Add External Policies (AWS managed policy attachments) #7837
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
|
Welcome @mattouille! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @mattouille. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/L
|
I signed it |
k8s-ci-robot
added
cncf-cla: yes
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
I'm having a hard time figuring out how a call to AWS is resulting in a nil pointer dereference: response, err := cloud.IAM().ListAttachedRolePolicies(request)
if awsErr, ok := err.(awserr.Error); ok {
if awsErr.Code() == "NoSuchEntity" {
return nil, nil
}
return nil, fmt.Errorf("error getting policies for role: %v", err)
}Any help would be appreciated! |
|
I did get my above question figured out. I didn't realize it was throwing a nil pointer dereference because of a missing mock method. That's all fixed now. |
|
/test pull-kops-e2e-kubernetes-aws |
|
As mentioned on the call, this is the integration test that you could update to test this functionality: https://github.com/kubernetes/kops/tree/master/tests/integration/update_cluster/complex Add uses of the new field to the in-*.yaml files and the new tf resources to the .tf file. I also noticed that RenderCloudFormation wasnt updated, if its simple enough we should add cloudformation support for this feature but if not we should at least document that its not supported in cloudformation. |
|
/test pull-kops-verify-staticcheck |
I will start working on those tests. Unfortunately I couldn't come up with a good way to do this in CloudFormation -- someone else might have a better idea of how to do it. I'll make it clear in the docs that this feature is not supported by CloudFormation. |
|
Yeah I think cloudformation support might be a bit more involved. With terraform its just a different resource type ( kops/upup/pkg/fi/cloudup/awstasks/iamrole.go Lines 220 to 223 in 8436a3e but I'm not a big fan of having logic split over different tasks depending on the target :( one short term option in addition to documenting the limitation would be to return an error in RenderCloudFormation if someone is trying to use managed policies with target = cloudformation |
|
@rifelpet I think I may be doing something wrong and require a nudge in the right direction. I'm getting this error: Originally I thought this was because I made some HCLv2 references, but even since changing them back the error has been consistent. The "role" token it's referring to is required under |
|
I wonder if this could be a formatting issue @mattouille, see terraform-aws-modules/terraform-aws-vpc#267 I don't see in my looking but figured I'd post here too. |
docs/iam_roles.md
Outdated
| - aws:arn:iam:123456789000:policy:test-policy | ||
| ``` | ||
|
|
||
| Managed Policy attachments are treated declaritively. Any policies declared will be attached to the role, any policies not specified will be detached _after_ new policies are attached. |
There was a problem hiding this comment.
I'm a little confused as to whether this replaces the built-in kops policies; I think the answer is "no", but I think a sentence that explicitly spells this out would be great.
| cloud := c.Cloud.(awsup.AWSCloud) | ||
|
|
||
| // Handle policy overrides | ||
| if e.PolicyOverrides != nil { |
There was a problem hiding this comment.
Maybe this should be a separate task (e.g. IAMRolePolicyAttachements) - or we should raise an error if we specify PolicyOverrides and PolicyDocument on the same task.
Creating a new task is a trickier thing normally, so I'm happy to do that separately...
There was a problem hiding this comment.
I actually did try! I couldn't quite get it figured out.
| return nil, fmt.Errorf("error getting policies for role: %v", err) | ||
| } | ||
|
|
||
| policies := make([]string, 0) |
There was a problem hiding this comment.
Nit: Normally it's fine just to do var policies []string - unless you're making a distinction between the empty list and nil (which is typically a bad idea, though I'm sure I've done it!)
| @@ -121,6 +158,51 @@ func (_ *IAMRolePolicy) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAMRoleP | |||
| return fmt.Errorf("error rendering PolicyDocument: %v", err) | |||
| } | |||
|
|
|||
| // Handles the full lifecycle of Policy Overrides | |||
| if e.Managed { | |||
There was a problem hiding this comment.
I guess Managed is more "ManageAttachments"?
There was a problem hiding this comment.
