Problem:
It is not clear how many AWS permissions we need to create a k8s cluster with kops.
Suggested solutions:
a) It would be good to maintain a list of all required permissions.
b) Add a dry-run for 'kops create'?
c) Generate a service-user IAM policy template for review prior to the 'kops create'.
So @qzhuyan there is a dry run for kops create cluster already. Just neglect to add the --yes flag to the command, and only the meta information is created. A user can use the meta information to apply the changes later.
I do think it would be worthwhile in the long run to get a command built into kops that would generate the IAM policy template, and maybe even have a way to apply the template via kops and create a new kops user.
Just some thoughts
We have another issue open about IAM policy ... And opening an issue about IAM user create.
@kris-nova thanks for quick reply.
I do run kops with dry-run (without --yes) and it failed when creating the metadata. For example, kops needs the "iam:GetRole" permission while our service user is not allowed to do that. I need to explain to our security guy why I need it, and we are progressing slowly since we are doing a fail-and-retry approach. In the end we stopped this approach and would try a centralized way of doing it, where some team takes the responsibility and manages it for all other teams, but this is not flexible for us.
@qzhuyan We now have some docs regarding this here. Is this sufficient?
Adding a dry-run policy creation function would go a long way when working within spaces that require auditing. I would like to be able to generate these on the go and deliver them to the infosec team on a semi-regular basis.
we can probably cross-link this to here https://github.com/kubernetes/kops/issues/1776
@yissachar looks good, at least we know 5 AWS services (IAM, VPC, Route53, EC2, S3) are involved.
But I am afraid requiring full access is too open. Not sure our security team would approve it.
@hollowimage do you mean generating a list of the AWS CLI commands/API calls that would be used, or?
@qzhuyan I'm not 100% sure that we need full access to all of those. If you can test a more minimal set of permissions and contribute back some docs that would be great!
@qzhuyan I was just thinking a template of "here is what I will need" or "here are the components in the cluster created by k8s/kops and here are their associated security groups and the permissions they have" so I don't have to scour this manually.
That being said, a pre-generated manifest of AWS commands could also be useful I guess? Though you get a pretty detailed breakdown of that when you pipe it all to a terraform output anyway.
@hollowimage I totally agree with you! It is the same idea as I wrote in my suggested solution c).
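An added illustration of suggestion c) and of the fail-and-retry approach described earlier in the thread, not part of the kops project or of anyone's comment here: it reads CloudTrail-style records from a dry run (the records below are constructed samples, not real logs), separates the calls that were still AccessDenied, and emits a reviewable least-privilege IAM policy skeleton. The eventSource-to-action-prefix mapping is an assumption that must be checked by hand for the few APIs whose CloudTrail eventName differs from the IAM action name.

```python
import json
from collections import defaultdict

# Constructed sample of CloudTrail records (not real logs): one record per API call
# observed during a kops dry run. AccessDenied records show what the service user lacks.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "GetRole", "errorCode": "AccessDenied"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs"},
    {"eventSource": "route53.amazonaws.com", "eventName": "ListHostedZones"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketLocation"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "errorCode": "AccessDenied"},
]


def action_from_event(event):
    """Map a CloudTrail record to an IAM action string such as 'iam:GetRole'.

    Assumption: the IAM service prefix equals the first label of eventSource and the
    action equals eventName. This holds for most control-plane calls but the output
    still needs a human review pass for the exceptions.
    """
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def summarize_events(events):
    """Return (all_actions, denied_actions) as sorted, de-duplicated lists."""
    seen, denied = set(), set()
    for ev in events:
        action = action_from_event(ev)
        seen.add(action)
        if ev.get("errorCode") == "AccessDenied":
            denied.add(action)
    return sorted(seen), sorted(denied)


def build_policy(actions):
    """Build an IAM policy document with one Allow statement per service.
    Resource is left as '*' on purpose: scoping to ARNs is the reviewer's job."""
    by_service = defaultdict(list)
    for action in actions:
        by_service[action.split(":")[0]].append(action)
    statements = [
        {"Sid": f"Kops{svc.capitalize()}", "Effect": "Allow", "Action": acts, "Resource": "*"}
        for svc, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    actions, denied = summarize_events(SAMPLE_EVENTS)
    print("Still denied:", denied)
    print(json.dumps(build_policy(actions), indent=2))
```

The denied list is the delta to take to the security team after each retry; the policy document is the artifact they can review before the real 'kops create --yes'.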
Can we close this because we have https://github.com/kubernetes/kops/issues/1873 open?