Allow master to touch volumes tagged with kubernetes.io/cluster/<clusterName>:owned #11729
Conversation
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: johngmyers. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
"ec2:CreateRoute", // aws.go
"ec2:DeleteRoute", // aws.go
These aren't related to volumes and the EBS CSI driver so I'm curious why they're being included here.
Looks like a mistake to me. But I am planning on moving the EBS specific stuff into a dedicated function to support IRSA. Can remove it as part of that PR.
Yes, I just copied the existing KubernetesCluster policy without questioning it.
I believe we add legacy tags to volumes provisioned by the CSI driver as well.
We should be moving away from depending on the legacy tags. In a release we should probably drop the old policy statement.
@olemarkus, the CSI driver needs this patch to add legacy tags: kubernetes-sigs/aws-ebs-csi-driver#932. The CSI driver installed by kops will need to have the --k8s-tag-cluster-id argument set on it if not already; I'll check.
This fixes a specific situation where CSIMigrationAWS gets enabled then disabled; step-by-step details are below.

Basically, kops KCM in-tree EBS plugin and CSI EBS plugin need to agree on what tags to add to provisioned volumes and what IAM policies to ship with, such that those provisioned volumes can be managed by either KCM or CSI. Otherwise, when migration gets toggled, KCM/CSI won't be allowed to Attach/Delete volumes that were provisioned by CSI/KCM before the toggle. For more details, see: kubernetes-sigs/aws-ebs-csi-driver#927 (comment)

We pass it in through the k8s-tag-cluster-id flag. This tells it to create volumes with the kubernetes.io/cluster/<clusterName>:owned tag, to partially mimic KCM volume creation behavior. Partially because KCM creates volumes with the legacy KubernetesCluster: <clusterName> tag too.

So to fix step 6, this PR grants the master instance on which KCM is running permission to touch volumes tagged with kubernetes.io/cluster/<clusterName>:owned in addition to the legacy KubernetesCluster: <clusterName> tag.
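To make the step-6 failure concrete, here is an added illustration (not kops code and not the PR's diff) of the two IAM statements the control plane needs, one per tag scheme, plus a deliberately simplified evaluator that mimics only the StringEquals/ec2:ResourceTag subset of IAM policy evaluation. The action list, the cluster name and the volume tag sets are constructed assumptions.

```python
import json

# Constructed example: statements so the control plane can manage volumes tagged by
# either the in-tree KCM plugin (legacy KubernetesCluster=<clusterName>) or the EBS
# CSI driver started with --k8s-tag-cluster-id (kubernetes.io/cluster/<clusterName>=owned).
VOLUME_ACTIONS = ["ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume"]  # assumed set

def legacy_statement(cluster):
    return {
        "Effect": "Allow",
        "Action": VOLUME_ACTIONS,
        "Resource": "*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/KubernetesCluster": cluster}},
    }

def owned_statement(cluster):
    # A separate statement is required: condition keys inside one statement are ANDed,
    # so the two tag schemes cannot be ORed within a single Condition block.
    return {
        "Effect": "Allow",
        "Action": VOLUME_ACTIONS,
        "Resource": "*",
        "Condition": {"StringEquals": {f"ec2:ResourceTag/kubernetes.io/cluster/{cluster}": "owned"}},
    }

def allowed(statements, action, volume_tags):
    """Simplified evaluator: allow if any Allow statement lists the action and every
    ec2:ResourceTag/* StringEquals condition matches the volume's tags.
    Real IAM evaluation has many more rules (Deny, resource ARNs, other operators)."""
    prefix = "ec2:ResourceTag/"
    for st in statements:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        conds = st.get("Condition", {}).get("StringEquals", {})
        if all(volume_tags.get(k[len(prefix):]) == v for k, v in conds.items()):
            return True
    return False

CLUSTER = "example.k8s.local"  # constructed cluster name
# KCM tags both; the CSI driver (with --k8s-tag-cluster-id) tags only the owned key.
KCM_VOLUME = {"KubernetesCluster": CLUSTER, f"kubernetes.io/cluster/{CLUSTER}": "owned"}
CSI_VOLUME = {f"kubernetes.io/cluster/{CLUSTER}": "owned"}

if __name__ == "__main__":
    legacy_only = [legacy_statement(CLUSTER)]
    both = [legacy_statement(CLUSTER), owned_statement(CLUSTER)]
    print(json.dumps({"Version": "2012-10-17", "Statement": both}, indent=2))
    print(allowed(legacy_only, "ec2:AttachVolume", CSI_VOLUME))  # False: the step-6 failure
    print(allowed(both, "ec2:AttachVolume", CSI_VOLUME))         # True: with this PR's grant
```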