Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fill Role names in kops-controller-config instead of instance profile names when it is specified #10728

Merged
merged 1 commit into from
Feb 11, 2021
Merged

Fill Role names in kops-controller-config instead of instance profile names when it is specified #10728

merged 1 commit into from
Feb 11, 2021

Conversation

h3poteto
Copy link
Contributor

@h3poteto h3poteto commented Feb 4, 2021
edited
Loading

refs: #10719

The role names are checked in node bootstrap. If profile names are provided, bootstrap will fail. Because profile name and role name do not always mactch in AWS IAM. So I fixed nodesRoles in kops-controller-config to store IAM Role names associated with specified IAM Instance Profile.

I think that this should be cherry-picked to 1.19.

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 4, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @h3poteto. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 4, 2021
@k8s-ci-robot k8s-ci-robot added the area/provider/aws Issues or PRs related to aws provider label Feb 4, 2021
@h3poteto h3poteto marked this pull request as ready for review February 4, 2021 16:26
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 4, 2021
@olemarkus
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 4, 2021
@rifelpet
Copy link
Member

rifelpet commented Feb 4, 2021

/cc @johngmyers if you have time to review this.

I'm debating the pros and cons of having kops-controller fetch the list of roles for each instance profile at startup time vs having the kops CLI get that list and populate the configmap with the list of roles.

I'll admit I don't fully understand how having multiple roles associated with an instance profile and having that instance profile attached to an instance affects credentials provided via instance metadata, specifically when nodeup creates an sts.GetCallerIdentity request. How is the role chosen between all of the roles associated with the instance's instance profile?

@h3poteto
Copy link
Contributor Author

h3poteto commented Feb 5, 2021

I'm debating the pros and cons of having kops-controller fetch the list of roles for each instance profile at startup time vs having the kops CLI get that list and populate the configmap with the list of roles.

First I considered it, that is the kops CLI gets IAM Roles and fill it in kops-controller-config. But it is difficult because kops-controller-config is generated in template functions:

kops/upup/pkg/fi/cloudup/template_functions.go

Line 454 in 0271f0e

NodesRoles: nodesRoles.List(),

So it is difficult to call AWS API in this function.

How is the role chosen between all of the roles associated with the instance's instance profile?

OK, I'll check it.

@johngmyers
Copy link
Member

johngmyers commented Feb 5, 2021
edited
Loading

Per AWS documentation, an instance profile can contain at most one IAM role. (I admit to being baffled as to why instance profiles exist, as opposed to assigning roles directly.)

The role in an instance profile can change, but I don't think kops needs to support noticing this change without an apply_cluster. I would prefer early binding of the permitted role, during apply_cluster. I would accept binding upon kops-controller startup, but think doing an API query on every token verify like the code appears to do is questionable.

I think we need to add a field of type fi.Cloud to TemplateFunctions. Then it would be possible to call the AWS IAM API from within KopsControllerConfig.

@h3poteto
Copy link
Contributor Author

h3poteto commented Feb 5, 2021

Indeed, if TemplateFunctions has fi.Cloud, it is possible.

Which do you think is better, to get IAM Roles in kops-controller or to get IAM Roles in template functions and write it in configmap?

@h3poteto
Copy link
Contributor Author

h3poteto commented Feb 5, 2021

Per AWS documentation, an instance profile can contain at most one IAM role.

Thank you.
I also tried, but can't assign multiple role to a instance profile.

@rifelpet
Copy link
Member

rifelpet commented Feb 5, 2021

My mistake, I was remembering incorrectly and was thrown off by the Roles field here being a list. I agree in preferring the lookup happen in TemplateFunctions and providing the role list in the config file. We will need to provide a fi.Cloud to template functions. TemplateFunctions is setup in apply_cluster.go which already has a fi.Cloud so it should be straight forward to pass in.

@h3poteto
Copy link
Contributor Author

h3poteto commented Feb 5, 2021

I see. I will rewrite this changes.

@k8s-ci-robot k8s-ci-robot added area/provider/alicloud Issues or PRs related to alicloud provider area/provider/azure Issues or PRs related to azure provider area/provider/digitalocean Issues or PRs related to digitalocean provider area/provider/openstack Issues or PRs related to openstack provider size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 5, 2021
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 6, 2021
@h3poteto h3poteto force-pushed the iss-10719 branch 3 times, most recently from 684cfc7 to 8c5dc5f Compare February 6, 2021 07:02
@h3poteto h3poteto changed the title Compare node roles and identity instead of InstanceProfile in aws verifier Fill Role names in kops-controller-config instead of instance profile names when it is specified Feb 6, 2021
@h3poteto
Copy link
Contributor Author

h3poteto commented Feb 6, 2021

/retest

@h3poteto
Copy link
Contributor Author

h3poteto commented Feb 6, 2021

@rifelpet I rewrote this pull request, please review this again.

rifelpet
rifelpet reviewed Feb 11, 2021
View reviewed changes
upup/pkg/fi/cloudup/awsup/aws_cloud.go Outdated Show resolved Hide resolved
upup/pkg/fi/cloudup/template_functions.go Outdated Show resolved Hide resolved
upup/pkg/fi/cloudup/template_functions.go Outdated Show resolved Hide resolved
upup/pkg/fi/cloudup/template_functions.go Outdated Show resolved Hide resolved
@h3poteto
Fill Role names in kops-controller-config instead of instance profile…
36acadc 
… names when it is specified

The role names are checked in node bootstrap.
If profile names are provided, bootstrap will fail.
Because profile name and role name do not always mactch in AWS IAM
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 11, 2021
@h3poteto
Copy link
Contributor Author

/retest

@rifelpet
Copy link
Member

This looks good, thanks!

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 11, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: h3poteto, rifelpet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 11, 2021
@h3poteto
Copy link
Contributor Author

/retest

@k8s-ci-robot k8s-ci-robot merged commit c7f312c into kubernetes:master Feb 11, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.20 milestone Feb 11, 2021
This was referenced Feb 11, 2021
Merged
Merged
k8s-ci-robot added a commit that referenced this pull request Feb 11, 2021
@k8s-ci-robot
Merge pull request #10794 from rifelpet/automated-cherry-pick-of-#107…
86bea66 
…28-origin-release-1.20

Automated cherry pick of #10728: Fill Role names in kops-controller-config instead of instance
k8s-ci-robot added a commit that referenced this pull request Feb 11, 2021
@k8s-ci-robot
Merge pull request #10795 from rifelpet/automated-cherry-pick-of-#107…
418b1d0 
…28-origin-release-1.19

Automated cherry pick of #10728: Fill Role names in kops-controller-config instead of instance
@h3poteto h3poteto mentioned this pull request Mar 20, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rifelpet rifelpet rifelpet left review comments

@hakman hakman Awaiting requested review from hakman

@zetaab zetaab Awaiting requested review from zetaab

Assignees

@rifelpet rifelpet

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/provider/alicloud Issues or PRs related to alicloud provider area/provider/aws Issues or PRs related to aws provider area/provider/azure Issues or PRs related to azure provider area/provider/digitalocean Issues or PRs related to digitalocean provider area/provider/openstack Issues or PRs related to openstack provider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.20
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@h3poteto @k8s-ci-robot @olemarkus @rifelpet @johngmyers