Extensible IAM roles in AWS #379

Closed
tazjin opened this issue Aug 29, 2016 · 6 comments
@tazjin
Contributor

tazjin commented Aug 29, 2016

Currently the AWS implementation of kops seems to create two IAM roles, one for the master and one for all nodes.

We are using kube2iam to let pods assume IAM roles. To accomplish this, we've attached an additional policy to the IAM role used by nodes that grants the necessary permissions.

I'm wondering if this is a stable way to go about it (i.e. will kops notice this change and nuke it in some future run?). Maybe kops should have a feature that lets users add additional policies to the roles created?
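A check one might run on the additional policy attached to the node role, as an added example that is not part of the original issue or of the kops or kube2iam code. It assumes the policy grants `sts:AssumeRole` (the permission kube2iam needs on the node role) and flags grants that are not confined to a role-ARN prefix; the account ID, role path and function names are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample: an additional policy of the kind attached to the node
# role so kube2iam can assume pod roles (account id and role path are made up).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::111122223333:role/k8s/*"},
        {"Effect": "Allow", "Action": ["sts:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single value or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def grants_assume_role(statement):
    """True if an Allow statement's Action patterns cover sts:AssumeRole."""
    if statement.get("Effect") != "Allow":
        return False
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase("sts:assumerole", action.lower())
               for action in _as_list(statement.get("Action", [])))


def audit_node_policy(policy_json, allowed_prefix):
    """Return (statement index, resource) for every sts:AssumeRole grant
    whose resource is not confined to allowed_prefix."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for index, statement in enumerate(statements):
        if not grants_assume_role(statement):
            continue
        # A statement without Resource is treated as "*" (conservative).
        for resource in _as_list(statement.get("Resource", "*")):
            if not resource.startswith(allowed_prefix):
                findings.append((index, resource))
    return findings


if __name__ == "__main__":
    prefix = "arn:aws:iam::111122223333:role/k8s/"  # constructed value
    for index, resource in audit_node_policy(SAMPLE_POLICY, prefix):
        print(f"statement {index}: sts:AssumeRole allowed on {resource}")
```
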

@justinsb justinsb added this to the 1.3.0 milestone Sep 1, 2016
@justinsb justinsb added the P0 label Sep 1, 2016
@justinsb
Member

justinsb commented Sep 1, 2016

I need to verify that kops won't detach the policy. What you're doing is the right thing (vs. e.g. editing the kops IAM policy, which would be impossible to preserve), so I want to make sure it works!

@yissachar
Contributor

@justinsb Any thoughts of adding this into kops? I'm currently using this approach and it works fine, but it introduces a manual step that I think kops could automate away.

@sstarcher
Contributor

This should be closed via #1170

@chrislovecnm
Contributor

@tazjin does #1170 work for you, or are you looking for something at a pod level?

@tazjin
Contributor Author

tazjin commented Jan 23, 2017

@chrislovecnm It's a combination of both; the permission extensions from #1170 are necessary for supporting kube2iam correctly. This is working for us at the moment, so I have no further needs. Feel free to close!

@chrislovecnm
Contributor

closing per above

justinsb added a commit to justinsb/kops that referenced this issue Dec 9, 2020
Highlights:

* Fix arm64 images, which were built with an incorrect base image.
* Initial (experimental) Azure support

Full change list:

* Update Kops dependency for Azure Blob Storage support [kubernetes#372](kopeio/etcd-manager#372)
* Exclude gazelle from tools/deb-tools [kubernetes#373](kopeio/etcd-manager#373)
* Regenerate bazel in tools/deb-tools [kubernetes#374](kopeio/etcd-manager#374)
* Release notes for 3.0.20201202 [kubernetes#375](kopeio/etcd-manager#375)
* Remove travis CI [kubernetes#377](kopeio/etcd-manager#377)
* Fix vendor generation for tools/deb-tools subproject [kubernetes#376](kopeio/etcd-manager#376)
* Add script to verify image hashes [kubernetes#380](kopeio/etcd-manager#380)
* Fix some incorrect base image hashes for arm64 [kubernetes#379](kopeio/etcd-manager#379)
* Support Azure [kubernetes#378](kopeio/etcd-manager#378)
* Add more descriptions to wait loops [kubernetes#383](kopeio/etcd-manager#383)
* Rename fields in the azure client struct [kubernetes#382](kopeio/etcd-manager#382)
* Fix small typo in code comment [kubernetes#381](kopeio/etcd-manager#381)
hakman pushed a commit to hakman/kops that referenced this issue Dec 9, 2020