I was using this so I didn't have to check if the slice was nil and then check it's length. It just looked cleaner.
|
Some nits / thoughts - mostly about naming & structure. Figuring out the API field names are blockers because we can't change them, the task structure is internal so we can iterate on those and thus they aren't blockers. So two blocking questions:
On the error, I ran Note the empty By changing these to It might be cleaner to have a separate The tests almost passed because I guess that complex uses CloudFormation, and then I hit: Two options there - we can split complex into |
|
Oh - we already have the same problem in the load balancer task, so I just copied the hack-around: https://github.com/justinsb/kops/pull/new/tests_for_7837 (In particular e90b40d ) |
|
On the second "blocker" - I've changed my mind - I don't think we should define this per IG, because we'd then also need to split the profile name per IG, and we do have the ability to override the profile already, and the interactions would get complicated. So what you've got here is great, and we should just make sure we're happy with the name of the field in the API! |
|
Alright, so I've got some updates. Naming |
k8s-ci-robot
added
size/XXL
matt0x6F
force-pushed
the
policy-overrides
branch
from
09dea2e
to
90289a4
Compare
k8s-ci-robot
added
the
needs-rebase
matt0x6F
force-pushed
the
policy-overrides
branch
from
90289a4
to
28a9c55
Compare
k8s-ci-robot
removed
the
needs-rebase
tests/integration/update_cluster/externalpolicies/in-legacy-v1alpha2.yaml
Outdated
Show resolved
Hide resolved
matt0x6F
changed the title
|
/retest |
1 similar comment
|
/retest |
| master: | ||
| - aws:arn:iam:123456789000:policy:test-policy | ||
| bastion: | ||
| - aws:arn:iam:123456789000:policy:test-policy |
There was a problem hiding this comment.
I dont see this policy arn referenced in the terraform output at all.
I'd expect to see something like:
resource "aws_iam_role_policy_attachment" "node-externalpolicy-test-policy" {
role = "${aws_iam_role.nodes-complex-example-com.name}"
policy_arn = "aws:arn:iam:123456789000:policy:test-policy"
}somewhere in kubernetes.tf below.
There was a problem hiding this comment.
ah, I misunderstood how this worked. I'll fix that.
| Role: e.Role.TerraformLink(), | ||
| PolicyArn: s(policy), | ||
| } | ||
| return t.RenderResource("aws_iam_role_policy_attachment", *e.Name, tf) |
There was a problem hiding this comment.
This might be related to the resource not showing up in kubernetes.tf, but I think we dont want to return here. We want to render both this aws_iam_role_policy_attachment and the aws_iam_role_policy resource below. I think we may also need to make the resource name (currently *e.Name unique so that multiple aws_iam_role_policy_attachment resources dont conflict. Perhaps the name can include a normalized version of the policy arn?
There was a problem hiding this comment.
Let me know if this is working the way it should now. My understanding of how this function was called was wrong.
tests/integration/update_cluster/externalpolicies/kubernetes.tf
Outdated
Show resolved
Hide resolved
|
@mattouille can you squash these commits? I think thats the last blocker to getting this merged (and I remember we have a thread in slack explaining how to do that) |
matt0x6F
force-pushed
the
policy-overrides
branch
from
02708c2
to
157f04c
Compare
Done! Sorry for the delay. |
matt0x6F
force-pushed
the
policy-overrides
branch
from
157f04c
to
f025ff0
Compare
|
Perfect, thanks! |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mattouille, rifelpet The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
This feature was renamed during its [development](kubernetes#7837) and a remnant of that original name was in the docs.
This feature was renamed during its [development](kubernetes#7837) and a remnant of that original name was in the docs.
This feature was renamed during its [development](kubernetes#7837) and a remnant of that original name was in the docs.
This feature allows Managed Policies to be attached to Instance Group Roles. It will manage the full lifecycle of all Managed Policies attached to
master,node, andbastionby first adding new managed policies followed by removing unspecified policies (policies not present in the config) in order to avoid service disruption.