Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

eks-prow-build-cluster: fix root volume for node groups and setup IAM role with admin access #4989

Merged
merged 2 commits into from
Mar 27, 2023
Merged

eks-prow-build-cluster: fix root volume for node groups and setup IAM role with admin access #4989

merged 2 commits into from
Mar 27, 2023

Conversation

xmudrii
Copy link
Member

@xmudrii xmudrii commented Mar 20, 2023

This PR brings two improvements to the eks-prow-build-cluster:

  • Root volume is now properly defined, so Terraform is going to modify the default root volume instead of creating a new one
  • Create an IAM role with the administrator privileges
    • The idea is that IAM users are supposed to assume that role instead of giving permissions to each IAM user
    • That IAM role is also specified in the aws-auth ConfigMap
    • That IAM role is also specified as service user for the KMS key so it can be used with Terraform
    • Additionally, that IAM role is Administrator in AWS, so it can be used to run Terraform
    • The only problem with this IAM role is upon creating the cluster for the first time. In that case, assume role must be commented in main.tf for the first Terraform run

/hold for discussing
/assign @ameukam @upodroid

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 20, 2023
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure labels Mar 20, 2023
@k8s-ci-robot k8s-ci-robot added sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 20, 2023
sftim
sftim suggested changes Mar 20, 2023
View reviewed changes
infra/aws/terraform/prow-build-cluster/eks.tf Outdated
"userarn" = var.root_account_arn
"username" = "root"
"groups" = [
"system:masters"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure about this? I tend to not trust the root principal for any use.
Perhaps comment about why it's OK here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is to give access to the EKS options via the Web Console. We can later drop this if Web Console access is not needed, but at this stage, it can be useful. I'm not sure we can easily scope this down as I'm not sure what permissions are needed by the Web Console.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about just granting read for now?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now using a ClusterRoleBinding/Group with cluster-admin access. We'll probably remove this after the POC phase, so I wouldn't spend too much time trying to scope down permissions.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to merge and iterate

infra/aws/terraform/prow-build-cluster/eks.tf Outdated Show resolved Hide resolved
infra/aws/terraform/prow-build-cluster/eks.tf Outdated
# Give administrator access to the admin IAM role so it can be used with Terraform.
resource "aws_iam_role_policy_attachment" "iam_policy_cluster_admin" {
role = aws_iam_role.iam_cluster_admin.name
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is more access than is needed. Consider a permissions boundary or a more specific policy.

For example, this allows organizations:LeaveOrganization. A deployer should not need to be allowed to do so.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem here is how to determine what are needed permissions. This account should be able to deploy those Terraform configs, and it needs quite a lot of access, so going Administrator level made sense. If anyone has any idea how to properly collect needed permissions, it would be appreciated.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Try https://skildops.com/blog/generate-restricted-aws-iam-policy-via-cloudtrail as a starting point.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's do this in a follow up.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to merge and iterate

infra/aws/terraform/prow-build-cluster/main.tf Show resolved Hide resolved
infra/aws/terraform/prow-build-cluster/terraform.tfvars Outdated Show resolved Hide resolved
infra/aws/terraform/prow-build-cluster/eks.tf Outdated Show resolved Hide resolved
infra/aws/terraform/prow-build-cluster/eks.tf Outdated Show resolved Hide resolved
@pkprzekwas pkprzekwas mentioned this pull request Mar 24, 2023
Merged
@xmudrii
eks-prow-build-cluster: expand the root volume
45d901c 
Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
@xmudrii xmudrii mentioned this pull request Mar 27, 2023
Closed
@xmudrii
Copy link
Member Author

xmudrii commented Mar 27, 2023

The latest changes are applied. Remaining action items are documented here: #4686 (comment)

@xmudrii
Create IAM role and delegate admin permissions to it
bfecd62 
Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
@dims
Copy link
Member

dims commented Mar 27, 2023

/approve
/lgtm
/hold please go ahead remove hold when ready to apply this change.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 27, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, xmudrii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 27, 2023
@xmudrii
Copy link
Member Author

xmudrii commented Mar 27, 2023

Changes are already applied.
/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 27, 2023
@k8s-ci-robot k8s-ci-robot merged commit d2ae54e into kubernetes:main Mar 27, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.28 milestone Mar 27, 2023
@xmudrii xmudrii deleted the eks-improvements branch March 27, 2023 14:25
@pkprzekwas pkprzekwas mentioned this pull request Mar 27, 2023
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TerryHowe TerryHowe TerryHowe left review comments

@ameukam ameukam ameukam left review comments

@pkprzekwas pkprzekwas pkprzekwas left review comments

@sftim sftim sftim requested changes

@dims dims Awaiting requested review from dims

@thockin thockin Awaiting requested review from thockin

Assignees

@dims dims

@ameukam ameukam

@sftim sftim

@upodroid upodroid

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure area/infra Infrastructure management, infrastructure design, code in infra/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.28
Development

Successfully merging this pull request may close these issues.
8 participants
@xmudrii @dims @k8s-ci-robot @TerryHowe @ameukam @pkprzekwas @sftim @upodroid