eks-prow-build-cluster: fix root volume for node groups and setup IAM role with admin access #4989
Conversation
"userarn" = var.root_account_arn | ||
"username" = "root" | ||
"groups" = [ | ||
"system:masters" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we sure about this? I tend to not trust the root principal for any use.
Perhaps comment about why it's OK here.
This is to give access to the EKS options via the Web Console. We can later drop this if Web Console access is not needed, but at this stage, it can be useful. I'm not sure we can easily scope this down as I'm not sure what permissions are needed by the Web Console.
How about just granting read for now?
This is now using a ClusterRoleBinding/Group with cluster-admin access. We'll probably remove this after the POC phase, so I wouldn't spend too much time trying to scope down permissions.
+1 to merge and iterate
```hcl
# Give administrator access to the admin IAM role so it can be used with Terraform.
resource "aws_iam_role_policy_attachment" "iam_policy_cluster_admin" {
  role       = aws_iam_role.iam_cluster_admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```
This is more access than is needed. Consider a permissions boundary or a more specific policy.
For example, this allows `organizations:LeaveOrganization`. A deployer should not need to be allowed to do so.
The problem here is how to determine what are needed permissions. This account should be able to deploy those Terraform configs, and it needs quite a lot of access, so going Administrator level made sense. If anyone has any idea how to properly collect needed permissions, it would be appreciated.
Try https://skildops.com/blog/generate-restricted-aws-iam-policy-via-cloudtrail as a starting point.
Let's do this in a follow up.
+1 to merge and iterate
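The approach the reviewer linked above (derive a restricted policy from what CloudTrail actually recorded the deployer role calling) worked through as an added Python example; it is not code from this PR or from the repository. The role ARN and the CloudTrail records are constructed, and the script assumes `eventName` equals the IAM action name, which holds for most but not all APIs.

```python
from collections import defaultdict

# Placeholder: the real account id and role name are not on the page.
DEPLOYER_ROLE_ARN = "arn:aws:iam::123456789012:role/iam_cluster_admin"

def _principal_arn(event):
    """Role behind an AssumedRole session, otherwise the caller's own ARN."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn")

def observed_actions(events, role_arn):
    """Map service prefix -> API calls made by role_arn. Assumes eventName equals
    the IAM action name (a few services differ), so review the result by hand."""
    actions = defaultdict(set)
    for ev in events:
        if _principal_arn(ev) != role_arn:
            continue
        service = ev["eventSource"].split(".")[0]  # "eks.amazonaws.com" -> "eks"
        actions[service].add(ev["eventName"])
    return actions

def build_policy(actions):
    """One Allow statement per service. Resource is left as "*" here; narrow it
    (cluster and node group ARNs) before this replaces AdministratorAccess."""
    statements = [
        {"Sid": f"{svc.capitalize()}Observed", "Effect": "Allow",
         "Action": sorted(f"{svc}:{name}" for name in names), "Resource": "*"}
        for svc, names in sorted(actions.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}

def _record(source, name, arn, assumed=True):
    """Minimal CloudTrail record (constructed test data)."""
    ident = ({"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": arn}}}
             if assumed else {"type": "IAMUser", "arn": arn})
    return {"eventSource": source, "eventName": name, "userIdentity": ident}

# Constructed sample: calls a Terraform run by the deployer role might log, plus a
# call by another principal that must not leak into the deployer's policy.
SAMPLE_EVENTS = [
    _record("eks.amazonaws.com", "CreateNodegroup", DEPLOYER_ROLE_ARN),
    _record("ec2.amazonaws.com", "DescribeSubnets", DEPLOYER_ROLE_ARN),
    _record("eks.amazonaws.com", "CreateNodegroup", DEPLOYER_ROLE_ARN),  # duplicate collapses
    _record("organizations.amazonaws.com", "LeaveOrganization",
            "arn:aws:iam::123456789012:user/other", assumed=False),
]

def deployer_policy():
    return build_policy(observed_actions(SAMPLE_EVENTS, DEPLOYER_ROLE_ARN))
```

Run it against the role's real CloudTrail export from a full `terraform apply`, then attach the result in place of `AdministratorAccess` and keep a permissions boundary on the role for anything the run did not exercise.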
Force-pushed db443ed to 8199e5f (Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>)
The latest changes are applied. Remaining action items are documented here: #4686 (comment)
Force-pushed 8199e5f to bfecd62 (Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>)
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims, xmudrii The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Changes are already applied.
This PR brings two improvements to the eks-prow-build-cluster:
main.tf
for the first Terraform run
/hold for discussing
/assign @ameukam @upodroid