Only apply external policies when these are defined #9867
Conversation
Welcome @kesor!
Hi @kesor. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
The usual process is to PR into master branch, then cherry-pick into a release branch. Please send a PR into master branch instead.
@johngmyers I don't think this PR is correct, or in any case it has nothing to do with the original issue. PS: sorry for breaking the tests, but it should be easy to fix.
rebased on master
Which "original issue"? The one I describe in the PR description?
Which initial issue?
/retest
This is unrelated. The bug in #9852 talks about the issue of shared This issue is talking about, if and when
/remove-label do-not-merge/contains-merge-commits
@kesor: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
In general it would be helpful if you would first open an issue with an easy way to reproduce.
For this case, the proposed change indeed skips the AddTask for externalPolicies, which seems reasonable at first sight. Except that the pattern used by kops for tasks is to reuse them for deleting and updating the resources, and skipping the task will make it impossible to disable the external policies once they are applied.
IMHO the correct solution would be to check if the IAM profile is not shared (meaning it is overridden in the IG spec) and add the task only for the kops managed profile.
One more thing, would you mind adding the same condition for the next code block? I think there is a similar issue there. Lines 265 to 267 in 036ea69
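The reviewer's objection rests on how kops tasks work: one task both applies and removes a resource, so never registering it means a previously applied policy attachment is never cleaned up. The following Go program is an added illustration of that reconciliation pattern, not kops code; every type, function and profile name in it (InstanceGroup, PolicyTask, reconcile, the "Role.cluster" naming, the ARNs) is a constructed stand-in. It contrasts the "skip the task when externalPolicies is undefined" approach with the suggested "always add the task for the kops-managed profile, never for an IG-supplied shared profile" approach, on a scenario where externalPolicies were applied on an earlier run and have since been removed from the cluster spec.

```go
package main

import (
	"fmt"
	"sort"
)

// InstanceGroup is a hypothetical IG spec: its role and, when spec.iam.profile
// is set, the pre-existing (shared) instance profile it uses instead of the
// kops-managed one.
type InstanceGroup struct {
	Name            string
	Role            string // e.g. "Node" or "Master"
	ExternalProfile string // non-empty means the IG overrides spec.iam.profile
}

// ClusterSpec carries only the cluster-wide externalPolicies map keyed by
// role; a missing or empty entry means the feature is not requested.
type ClusterSpec struct {
	Name             string
	ExternalPolicies map[string][]string
}

// Attachments records which policy ARNs are attached to each instance
// profile, standing in for what the cloud API would report.
type Attachments map[string]map[string]bool

// PolicyTask is the desired policy set for one profile. Because the same task
// attaches and detaches, an empty Desired list means "detach everything".
type PolicyTask struct {
	Profile string
	Desired []string
}

// managedProfile is a constructed naming scheme for the kops-managed profile.
func managedProfile(cluster ClusterSpec, role string) string {
	return role + "." + cluster.Name
}

// tasksSkipWhenUndefined models the change under review: no task is added
// unless externalPolicies is defined for the IG's role.
func tasksSkipWhenUndefined(cluster ClusterSpec, igs []InstanceGroup) []PolicyTask {
	var tasks []PolicyTask
	seen := map[string]bool{}
	for _, ig := range igs {
		policies := cluster.ExternalPolicies[ig.Role]
		if len(policies) == 0 {
			continue // task skipped: nothing will ever remove old attachments
		}
		p := managedProfile(cluster, ig.Role)
		if !seen[p] {
			seen[p] = true
			tasks = append(tasks, PolicyTask{Profile: p, Desired: policies})
		}
	}
	return tasks
}

// tasksManagedOnly models the reviewer's suggestion: skip only IGs that bring
// their own shared profile, and always add the task for the managed profile so
// the desired set is enforced even when it is empty.
func tasksManagedOnly(cluster ClusterSpec, igs []InstanceGroup) []PolicyTask {
	var tasks []PolicyTask
	seen := map[string]bool{}
	for _, ig := range igs {
		if ig.ExternalProfile != "" {
			continue // shared profile: its policies are managed externally
		}
		p := managedProfile(cluster, ig.Role)
		if seen[p] {
			continue
		}
		seen[p] = true
		tasks = append(tasks, PolicyTask{Profile: p, Desired: cluster.ExternalPolicies[ig.Role]})
	}
	return tasks
}

// reconcile applies each task: attach missing policies, detach undesired ones.
// Profiles that have no task are left exactly as they were.
func reconcile(state Attachments, tasks []PolicyTask) Attachments {
	out := Attachments{}
	for p, set := range state {
		out[p] = map[string]bool{}
		for arn := range set {
			out[p][arn] = true
		}
	}
	for _, t := range tasks {
		if out[t.Profile] == nil {
			out[t.Profile] = map[string]bool{}
		}
		want := map[string]bool{}
		for _, arn := range t.Desired {
			want[arn] = true
		}
		for arn := range out[t.Profile] {
			if !want[arn] {
				delete(out[t.Profile], arn)
			}
		}
		for arn := range want {
			out[t.Profile][arn] = true
		}
	}
	return out
}

// attached returns the sorted policy ARNs on a profile.
func attached(state Attachments, profile string) []string {
	var arns []string
	for arn := range state[profile] {
		arns = append(arns, arn)
	}
	sort.Strings(arns)
	return arns
}

// scenario builds constructed sample state: a policy applied on a previous run
// is still attached, externalPolicies has since been removed from the spec,
// and one IG uses its own shared profile via spec.iam.profile.
func scenario() (Attachments, ClusterSpec, []InstanceGroup) {
	const old = "arn:aws:iam::123456789012:policy/old-extra" // constructed ARN
	state := Attachments{
		"Node.example.k8s.local": {old: true},
		"shared-app-profile":     {"arn:aws:iam::123456789012:policy/app": true},
	}
	cluster := ClusterSpec{Name: "example.k8s.local"}
	igs := []InstanceGroup{
		{Name: "nodes", Role: "Node"},
		{Name: "app", Role: "Node", ExternalProfile: "shared-app-profile"},
	}
	return state, cluster, igs
}

func main() {
	state, cluster, igs := scenario()
	skip := reconcile(state, tasksSkipWhenUndefined(cluster, igs))
	fmt.Println("skip-when-undefined, managed profile:", attached(skip, "Node.example.k8s.local"))
	managed := reconcile(state, tasksManagedOnly(cluster, igs))
	fmt.Println("managed-only, managed profile:", attached(managed, "Node.example.k8s.local"))
	fmt.Println("managed-only, shared profile:", attached(managed, "shared-app-profile"))
}
```

With the skip approach the stale policy stays on the managed profile after it was removed from the spec, which is the "impossible to disable" problem; with the managed-only approach it is detached, while the shared profile from spec.iam.profile is never touched.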
@hakman We are using
From my point of view, additional policies should not be combined with existing IAM profiles. Could you maybe explain what would be the use case for it?
Maybe it shouldn't ... but it does, and that means that closing it off behind a condition will break things. The idea is that even though the IAM profile was created before the IG, it doesn't mean that the person managing the cluster should lose the ability to affect ALL IAM ROLES OF ALL IGs from one central location - which is the cluster In any case, it's another issue and doesn't really have to do with
I understand your point of view, but the external/shared policies should only be modified externally.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman, kesor The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
We experience fatal errors with this new feature (that we are not using) because some of the instance groups in our clusters include spec.iam.profile while others use the managed nodes role/profile. The ExternalPolicies feature is broken, and this makes it go away when not specifically asked for in the cluster configuration. At the moment, without this patch, the kops update cluster operation results in -
With this patch, everything works correctly without fatal errors.