IAM policy changes required for kube-router #3792

drobinson123 · 2017-11-08T01:43:18Z

What kops version are you running? use kops version

Version 1.8.0-beta.1 (git-9b71713)

What Kubernetes version are you running?

1.8.2 -- I bumped kubernetesVersion

What cloud provider are you using?

AWS

What commands did you execute and what happened after commands executed?

kops create cluster \
  --zones=${cluster} \
  --name=${cluster}.${domain} \
  --vpc=${vpc} \
  --authorization=RBAC \
  --dns private \
  --node-size=m4.xlarge \
  --master-size=m3.medium \
  --node-count=${node_count} \
  --master-zones=${cluster} \
  --target=terraform \
  --topology private \
  --networking kube-router \
  --ssh-public-key ~/.ssh/kube_aws_rsa.pub

kops edit cluster --name=${CLUSTER_NAME}
# changed
kubernetesVersion: 1.8.2

kops edit instancegroup...
# changed tme image for nodes and masters:
image: 595879546273/CoreOS-stable-1520.8.0-hvm

What you expected to happen:

A working cluster.

How can we to reproduce it (as minimally and precisely as possible):
Anything else do we need to know:

The IAM node policy doesn't grant access to the kube-router path in S3 (eg s3://mycluster.example.com-state-store/mycluster.example.com/pki/private/kube-router/blah.key). S3 returns a 403. Node logs show nodeup failing w/ access denied.

I was able to work around the problem by manually editing the IAM policy (adding "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/pki/private/kube-router/*")

        {
            "Sid": "kopsK8sS3NodeBucketSelectiveGet",
            "Effect": "Allow",
            "Action": [
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/addons/*",
                "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/cluster.spec",
                "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/config",
                "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/instancegroup/*",
                "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/pki/issued/*",
                "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/pki/private/kube-proxy/*",
                "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/pki/private/kube-router/*",
                "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/pki/private/kubelet/*",
                "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/pki/ssh/*",
                "arn:aws:s3:::us-west-2a.token.io-state-store/us-west-2a.token.io/secrets/dockerconfig"
            ]
        },

The commit that tightened access is here.

The text was updated successfully, but these errors were encountered:

chrislovecnm · 2017-11-08T01:51:20Z

You can add a policy as well to the cluster as a work around.

chrislovecnm · 2017-11-08T01:51:42Z

More details. Kops supports adding another policy to your cluster as well

Automatic merge from submit-queue. Add Node IAM permissions to access kube-router key in S3. Fixes #3792 An additional S3 IAM permission is added to the nodes policy when `Networking.Kuberouter` is specified.

KashifSaadat mentioned this issue Nov 8, 2017

Add Node IAM permissions to access kube-router key in S3. #3795

Merged

k8s-github-robot closed this as completed in #3795 Nov 10, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IAM policy changes required for kube-router #3792

IAM policy changes required for kube-router #3792

drobinson123 commented Nov 8, 2017

chrislovecnm commented Nov 8, 2017

chrislovecnm commented Nov 8, 2017

IAM policy changes required for kube-router #3792

IAM policy changes required for kube-router #3792

Comments

drobinson123 commented Nov 8, 2017

chrislovecnm commented Nov 8, 2017

chrislovecnm commented Nov 8, 2017