Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tighten IAM Permissions #33

Open
randomvariable opened this issue Feb 26, 2019 · 10 comments
Open

Tighten IAM Permissions #33

randomvariable opened this issue Feb 26, 2019 · 10 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@randomvariable
Copy link
Member

Related to kubernetes-sigs/cluster-api-provider-aws#608

What would you like to be added:
Cluster API Provider AWS attempts to use least privileges whereever possible.

The project maintains a copy of the IAM policies used by cloud-provider-aws, but these are permissive compared to the use of IAM conditions in the Cluster API AWS.

If there is consistent tagging in use, then these permissions can be scoped down.

Why is this needed:

Enhanced security posture.

/kind feature
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 26, 2019
@randomvariable randomvariable mentioned this issue Feb 26, 2019
Closed
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 27, 2019
@tdmalone
Copy link

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 27, 2019
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 25, 2019
@detiber
Copy link
Member

detiber commented Aug 26, 2019

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 26, 2019
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 24, 2019
@detiber
Copy link
Member

detiber commented Dec 2, 2019

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 2, 2019
@nckturner
Copy link
Contributor

/assign

@nckturner nckturner added the good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. label Feb 18, 2021
@nckturner nckturner removed their assignment Feb 18, 2021
@nckturner nckturner added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Feb 18, 2021
@nckturner nckturner removed the good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. label Mar 19, 2021
@nckturner
Copy link
Contributor

Assuming this means tagging resources on creation, and then limiting the cloud provider to modifying/deleting resources that are tagged -- the difficulty lies in upgrading to a version of the cloud provider that does this, and accounting for resources that were created prior to this feature being implemented. Possibly we can use a command line tool to look for resources by querying kubernetes APIs, i.e. looking at all the service objects to find load balancers to help with migration. This gets away from having to add permissions and complicated logic for a specific upgrade, but still has a pretty negative upgrade experience...

@sftim
Copy link

sftim commented Feb 23, 2022

Is it feasible to enable this improved security initially for clusters created after a flag date, and then document a mechanism to switch the cluster to the new security model?

@gabrielbull
Copy link

I too would like this. It should be simple if we follow @sftim's idea.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@gabrielbull @tdmalone @detiber @nckturner @randomvariable @k8s-ci-robot @sftim @fejta-bot