Dedicated function for ccm permissions #11991
/cc @rifelpet
A few comments, otherwise looks good to me, though it does seem to increase the policy document size substantially, so I worry users will hit size limits more frequently with additionalPolicies.
pkg/model/iam/iam_builder.go
Outdated
p.unconditionalAction.Insert( | ||
"autoscaling:DescribeAutoScalingGroups", | ||
"autoscaling:DescribeLaunchConfigurations", |
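Review bot: In the `p.unconditionalAction.Insert(` call, `autoscaling:DescribeLaunchConfigurations` is added to the unconditional set with no comment naming the component that calls it. Either drop the action if nothing in the cloud controller manager path uses it, or add a one-line comment recording the caller, so the list of unconditional actions stays auditable.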
I wonder if we still need this.
I don't think so. I couldn't see CCM use this. It is mentioned here, but this is probably dated https://cloud-provider-aws.sigs.k8s.io/prerequisites.html
Looking at the strict json golden output, it will increase the size from roughly 5k to 6k. So substantially, but still a way to go before the limit is hit. The added bytes come from improving the cluster isolation, which I think is worth it.
Update pkg/model/iam/iam_builder.go Co-authored-by: Peter Rifel <rifelpet@users.noreply.github.com>
/test pull-kops-e2e-cni-amazonvpc
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rifelpet

The full list of commands accepted by this bot can be found here. The pull request process is described here
The refactoring work from #11818