Automatic merge from submit-queue.
Add Node IAM permissions to access kube-router key in S3.
Fixes #3792
An additional S3 IAM permission is added to the nodes policy when `Networking.Kuberouter` is specified.
kops version
Version 1.8.0-beta.1 (git-9b71713)
1.8.2 -- I bumped kubernetesVersion
AWS
A working cluster.
How can we reproduce it (as minimally and precisely as possible):
Anything else we need to know:
The IAM node policy doesn't grant access to the kube-router path in S3 (e.g. s3://mycluster.example.com-state-store/mycluster.example.com/pki/private/kube-router/blah.key). S3 returns a 403. Node logs show nodeup failing w/ access denied.
I was able to work around the problem by manually editing the IAM policy (adding "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/pki/private/kube-router/*").
The commit that tightened access is here.
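
A check for the failure described in this report, as an added example (not code from kops or from the issue): it evaluates whether a node policy's S3 `Resource` patterns cover the kube-router key, using the bucket and key path from the report. The policy contents, the `addons` and `other` paths and all function names are constructed for illustration; `Condition`, `NotAction` and `NotResource` are not evaluated.

```python
import re

def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def as_list(value):
    """IAM allows a bare string or dict where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def is_allowed(policy, action, resource_arn):
    """Evaluate one identity policy: an explicit Deny wins, otherwise any Allow.
    Simplification: Condition, NotAction and NotResource are not evaluated."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        hit = (any(wildcard_match(a, action, ignore_case=True)
                   for a in as_list(stmt.get("Action", [])))
               and any(wildcard_match(r, resource_arn)
                       for r in as_list(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

# Bucket and key path follow the example in the report above.
PREFIX = "arn:aws:s3:::mycluster.example.com-state-store/mycluster.example.com"
KUBE_ROUTER_KEY = PREFIX + "/pki/private/kube-router/blah.key"
OTHER_PRIVATE_KEY = PREFIX + "/pki/private/other/blah.key"  # constructed path

def node_policy(extra_resources=()):
    """Constructed stand-in for a tightened node policy, not kops's real output."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*"],
        "Resource": [PREFIX + "/addons/*", *extra_resources],
    }]}

if __name__ == "__main__":
    patched = node_policy([PREFIX + "/pki/private/kube-router/*"])
    for name, policy in (("tightened", node_policy()), ("patched", patched)):
        for key in (KUBE_ROUTER_KEY, OTHER_PRIVATE_KEY):
            verdict = "allow" if is_allowed(policy, "s3:GetObject", key) else "deny (403)"
            print(f"{name:9} {key.rsplit('/', 2)[-2]:12} {verdict}")
```

With the kube-router resource added, only keys under `pki/private/kube-router/` become readable; other paths under `pki/private/` stay denied, so the scoping introduced by the tightening is preserved.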