Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS: We should lock down the IAM policies (further) #11936

Closed
justinsb opened this issue Jul 28, 2015 · 3 comments
Closed

AWS: We should lock down the IAM policies (further) #11936

justinsb opened this issue Jul 28, 2015 · 3 comments

Comments

@justinsb
Copy link
Member

@justinsb justinsb commented Jul 28, 2015

For example, the master currently has blanket permissions on ec2, and the minion has write access to the s3 bucket, but only needs read access.

This may entail giving objects we create a prefix to enable stricter policies.

@erictune
Copy link
Member

@erictune erictune commented Jul 30, 2015

why is the prefix needed?

@justinsb justinsb self-assigned this Jul 30, 2015
@justinsb
Copy link
Member Author

@justinsb justinsb commented Jul 30, 2015

Not sure whether it's the only way, but the idea would be to do something like we do for S3, where we restrict access to certain buckets by name-prefix: https://github.com/GoogleCloudPlatform/kubernetes/blob/master/cluster/aws/templates/iam/kubernetes-master-policy.json

It looks like AWS expanded the list of "matchers" recently, so it might be we can match on tags or VPC also. This would be much cleaner, I think.

This was more a "we should think about locking the policy down a lot more" than "we have to use prefixes"! And that came out of the AWS doc I'm writing, which I've had a bunch of people bring up as something that needs improvement. I'm trying to make sure that the AWS doc links to issues wherever something isn't 100%.

@justinsb
Copy link
Member Author

@justinsb justinsb commented Nov 15, 2016

We're not going to be making further changes in kube-up, and we have an active issue in kops to figure out further lock-down: kubernetes/kops#376. Closing.

@justinsb justinsb closed this Nov 15, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.