-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add IAM Permissions so nodes can access AWS ECR #3690
Conversation
/assign @chrislovecnm Fixes #3665. This permission set was previously available with the legacy IAM permissions but mistakenly missed when I refactored the IAM Builder code. The access list is Get/List privileges so should be fairly harmless and ok to grant to all nodes. Edit: Rather than blindly adding ECR permissions in the policies, we could make this optional and include |
I've made this optional in 954fae1. |
/test pull-kops-e2e-kubernetes-aws |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question about name
pkg/apis/kops/cluster.go
Outdated
@@ -180,7 +180,8 @@ type Assets struct { | |||
|
|||
// IAMSpec adds control over the IAM security policies applied to resources | |||
type IAMSpec struct { | |||
Legacy bool `json:"legacy"` | |||
Legacy bool `json:"legacy"` | |||
AllowECR bool `json:"allowECR,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about allowContainerRegistry? Someone more cloud generic?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure sounds good, I've just updated this.
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chrislovecnm The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue. |
Make the ECR IAM Permissions optional in strict mode, via use of the following IAMSpec: