Enhancements: IAM integration (primarily AWS)

Created on 23 Jan 2017 · 16Comments · Source: kubernetes/enhancements

Description

Pod-level IAM policies, so that a pod gets the IAM permissions (and only those permissions) that are configured. This is widely achieved today via kube2iam, but we want to investigate baking this more deeply, either into kops or kubernetes itself (or both!)

Progress Tracker

[ ] Alpha
- [ ] Write and maintain draft quality doc
  - [ ] During development keep a doc up-to-date about the desired experience of the feature and how someone can try the feature in its current state. Think of it as the README of your new feature and a skeleton for the docs to be written before the Kubernetes release. Paste link to Google Doc: DOC-LINK
- [ ] Design Approval
  - [ ] Design Proposal. This goes under design-proposals. Doing a proposal as a PR allows line-by-line commenting from community, and creates the basis for later design documentation. Paste link to merged design proposal here: PROPOSAL-NUMBER
  - [ ] Decide which repo this feature's code will be checked into. Not everything needs to land in the core kubernetes repo. REPO-NAME
  - [ ] Initial API review (if API). Maybe same PR as design doc. PR-NUMBER
  - Any code that changes an API (/pkg/apis/...)
  - cc @kubernetes/api
  - [ ] Identify shepherd (your SIG lead and/or [email protected] will be able to help you). My Shepherd is: _replace.[email protected]_ (and/or GH Handle)
  - A shepherd is an individual who will help acquaint you with the process of getting your feature into the repo, identify reviewers and provide feedback on the feature. They are _not_ (necessarily) the code reviewer of the feature, or tech lead for the area.
  - The shepherd is _not_ responsible for showing up to Kubernetes-PM meetings and/or communicating if the feature is on-track to make the release goals. That is still your responsibility.
  - [ ] Identify secondary/backup contact point. My Secondary Contact Point is: _replace.[email protected]_ (and/or GH Handle)
- [ ] Write (code + tests + docs) then get them merged. ALL-PR-NUMBERS
  - [ ] Code needs to be disabled by default. Verified by code OWNERS
  - [ ] Minimal testing
  - [ ] Minimal docs
  - cc @kubernetes/docs on docs PR
  - cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
  - New apis: Glossary Section Item in the docs repo: kubernetes/kubernetes.github.io
  - [ ] Update release notes
[ ] Beta
- [ ] Testing is sufficient for beta
- [ ] User docs with tutorials
  - Updated walkthrough / tutorial in the docs repo: kubernetes/kubernetes.github.io
  - cc @kubernetes/docs on docs PR
  - cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
- [ ] Thorough API review
- cc @kubernetes/api
[ ] Stable
- [ ] docs/proposals/foo.md moved to docs/design/foo.md
  - cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
- [ ] Soak, load testing
- [ ] detailed user docs and examples
- cc @kubernetes/docs
- cc @kubernetes/feature-reviewers on this issue to get approval before checking this off

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: IN_DEVELOPMENT

More advice:

Design

Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository,
and sometimes http://github.com/kubernetes/contrib, or other repos.
When you are done with the code, apply the "code-complete" label.
When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will
check that the code matches the proposed feature and design, and that everything is done, and that there is adequate
testing. They won't do detailed code review: that already happened when your PRs were reviewed.
When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

[ ] Write user docs and get them merged in.
User docs go into http://github.com/kubernetes/kubernetes.github.io.
When the feature has user docs, please add a comment mentioning @kubernetes/docs.
When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.

areprovideaws kinfeature lifecyclrotten stagbeta trackeno

Source

justinsb

🎉4 👍2

Most helpful comment

@justinsb Following the discussion, and happy to jump in. We've been using kube2iam heavily, but if we can have something "native" I guess all AWS users will benefit.

Raffo on 31 Jan 2017

👍3

All 16 comments

@kubernetes/sig-auth-feature-requests

erictune on 23 Jan 2017

@justinsb Following the discussion, and happy to jump in. We've been using kube2iam heavily, but if we can have something "native" I guess all AWS users will benefit.

Raffo on 31 Jan 2017

👍3

@justinsb are you expecting any progress for 1.7?

idvoretskyi on 9 May 2017

Yes

justinsb on 9 May 2017

@justinsb please, update the feature description so.

idvoretskyi on 9 May 2017

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

fejta-bot on 24 Dec 2017

/remove-lifecycle stale

erictune on 28 Dec 2017

@erictune @justinsb any progress here is expected?

idvoretskyi on 22 Jan 2018

Maybe it is helpful for others: We're using kube2iam together with a service to manage IAM roles based on Kubernetes ThirdPartyResources: https://github.com/Collaborne/kubernetes-aws-resource-service

ankon on 22 Jan 2018

@justinsb Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

Description
Milestone
Assignee(s)
Labels:
- stage/{alpha,beta,stable}
- sig/*
- kind/feature

cc @idvoretskyi

justaugustus on 17 Apr 2018

This feature current has no milestone, so we'd like to check in and see if there are any plans for this in Kubernetes 1.12.

If so, please ensure that this issue is up-to-date with ALL of the following information:

One-line feature description (can be used as a release note):
Primary contact (assignee):
Responsible SIGs:
Design proposal link (community repo):
Link to e2e and/or unit tests:
Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
Approver (likely from SIG/area to which feature belongs):
Feature target (which target equals to which milestone):
- Alpha release target (x.y)
- Beta release target (x.y)
- Stable release target (x.y)

Set the following:

Description
Assignee(s)
Labels:
- stage/{alpha,beta,stable}
- sig/*
- kind/feature

Once this feature is appropriately updated, please explicitly ping @justaugustus, @kacole2, @robertsandoval, @rajendar38 to note that it is ready to be included in the Features Tracking Spreadsheet for Kubernetes 1.12.

Please note that Features Freeze is tomorrow, July 31st, after which any incomplete Feature issues will require an Exception request to be accepted into the milestone.

In addition, please be aware of the following relevant deadlines:

Docs deadline (open placeholder PRs): 8/21
Test case freeze: 8/28

Please make sure all PRs for features have relevant release notes included as well.

Happy shipping!

P.S. This was sent via automation

justaugustus on 31 Jul 2018

Hi
This enhancement has been tracked before, so we'd like to check in and see if there are any plans for this to graduate stages in Kubernetes 1.13. This release is targeted to be more ‘stable’ and will have an aggressive timeline. Please only include this enhancement if there is a high level of confidence it will meet the following deadlines:

Docs (open placeholder PRs): 11/8
Code Slush: 11/9
Code Freeze Begins: 11/15
Docs Complete and Reviewed: 11/27

Please take a moment to update the milestones on your original post for future tracking and ping @kacole2 if it needs to be included in the 1.13 Enhancements Tracking Sheet

Thanks!

kacole2 on 8 Oct 2018

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot on 6 Jan 2019

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

fejta-bot on 5 Feb 2019

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

fejta-bot on 7 Mar 2019

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.