Update the cross-account example with working policy #9019
Conversation
/lgtm |
/retest |
Co-Authored-By: Peter Rifel <rifelpet@users.noreply.github.com>
Kops will then use that bucket as if it was in the remote account, including creating appropriate IAM policies that limit what nodes are allowed to do.
Note that any user/role with full S3 access will be able to delete any cluster from the state store, but cannot delete any instances or other resources outside of S3.
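Review bot: the statement that kops creates "appropriate IAM policies" for nodes is too vague for a docs section readers use to judge the trust boundary; name what those node policies actually restrict (for example, which state-store prefixes a node may read or write) so the cross-account setup can be reviewed against it. The second sentence is a useful caveat; it would be stronger if it also pointed out that "full S3 access" includes any principal in the bucket's own account with s3:* on that bucket, not only the remote account's users.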
We are using a policy like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<state bucket>",
      "Condition": {
        "StringEquals": {
          "s3:delimiter": "/",
          "s3:prefix": ""
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<state bucket>",
      "Condition": {
        "StringLike": {
          "s3:prefix": "${aws:username}/*"
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::<state bucket>/${aws:username}/*"
    }
  ]
}
```
So what we do:
- create a new IAM group and attach that policy to it (this needs to be done only once)
- when we need a new cluster:
  - create a new IAM user whose name matches the cluster name, for example `mycluster.k8s.local`
  - attach the IAM group to the user
  - use the IAM user credentials to authenticate against the S3 bucket (the env vars `S3_ACCESS_KEY_ID` and `S3_SECRET_ACCESS_KEY` need to be defined)

After that each cluster has access only to its own state store folder. It also makes it possible to have a "root" account which has access to all clusters if needed for ops purposes, but note that all modifying kops commands should be executed using those IAM user credentials.
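As an added example (not part of this PR and not kops code), the following Python script models the three statements of the policy posted above and checks that a per-cluster IAM user really is confined to its own prefix. The bucket name and the two cluster names are constructed placeholders, and the evaluator is a deliberately simplified model of IAM: implicit deny, Allow-only, `${aws:username}` as the only policy variable, and a condition key that is absent from the request context makes `StringEquals`/`StringLike` fail, which is how IAM treats a missing key.

```python
"""Simplified IAM evaluator for the per-cluster state-store policy (assumption:
implicit deny, Allow statements only, no Deny/NotAction/NotResource, and only
the ${aws:username} variable; a condition key missing from the request context
makes StringEquals/StringLike fail, as in IAM)."""
import json
from fnmatch import fnmatchcase

BUCKET = "example-kops-state-bucket"  # constructed placeholder, not a real bucket

# The three statements from the comment above, with <state bucket> filled in.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowRootAndHomeListingOfCompanyBucket", "Effect": "Allow",
   "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::<state bucket>",
   "Condition": {"StringEquals": {"s3:delimiter": "/", "s3:prefix": ""}}},
  {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
   "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::<state bucket>",
   "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"}}},
  {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
   "Action": "s3:*", "Resource": "arn:aws:s3:::<state bucket>/${aws:username}/*"}
]}
""".replace("<state bucket>", BUCKET))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(value, username):
    """Substitute the only policy variable this model supports."""
    return value.replace("${aws:username}", username)


def _conditions_hold(conditions, context, username):
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:  # key absent from request context => condition fails
                return False
            patterns = [_expand(v, username) for v in _as_list(expected)]
            if operator == "StringEquals":
                if actual not in patterns:
                    return False
            elif operator == "StringLike":
                if not any(fnmatchcase(actual, p) for p in patterns):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy, username, action, resource, context=None):
    """True if some Allow statement matches action, resource and conditions."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, _expand(r, username))
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context, username):
            continue
        return True
    return False  # implicit deny


def isolation_report(username="mycluster.k8s.local", other="othercluster.k8s.local"):
    """Check that the per-cluster user is confined to its own prefix."""
    bucket = f"arn:aws:s3:::{BUCKET}"
    lst = "s3:ListBucket"
    return {
        # top-level listing needs both keys the first statement requires
        "list_root": is_allowed(POLICY, username, lst, bucket,
                                {"s3:prefix": "", "s3:delimiter": "/"}),
        "list_root_no_delimiter": is_allowed(POLICY, username, lst, bucket,
                                             {"s3:prefix": ""}),
        "list_own_prefix": is_allowed(POLICY, username, lst, bucket,
                                      {"s3:prefix": f"{username}/"}),
        "list_other_prefix": is_allowed(POLICY, username, lst, bucket,
                                        {"s3:prefix": f"{other}/"}),
        "read_own_object": is_allowed(POLICY, username, "s3:GetObject",
                                      f"{bucket}/{username}/config"),
        "delete_other_object": is_allowed(POLICY, username, "s3:DeleteObject",
                                          f"{bucket}/{other}/config"),
        "delete_bucket": is_allowed(POLICY, username, "s3:DeleteBucket", bucket),
    }


if __name__ == "__main__":
    for check, allowed in isolation_report().items():
        print(f"{check:24s} {'ALLOW' if allowed else 'DENY'}")
```

The `list_root_no_delimiter` case is the one worth noticing: the first statement only allows a top-level listing when the request carries both `s3:prefix=""` and `s3:delimiter="/"`, so a client that lists the bucket without a delimiter is denied even though it is not touching another cluster's prefix. That is the intended behaviour of the posted policy, but it is a common source of confusing "AccessDenied" reports when the tooling does not send the delimiter.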
This is in addition to the content in the PR, right? So the group is done once per account, and the IAM user is once per cluster? You share this user among everyone that can operate that particular cluster?
Co-Authored-By: John Gardiner Myers <jgmyers@proofpoint.com>
/lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: olemarkus, rifelpet The full list of commands accepted by this bot can be found here. The pull request process is described here
/retest |
No description provided.