AMI snapshot should be public #290

Closed
gekart opened this Issue Aug 10, 2017 · 5 comments

Contributor

gekart commented Aug 10, 2017

When using AWS it is possible to launch k8s AMIs, but it is not possible to copy them - instead you get this error message: "You do not have permission to access the storage of this ami".

Although the AMI itself is public, the underlying snapshot is not public, therefore preventing copying, and preventing the ability to copy the snapshot to an encrypted snapshot in order to enable root volume encryption.

Compare to coreos/bugs#1090

Can be made public manually in the AWS console or in ensurePublic with something like:

request := &ec2.ModifySnapshotAttributeInput{
    Attribute: aws.String("createVolumePermission"),
    GroupNames: []*string{
        aws.String("all"),
    },
    OperationType: aws.String("add"),
    SnapshotId:    aws.String(i.snapshotID),
}

result, err := svc.ModifySnapshotAttribute(request)

cordoval commented Aug 10, 2017

bump

what is the purpose of keeping this private?


Contributor

gekart commented Aug 22, 2017

/assign @justinsb

For starters, it would suffice to make the newest snapshots (#291) public manually.

Contributor

gekart commented Sep 19, 2017

For the manual steps: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

Condensed:

  1. Select k8s-1.7-debian-jessie-amd64-hvm-ebs-2017-07-28 AMI in AWS console
  2. In Details under Block Devices snapshot is: snap-0e2f1666553d57bf1
  3. In Snapshots search for snap-0e2f1666553d57bf1 and select it
  4. Actions / Modify Permissions, choose Public, Save
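
Added example, not part of the original thread or the project's code: a Go check for the mismatch this issue describes, a public AMI whose backing snapshot lacks the `all` group in `createVolumePermission`, run over AWS CLI JSON output. The sample JSON is constructed, `ami-EXAMPLE` is a placeholder, and `uncopyable` is a hypothetical helper name.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// image holds the fields needed from one `aws ec2 describe-images` entry.
type image struct {
	Public              bool
	BlockDeviceMappings []struct {
		Ebs *struct{ SnapshotId string } // nil for instance-store devices
	}
}

// snapshotAttr is the output of
// `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`.
type snapshotAttr struct {
	SnapshotId              string
	CreateVolumePermissions []struct{ Group, UserId string }
}

// uncopyable returns the snapshots behind a public AMI that are not public themselves.
func uncopyable(imgJSON string, attrJSON ...string) ([]string, error) {
	var img image
	if err := json.Unmarshal([]byte(imgJSON), &img); err != nil {
		return nil, err
	}
	public := map[string]bool{}
	for _, raw := range attrJSON {
		var a snapshotAttr
		if err := json.Unmarshal([]byte(raw), &a); err != nil {
			return nil, err
		}
		for _, p := range a.CreateVolumePermissions {
			if p.Group == "all" { // a UserId grant is a share with one account, not public
				public[a.SnapshotId] = true
			}
		}
	}
	var missing []string
	for _, m := range img.BlockDeviceMappings {
		if img.Public && m.Ebs != nil && !public[m.Ebs.SnapshotId] {
			missing = append(missing, m.Ebs.SnapshotId)
		}
	}
	return missing, nil
}

// Constructed sample input (assumption); the snapshot ID is the one quoted in this thread.
const sampleImage = `{"ImageId":"ami-EXAMPLE","Public":true,"BlockDeviceMappings":[
 {"DeviceName":"/dev/xvda","Ebs":{"SnapshotId":"snap-0e2f1666553d57bf1"}},
 {"DeviceName":"/dev/sdb","VirtualName":"ephemeral0"}]}`
const sampleAttr = `{"SnapshotId":"snap-0e2f1666553d57bf1","CreateVolumePermissions":[]}`

func main() {
	missing, err := uncopyable(sampleImage, sampleAttr)
	fmt.Println(missing, err)
}
```

A `Group: all` grant lets any AWS account create volumes from the snapshot, so the same parse also works as an inventory of which snapshots are currently public.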

fejta-bot commented Jan 30, 2018

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale


Contributor

gekart commented Jan 31, 2018

Solved by #295

@gekart gekart closed this Jan 31, 2018
