New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for extensible IAM permissions #1170
Conversation
Hi @yissacharcw. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with If you have questions or suggestions related to this bot's behavior, please file an issue against the kubernetes/test-infra repository. |
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. Once you've signed, please reply here (e.g. "I signed it!") and we'll verify. Thanks.
If you have questions or suggestions related to this bot's behavior, please file an issue against the kubernetes/test-infra repository. |
I signed it! |
Fixes #379 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How does this impact terraform users? Need to do more of a review as well
I am not a IAM expert by any means ... I pinged a couple of outside folks as well. @kris-nova / @justinsb tag. I would like one of our security gurus to take a look as well. |
We are trying to get #1183 in, and it most likely will impact this PR. Appreciate you patience. 1183 is a big change, with huge benefits. |
Can we get a rebase? |
Updating #1206 |
10b91b0
to
10cc292
Compare
@chrislovecnm Rebased and tested - everything is good now. |
We need a rebase |
346e8bd
to
2685d69
Compare
@chrislovecnm Rebased |
I pinged @justinsb about this PR. Would like a review from him. Then we can merge. |
@yissachar my understanding is that you're planning on revisiting this when you have time, to create a second IAM policy without modification, and attach both. Going to mark as WIP so @chrislovecnm stops bugging me about it ;-) |
@justinsb That's correct. Just getting back to work now after the holidays, and catching up on things, but I should have time to work on it this week. I'll post back here once I have something to show. |
2685d69
to
4da8995
Compare
@justinsb @chrislovecnm I've updated the PR with the discussed changes (moving from modifying the existing IAM policy in-place to creating a separate IAM policy that is also mounted to the instances). I've also slightly refactored the cluster spec to have the field be a map instead of hardcoded fields for the masters and nodes. Seeing as we are starting to have more roles than just those two (e.g. bastion), this feels like a more elegant approach. |
78ef172
to
1981f42
Compare
I followed the existing code to delete IAM roles but I believe it's prone to becoming incorrect as more roles are added. Indeed, I see that we've already had an issue where we forgot to update the code to remove the bastion IAM role. I think the code could be updated to iterate through all roles we have and add those to the list of things to be removed. This way, if we add another role in the future, deletion would automatically be handled and we wouldn't have to remember to specifically add it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This LGTM - thanks! |
This is a continuation of #550, now hopefully with CLA issues worked out, and with added tests.
This change is