New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for well known policies with IRSA #3045
Add support for well known policies with IRSA #3045
Conversation
f2b011e
to
27ccd41
Compare
can an example yaml be added please 😄 |
4e61994
to
58f186a
Compare
pkg/cfn/builder/iam_helper.go
Outdated
customPolicy{Name: "PolicyCertManagerGetChange", Statements: certManagerGetChangeStatements()}, | ||
) | ||
if wellKnownPolicies.ExternalDNS { | ||
policies = append(policies, customPolicy{Name: "PolicyCertManagerHostedZones", Statements: certManagerHostedZonesStatements("route53:ListHostedZones", "route53:ListTagsForResource")}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can't be hit, because we're in an else
after if wellKnownPolicies.ExternalDNS
above. (Which is a good reminder that I don't see any tests for this new feature yet...)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, missed when going from handling elements of a list of policies to handling this struct.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see this has been updated, but I think the logic has drifted slightly.
My understanding of the similar code in createRole
is roughly:
- If CertManager or ExternalDNS,
changeSetStatements
- If Certmanager,
certManagerGetChangeStatements
- If CertManager and ExternalDNS,
certManagerHostedZonesStatements
+ a couple of things ExternalDNS needs that aren't in that - If CertManager but not ExternalDNS,
certManagerHostedZonesStatements
- If ExternalDNS but not CertManager,
externalDNSHostedZonesStatements
.
This logic is currently
- If CertManager or ExternalDNS,
changeSetStatements
- If CertManager,
certManagerGetChangeStatements
- If CertManager and ExternalDNS,
certManagerHostedZonesStatements
+ a couple of things ExternalDNS needs that aren't in that - If CertManager and not ExternalDNS,
certManagerHostedZonesStatements
- If ExternalDNS,
externalDNSHostedZonesStatements
<== Applied even if CertManager.
externalDNSHostedZonesStatements
and certManagerHostedZonesStatements
both contain route53:ListResourceRecordSets
, and the "couple of things" above are the other two statements from externalDNSHostedZonesStatements
. So externalDNSHostedZonesStatements
is a strict subset of "certManagerHostedZonesStatements
+ a couple of things ExternalDNS needs that aren't in that", so the former should only if the latter has not been applied.
To be fair, I don't know why the effort is made to avoid the overlap, unless there's an actual failure on the AWS API when a policy contains multiple statements for the same Effect/Resource/Action tuple? It just makes it harder to read and reason about.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've simplified that code now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@TBBle please do take a look over the changes if you get a chance
@@ -25,7 +25,7 @@ type IAMRole struct { | |||
Path string `json:",omitempty"` | |||
|
|||
AssumeRolePolicyDocument MapOfInterfaces `json:",omitempty"` | |||
ManagedPolicyArns []string `json:",omitempty"` | |||
ManagedPolicyArns []interface{} `json:",omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not clear why this is changed. Is it just because we're smuggling the return value from makePolicyARN
out of (rs *IAMServiceAccountResourceSet) AddAllResources()
inside this slice? Would it make sense to just stringify the value before adding it to ManagedPolicyArns
instead?
(I'm not clear on what this gfn
business is all about, so maybe this comment doesn't make sense.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes it's kind of a less than ideal situation because we do some cloud formation using our own types and some using goformation. It's here that they're being mixed. makePolicyARN
uses Cloudformation intrinsics, which aren't serialized as strings. Although in this case it's probably not strictly necessary to use the intrinsic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm going to leave the intrinsics because we use them elsewhere (with makePolicyArns
) (and interface{}
is sort of how things are done in cfn/template
right now)
- metadata: | ||
name: aws-load-balancer-controller | ||
namespace: kube-system | ||
wellKnownPolicies: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would attachWellKnownPolicies
be better? I'm still open for WellKnownPolicies
to change, but I think having attach
prefixed helps to describe the intent
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's a little odd that this is would be a verb, when the general idea of declarative config suggests using nouns instead, to describe the resulting state, not how you get there.
attachedWellKnownPolicies
perhaps, but that's pretty verbose, and only subtly different, so likely to lead to muscle-memory mistakes.
I think the various uses of attach
in eksctl config stand out as verbs in a sea of nouns, but I guess using attach
specifically is consistent here, e.g., we also have securityGroups.attachIDs
, not securityGroups.attachedIDs
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I was trying to avoid a verb but maybe withWellKnownPolicies
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would I be at risk of ruining everything by saying I am not a fan of WellKnown
? withCommonPolicies
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the one problem with "common" is that it has two meanings, one "well known", the other "shared"...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeh that's totally right. withNamedPolicies
? although I suppose all policies have names.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Struggling to find a better alternative to WellKnownPolicies
so I'm happy to stick with that. I'm still unsure about with
vs attach
. I know that using the word attach
isn't technically correct, but IMO its worth using it to remain consistent with the other fields.
f950aa9
to
4052080
Compare
4052080
to
fa4f8f6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
a78c9c6
to
a0e0b0e
Compare
Description
Fixes #2837
I've only added these 5 for now. I want to confirm the rest of the existing
addonPolicies
make sense with IRSAChecklist
README.md
, or theuserdocs
directory)area/nodegroup
), target version (e.g.version/0.12.0
) and kind (e.g.kind/improvement
)