-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improvements around setting up IAM (also for multiple clusters) #573
Comments
The example in #508 shows: apiVersion: eksctl.io/v1alpha4
kind: ClusterConfig
metadata:
name: test-cluster-c-1
region: eu-north-1
vpc:
securityGroup: "sg-0f2ae54eb340e8191"
sharedNodeSecurityGroup: "sg-02a47cee779b317a7"
subnets:
Private:
eu-north-1c:
id: "subnet-065fe8f12d0910d06"
cidr: "10.1.128.0/19"
eu-north-1b:
id: "subnet-06ebc3649c1321fc5"
cidr: "10.1.96.0/19"
iam:
serviceRoleARN: "arn:aws:iam::123:role/eksctl-test-cluster-a-3-cluster-ServiceRole-5YEWP7CFA24K"
nodeGroups:
- name: ng2-private
instanceType: m5.large
desiredCapacity: 1
privateNetworking: true
securityGroups:
withShared: true
withLocal: false
attachIDs: [sg-0b85ff315ea644478]
iam:
instanceProfileARN: "arn:aws:iam::123:instance-profile/eksctl-test-cluster-a-3-nodegroup-ng2-private-NodeInstanceProfile-Y4YKHLNINMXC"
instanceRoleARN: "arn:aws:iam::123:role/eksctl-test-cluster-a-3-nodegroup-NodeInstanceRole-DNGMQTQHQHBJ" After I create an eks cluster using eksctl, I can see the service role created has attached these managed policies:
And these two inline policies:
PolicyNLB has this: {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"elasticloadbalancing:*",
"ec2:CreateSecurityGroup",
"ec2:Describe*"
],
"Resource": "*",
"Effect": "Allow"
}
]
} while PolicyCloudWatchMetrics has this: {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*",
"Effect": "Allow"
}
]
} It has a trust policy of: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
} Creating a role that matches these would presumably work for the |
The eksctl created nodegroup IAM role gets these managed policies:
It has three inline policies (cluster specific names truncated), depending on
PolicyAutoScaling: {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"Resource": "*",
"Effect": "Allow"
}
]
} PolicyExternalDNSChangeSet has: {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/*",
"Effect": "Allow"
}
]
} PolicyExternalDNSHostedZones has: {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"route53:ListHostedZones",
"route53:ListResourceRecordSets"
],
"Resource": "*",
"Effect": "Allow"
}
]
} Presumably a role that was created in advance with these could be set for the |
So AFAICT, when you create a role, you get a default instance profile with the same name, so if you created a role as above, I think you can do this: iam:
instanceProfileARN: "arn:aws:iam::111111:instance-profile/eks-nodes-base-role"
instanceRoleARN: "arn:aws:iam::111111:role/eks-nodes-base-role" I am not as acquainted with instance profiles, so if that doesn't work, I'm documenting my eksctl created instance profile while truncating the cluster specific names/ARNs, so presumably a similar, permanent, shared instance profile could be created for re-use by specifying the
|
So if someone is trying to automate this in a bash script, while there are some minor additional inline policy privileges to add, this looks like it will work pretty well with slight modification |
Here's what worked for me for pre-existing shared vpc and pre-existing, shared iam roles: apiVersion: eksctl.io/v1alpha4
kind: ClusterConfig
metadata:
name: my-test
region: us-east-1
vpc:
id: "vpc-11111"
cidr: "152.28.0.0/16"
subnets:
private:
us-east-1d:
id: "subnet-1111"
cidr: "152.28.152.0/21"
us-east-1c:
id: "subnet-11112"
cidr: "152.28.144.0/21"
us-east-1a:
id: "subnet-11113"
cidr: "152.28.136.0/21"
iam:
serviceRoleARN: "arn:aws:iam::11111:role/eks-base-service-role"
nodeGroups:
- name: my-test-m5-private
labels: {pool: my-test-m5-private}
instanceType: m5.large
desiredCapacity: 3
minSize: 1
maxSize: 15
volumeSize: 50
volumeType: gp2
iam:
instanceProfileARN: "arn:aws:iam::11111:instance-profile/eks-nodes-base-role"
instanceRoleARN: "arn:aws:iam::1111:role/eks-nodes-base-role"
privateNetworking: true
securityGroups:
withShared: true
withLocal: true
attachIDs: ['sg-11111', 'sg-11112']
allowSSH: true
sshPublicKeyName: 'my-instance-key'
tags:
'environment:basedomain': 'example.org' |
Hey! Thanks for your efforts. This definitely helps users who wants to create cluster without huge IAM permission(that allows privilege escalation). I'm going a bit off topic, but for simplicity, I guess we should be able to omit instanceRoleARN when instanceProfileARN is specified:
If it doesn't work, I'd just enhance eksctl to automatically detect the corresponding roleARN for the specified profile. |
Also - I once considered if it would be nice to enhance eksctl to allow creating an instance profile according to the cluster config, something like:
|
Yusuke, I think we should consider 'eksctl create iam --cinfig-file'
really, but the question is which stack it would be part of, what do you
think? Maybe it should a standalone shared IAM stack that multiple clusters
can import? It is kind of similar with VPC.
…On Wed, 6 Mar 2019, 12:43 am KUOKA Yusuke, ***@***.***> wrote:
Also - I once considered if it would be nice to enhance eksctl to allow
creating an instance profile according to the cluster config, something
like:
$ eksctl utils create-instance-profile -f cluster.yaml --nodegroup my-test-m5-private
# Creates `eksctl-test-cluster-a-3-nodegroup-ng2-private-NodeInstanceProfile-Y4YKHLNINMXC` and prints the ARN of it
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#573 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAPWS81occNmfWObd4auBBGxFnsCFrMQks5vTw8lgaJpZM4bOI1J>
.
|
A shared IAM stack per region? Sounds good! Would it implies that we'd have a dedicated config for IAM?
Also, I was thinking if it can be a good starting point to just provide
Could be! Quick thoughts - Maybe we could have a dedicated VPCConfig object that can be consumed by |
Just had a user conversation at reinvent about this 👍 |
I am also in this exact position, and I've been going back and forth with my AWS admin for days trying to figure out how I can have permissions to launch clusters but not hurt anything else. So this thread has been really helpful, and I offer a 👍 if there are features under consideration which would make it easier. |
Closing due to staleness. Feel free to re-open 😄 |
Push amazonlinux target to Docker Hub
Currently, when I launch a cluster using eksctl, I need to have the access rights to create IAM policies, profiles, and roles.
I believe it is possible to have an administrator create these beforehand and then allow users without IAM creation privileges to launch clusters using these pre-existing policies. It would be nice if this was better documented.
Our use case is that we have a pre-existing vpc, and we want developers to be able to spin up an ephemeral eks clusters inside it, but not be able to accidentally modify IAM permissions in a way that leaves us vulnerable.
Related: #508
The text was updated successfully, but these errors were encountered: