Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

eks-prow-build-cluster: IAM refactoring and improvements #5160

Closed
2 tasks
Tracked by #5169
pkprzekwas opened this issue Apr 24, 2023 · 5 comments
Closed
2 tasks
Tracked by #5169

eks-prow-build-cluster: IAM refactoring and improvements #5160

pkprzekwas opened this issue Apr 24, 2023 · 5 comments
Assignees
@pkprzekwas @xmudrii
Labels
area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure area/infra Infrastructure management, infrastructure design, code in infra/ kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra.
Milestone
v1.28

Comments

@pkprzekwas
Copy link
Contributor

pkprzekwas commented Apr 24, 2023
edited

  • create IAM roles dedicated for running terraform scripts for provisioning EKS prow build cluster. This can be done with dedicated terraform script or simple bash script with aws cli.
  • introduce permission boundaries to prevent access escalation in roles with assigned IAM actions. We can start small with positions like denying leaving org and removing permission boundary.

ref: #5113

/cc @xmudrii @sftim
@pkprzekwas pkprzekwas added the sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. label Apr 24, 2023
@pkprzekwas pkprzekwas mentioned this issue Apr 24, 2023
Merged
@xmudrii xmudrii mentioned this issue Apr 24, 2023
Open
@xmudrii
Copy link
Member

xmudrii commented Apr 25, 2023

/retitle eks-prow-build-cluster: IAM refactoring and improvements

@k8s-ci-robot k8s-ci-robot changed the title AWS: eks-build-cluster IAM revamp eks-prow-build-cluster: IAM refactoring and improvements Apr 25, 2023
@xmudrii xmudrii mentioned this issue Apr 25, 2023
Closed
@xmudrii
Copy link
Member

xmudrii commented Apr 25, 2023

/milestone v1.28
/sig k8s-infra
/area infra
/area infra/aws
/kind cleanup

@k8s-ci-robot k8s-ci-robot added this to the v1.28 milestone Apr 25, 2023
@k8s-ci-robot k8s-ci-robot added area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. labels Apr 25, 2023
@xmudrii
Copy link
Member

xmudrii commented Apr 26, 2023

/assign
/assign @pkprzekwas

@xmudrii
Copy link
Member

xmudrii commented May 24, 2023

This is done. 🎉 Boundaries can be extended, but this can be done on demand.
/close

@k8s-ci-robot
Copy link
Contributor

@xmudrii: Closing this issue.

In response to this:

This is done. 🎉 Boundaries can be extended, but this can be done on demand.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pkprzekwas pkprzekwas

@xmudrii xmudrii

Labels
area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure area/infra Infrastructure management, infrastructure design, code in infra/ kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra.
Projects
None yet
Milestone
v1.28
Development

No branches or pull requests
3 participants
@pkprzekwas @xmudrii @k8s-ci-robot