🌱 Redefine managing IAM resources: Create and Delete #4909
Conversation
|
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
kind/feature
k8s-ci-robot
added
needs-priority
size/XL
|
/assign @richardcase @Ankitasw |
|
@Atharva-Shinde Looks like there are CI failures here. Would you mind taking a look at failures in linting and verifying in particular? The linting job should have comments pointing at what to do in order to resolve the issue, such as this message about commenting or un-exporting a symbol. |
|
/retitle 🌱 Redefine managing IAM resources: Create and Delete Updating the title should cause the PR verify job to pass. |
k8s-ci-robot
changed the title
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Atharva-Shinde
force-pushed
the
redefineManagingResources
branch
from
2d73172
to
9bd5db6
Compare
|
Thanks @nrb I've addressed the CI failures :) |
|
|
||
| func attachPoliciesToRole(rolename *string, awsManagedPolicies []string, client *iam.IAM) error { | ||
| if awsManagedPolicies == nil { | ||
| // klog.Warningf("no policies defined to attach to the IAM role \"%s\"", *rolename) // TODO |
There was a problem hiding this comment.
What's the next action here? Just enabling the warning, or something else?
There was a problem hiding this comment.
Reading further, looks like there's a question about outputting the ARNs elsewhere - is this the same?
| klog.Warningf("IAM role \"%s\" is already attached to policy", *rolename) // TODO should we output the policy arn? how safe is it | ||
| continue | ||
| default: | ||
| return errors.Wrapf(err, "failed to attach IAM role \"%s\" to policy", *rolename) // TODO should we output the policy arn? how safe is it |
There was a problem hiding this comment.
Thinking about where this command should be running, I can think of a couple environments:
First, a user's machine, while they set up a management cluster. I think outputting an ARN here is fine. They have some sort credentials on their machine, which are the higher risk asset.
Next, CI, which might be spinning up resources, either for testing or as part of a larger provisioning system. In this case, the ARNs would probably get output into logs. Hopefully, the CI is using short-lived credentials, but again, those would be the more valuable asset.
It's true that policy ARNs could be observed and an attacker could attempt to edit the policy to expand permissions. However, I'm not sure the actual ARN is all that important, since what really matters are the permissions to actually overwrite the policy the ARN points to.
Does that make sense?
| func prioritySet(t go_cfn.Template) (rmap map[string][]go_cfn.Resource, err error) { | ||
| rmap = map[string][]go_cfn.Resource{} | ||
| for _, resource := range t.Resources { | ||
| if resource.AWSCloudFormationType() == configservice.ResourceTypeAwsIamRole { |
There was a problem hiding this comment.
The description says that this PR is looking to move away from CloudFormation, but we're using CloudFormation files here.
Is the intent to use CloudFormation templates as the input still, but introspect them and make our own API calls vs submitting them directly to the CF service endpoints?
What type of PR is this?
/kind feature
/area clusterawsadm
What this PR does / why we need it:
Currently, CAPA manages prerequisites required by AWS through CloudFormation which has caused numerous issues to CAPA end-users. This PR works as a stepping stone in migrating away from the use of AWS CloudFormation and relying on service specific API calls to manage IAM resources and gradually make the process idempotent.
This PR introduces 2 new commands:
clusterawsadm bootstrap iam create: creates IAM resources(roles, instances profiles and policies) from the bootstrap configuration file (uses default bootstrap configuration if not provided)clusterawsadm bootstrap iam deletedeletes IAM resources(roles, instances profiles and policies) created using the bootstrap configuration file (uses default bootstrap configuration if not provided)Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #3715
Special notes for your reviewer:
Screenshots:
Checklist:
Release note: