)
* Rename fields in the azure client struct [kubernetes#382](kopeio/etcd-manager#382)
* Fix small typo in code comment [kubernetes#381](kopeio/etcd-manager#381)
hakman pushed a commit to hakman/kops that referenced this issue Dec 9, 2020