From cf2dcd7ff1f200e8bc9b5f22a85731778fb70e41 Mon Sep 17 00:00:00 2001
From: Andrey Lebedev
Date: Tue, 5 Dec 2023 15:36:05 +0100
Subject: [PATCH] docs: add readme about controller's credentials requests
---
 Makefile | 4 ++--
 hack/controller/README.md | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 hack/controller/README.md
diff --git a/Makefile b/Makefile
index ad0a9a0a..85f733d9 100644
--- a/Makefile
+++ b/Makefile
@@ -134,11 +134,11 @@ vet: ## Run go vet against code.
 .PHONY: iamctl-gen
 iamctl-gen: iamctl-build iam-gen
 # generate controller's IAM policy without minify.
- @# This policy is for STS clusters as it's turned into a role policy which is limited to 10240 by AWS.
+ @# This policy is for STS clusters as it's turned into a role inline policy which is limited to 10240 by AWS.
 $(IAMCTL_BINARY) -i $(IAMCTL_ASSETS_DIR)/iam-policy.json -o $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_FILE) -p $(IAMCTL_GO_PACKAGE) -c $(IAMCTL_OUTPUT_CR_FILE) -n -s
 # generate controller's IAM policy with minify.
- @# This policy is for non STS clusters as it's turned into an inline policy which is limited to 2048 by AWS.
+ @# This policy is for non STS clusters as it's turned into a user inline policy which is limited to 2048 by AWS.
 $(IAMCTL_BINARY) -i $(IAMCTL_ASSETS_DIR)/iam-policy.json -o $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_MINIFY_FILE) -p $(IAMCTL_GO_PACKAGE) -f GetIAMPolicyMinify -c $(IAMCTL_OUTPUT_MINIFY_CR_FILE)
 go fmt -mod=vendor $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_FILE) $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_MINIFY_FILE)
diff --git a/hack/controller/README.md b/hack/controller/README.md
new file mode 100644
index 00000000..b5279fb5
--- /dev/null
+++ b/hack/controller/README.md
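Review bot: The reworded comment on the minify step records only the 2048 size limit, while the README added by this same commit states that the minified CredentialsRequest grants broader permissions than the source IAM policy; that is the property a reader of this recipe most needs to know and it is not carried in the Makefile. I would extend the second `@#` line to `@# Minified output fits the 2048-character user inline policy limit; per hack/controller/README.md it grants broader permissions than the source policy.` Both new comments also give the limits as bare numbers, whereas the README says characters, so `10240 characters` / `2048 characters` would keep the two in step. The iamctl-gen recipe may continue past the hunk's last line.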
@@ -0,0 +1,23 @@
+## Overview
+This directory contains `CredentialsRequest`s for the aws-load-balancer-controller, all generated from the same [source IAM policy](../../assets/iam-policy.json). The difference lays in the size of the policies they define.
+
+## Limits
+The Cloud Credential Operator and `ccoclt` generate two different inline policies:
+- The Cloud Credential Operator generates a **user** inline policy whose limit is **2048** characters.
+- `ccoctl` generates a **role** inline policy which has a limit of **10240** characters.
+
+Link: [IAM and STS character limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length).
+
+## controller-credentials-request.yaml
+
+This `CrendetialsRequest` is semantically equivalent to the source IAM policy.
+The Cloud Credential Operator cannot create a policy defined in this `CredentialsRequest` because it exceeds the limit of the user inline policy.
+The recommended way to use this `CrendetialsRequest` is to submit it to `ccoctl` as described in [the post installation instructions](../../docs/install.md#option-1-using-ccoctl).
+
+## controller-credentials-request-minify.yaml
+
+This `CrendetialsRequest` is a compact ("minified") version of the source IAM policy. Its goal is to fit within the user inline policy's size limit.
+This allows it can be created by both the Cloud Credential Operator and `ccoctl`.
+Currently, this `CrendetialsRequest` is only used by [the aws-load-balancer pre-install CI step](https://github.com/openshift/release/blob/master/ci-operator/step-registry/aws-load-balancer/pre-install/aws-load-balancer-pre-install-commands.sh#L14) to create a secret for [some e2e test cases](https://github.com/openshift/aws-load-balancer-operator/blob/main/test/e2e/operator_test.go#L324).
+
+**Note**: this `CredentialsRequest` has broader permissions than the source IAM policy!