Update the cross-account example with working policy #9019
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/retest |
Co-Authored-By: Peter Rifel <rifelpet@users.noreply.github.com>
k8s-ci-robot
removed
the
lgtm
| ] | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
|
|
||
| Kops will then use that bucket as if it was in the remote account, including creating appropriate IAM policies that limits nodes from doing bad things. | ||
| Note that any user/role with full S3 access will be able to delete any cluster from the state store, but may not delete any instances or other things outside of S3. |
There was a problem hiding this comment.
We are using policy like this
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<state bucket>",
"Condition": {
"StringEquals": {
"s3:delimiter": "/",
"s3:prefix": ""
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<state bucket>",
"Condition": {
"StringLike": {
"s3:prefix": "${aws:username}/*"
}
}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::<state bucket>/${aws:username}/*"
}
]
}
So what we do:
- create new IAM group and attach that policy there (this needs to be done only once)
- When we need new cluster:
- create new IAM user which matches to clustername, example:
mycluster.k8s.local - attach IAM group to user
- use IAM user credentials to authenticate against S3 bucket (env vars
S3_ACCESS_KEY_IDandS3_SECRET_ACCESS_KEYneeds to be defined)
- create new IAM user which matches to clustername, example:
After that each cluster has access to only own state store folder. It makes it possible to also have "root" account which has access to all clusters if needed for ops purposes, but note that all modifying kops commands should be executed using those IAM user credentials.
There was a problem hiding this comment.
This is in addition to the content in the PR, right? So the group is done once per account, and the IAM user is once per cluser? You share this user among everyone that can operate that particular cluster?
Co-Authored-By: John Gardiner Myers <jgmyers@proofpoint.com>
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: olemarkus, rifelpet The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
No description provided.