Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: add readme about controller's credentials requests
1 parent d791013, commit cf2dcd7
Showing 2 changed files with 25 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
## Overview | ||
This directory contains `CredentialsRequest`s for the aws-load-balancer-controller, all generated from the same [source IAM policy](../../assets/iam-policy.json). The difference lays in the size of the policies they define. | ||
|
||
## Limits | ||
The Cloud Credential Operator and `ccoclt` generate two different inline policies: | ||
- The Cloud Credential Operator generates a **user** inline policy whose limit is **2048** characters. | ||
- `ccoctl` generates a **role** inline policy which has a limit of **10240** characters. | ||
|
||
Link: [IAM and STS character limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length). | ||
|
||
## controller-credentials-request.yaml | ||
|
||
This `CrendetialsRequest` is semantically equivalent to the source IAM policy. | ||
The Cloud Credential Operator cannot create a policy defined in this `CredentialsRequest` because it exceeds the limit of the user inline policy. | ||
The recommended way to use this `CrendetialsRequest` is to submit it to `ccoctl` as described in [the post installation instructions](../../docs/install.md#option-1-using-ccoctl). | ||
|
||
## controller-credentials-request-minify.yaml | ||
|
||
This `CrendetialsRequest` is a compact ("minified") version of the source IAM policy. Its goal is to fit within the user inline policy's size limit. | ||
This allows it can be created by both the Cloud Credential Operator and `ccoctl`. | ||
Currently, this `CrendetialsRequest` is only used by [the aws-load-balancer pre-install CI step](https://github.com/openshift/release/blob/master/ci-operator/step-registry/aws-load-balancer/pre-install/aws-load-balancer-pre-install-commands.sh#L14) to create a secret for [some e2e test cases](https://github.com/openshift/aws-load-balancer-operator/blob/main/test/e2e/operator_test.go#L324). | ||
|
||
**Note**: this `CredentialsRequest` has broader permissions than the source IAM policy! |
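Review bot: the closing line `**Note**: this CredentialsRequest has broader permissions than the source IAM policy!` warns that the minified request grants more than the source policy but never says which actions or resources were widened; please enumerate the broadened statements (or point at a diff against `../../assets/iam-policy.json`) so that anyone consuming the secret created by the pre-install CI step knows the least-privilege gap they are accepting, and state whether the minified request is intended only for that CI use. Smaller points in the same hunk: `ccoclt` in the Limits section should read `ccoctl`; `CrendetialsRequest` appears four times and should be `CredentialsRequest`; "The difference lays in" should be "The difference lies in"; "This allows it can be created" should be "This allows it to be created"; and the two GitHub links anchor to `#L14` and `#L324` on `master`/`main`, which will drift as those files change, so pin them to a commit SHA.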