-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow the strict IAM policies to be optional #3210
Allow the strict IAM policies to be optional #3210
Conversation
Hi @KashifSaadat. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/assign @justinsb |
We may yet need this, but I think that pushing a new nodeup (1.7.1.-beta.1) will unbreak master. We should also get brew not building from HEAD :-) |
72532f3
to
a761fa9
Compare
This looks great - I think this is absolutely the right approach. One suggestion, to try to really encourage people to use strict mode. Should it look like this:
And deleting But I think The problem though is that because the field's default value will be false, that isn't what we want for existing clusters - and the answer is defaults in apimachinery, i.e. something like this: https://github.com/kubernetes/kops/pull/3190/files#diff-2809c5296bfde5846dec21103f658f3f (you'll need to do that for both v1alpha1 and v1alpha2, but not internal, because the defaults are applied as part of unmarshalling) Then I also think What do you think @KashifSaadat ? |
/ok-to-test |
4c58c2c
to
f965ebc
Compare
Hey @justinsb. Thanks for the feedback, all sounds sensible and I agree with the changes. :) I've had a go at this:
Manual tests:
It looks like those settings are being pulled from defaults correctly, but not sure why it's complaining. Are all users now required to manually include those settings within their spec, or am I missing something to silently include within the spec file? |
Correction: This is working as expected, my manual test was wrong :) I created a cluster from master, ran edit from my branch and it automatically includes the following within the spec file:
So this PR shouldn't force IAM changes to existing clusters. |
f965ebc
to
0e5c393
Compare
@justinsb by any chance are you able to spot any obvious errors in the work I've done, which may cause the e2e tests to fail? I've tested the cluster creation and operation locally (both with the legacy flag as true and false) and it seems to operate fine. I've gone through the logs for the api server and the other services on the master node, can't see any specific correlation between the logs at the timestamp of the errors occurring. The only major change in this PR is the inclusion of the API flag. The stricter S3 IAM policies have already been deployed, so I don't believe it's related to that. Any pointers would be appreciated! |
e2e tests are a flake I believe @KashifSaadat - I've seen them on docs PRs. There was a suspicious related PR that went in to k8s earlier today, so I suspect that's it, but I haven't yet had time to dig in. I will do it if it continues though! /retest |
/lgtm |
} | ||
|
||
type Assets struct { | ||
ContainerRegistry *string `json:"containerRegistry,omitempty"` | ||
FileRepository *string `json:"fileRepository,omitempty"` | ||
} | ||
|
||
// IAMSpec adds control over the IAM security policies applied to resources | ||
type IAMSpec struct { | ||
Legacy bool `json:"legacy"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My preference is to include omitempty
here (false
is considered empty), but we can add that later - that's not breaking (I believe)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I specified omitempty
initially to have consistency with the other API fields. I was unsure if it may cause some problems with having the cluster creation default to a legacy value of false (not present in spec), and then the apimachinery defaults check for a nil value and set legacy to true. I should have done more validation before pushing up! :D
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: KashifSaadat, justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
Flakiness is being tracked in upstream issue: kubernetes/kubernetes#51128, hopefully fixed by kubernetes/kubernetes#51144 |
/retest |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue |
Great, thanks guys! |
The stricter IAM policies could potentially cause regression for some edge-cases, or may rely on nodeup image changes that haven't yet been deployed / tagged officially (currently the case on master branch since PR #3158 was merged in).
This PR just wraps the new IAM policy rules around a cluster spec flag,
EnableStrictIAM
, so will default to the original behaviour (where the S3 policies were completely open). Could also be used to wrap PR #3186 if it progresses any further.