-
Notifications
You must be signed in to change notification settings - Fork 258
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Proposal] Enhance CARM with team-id and service-level isolation #2031
Comments
I'd like to utilize this GitHub issue as a space for brain storming and defining the general UX. Depending on the complexity, we may consider creating a separate design proposal PR for a more detailed discussion and implementation. |
Overall, I like it. One suggestion I have is to reserve the possibility to expand the CM structure without disrupting users in the future. Having one to one mapping between role arn and team-id may prove too restricting.
|
As we discussed in last week meeting. We can developed a v2 CARM map while still supporting the existing The new map will have the
We can easily expend in the future to the key such as |
This patchh updates the feature gates configuration in the Helm values template: - Removes the `CARMv2` feature gate - Adds two new feature gates: - `ServiceLevelCARM`: Enables Service level granularity for CARM - `TeamLevelCARM`: Enables Team level granularity for CARM Both new feature gates are set to `false` by default. See aws-controllers-k8s/community#2031 for more information on these CARM granularity levels.
Context
Currently, all the ACK controllers are shipped with CARM (Cross Account Resource Management) capabilities to extend the scope of controllers to manage resources across multiple AWS Accounts. This is achieved through a ConfigMap and namespace annotations.
The CARM ConfigMap allows users to specify AWS account IDs and the corresponding IAM Role ARNs that the controllers should assume when managing resources in those accounts. For example:
Additionally, users annotate their Kubernetes namespaces with the AWS account ID they want the controllers in that namespace to manage resources for. For example:
When a controller (watching
production
namespace) needs to manage resources, it looks up the CARM ConfigMap (more precisely the CARM Cache) for the accountID specified in the namespace annotation and retires the corresponding IAM Role ARN. The controller then needs to assume this role and pivot the client to start managing resources in that account.Limitations
However, the current implementation has the following limitations:
PS: We've heard of users hacking around this by specifying a different ID than an AWS account ID. While this approach works, it is not intuitive or recommended.
These limitations can lead to overly broad permissions being granted, violating the principle of least privilege and making it challenging to manage resource across teams and services effectively.
Proposals
We propose an extension and backward-compatible solution to the current CARM model to address these limitations and allow users to continue fine-grain/isolating their AWS/Kubernetes environments.
Introduce a new
team-id
annotationThis will allow users to reuse the same account against multiple namespaces, but provide different roles for each team. For example, let's say we have two teams
team-a
andteam-b
both working with resources in the same account (11111111111). Admins could annotate their namespaces wayOn other hand, the ConfigMap would then be updated to use
team-id
as a key and the associated RoleARN as value. For example:Introduce a new service-prefixed-annotation
In addition to the team annotation, we suggest introducing a service-prefixed annotations and CARM entries. These annotations would allow you to specify different IAM roles for different service controllers whitin the same team and AWS Account.
For example, you might want the s3 controller to assume a different IAM Role than the dynamodb controller, even when managing resources in the same team/aws account.
The namespace annotations would look like this:
Then, in the CARM ConfigMap, you can specify the IAM role ARNs for each service controller and team combination:
With this setup, the S3 controller would assume the
team-a-s3-role
when managing S3 resourcesfor team-a
, while the DynamoDB controller would assume theteam-a-dynamodb-role
when managing DynamoDB resources forteam-a
. Any other controller will assumeteam-a
roleThe order of precedence for the controller to pick up the role ARNs would be:
cc @mikestef9 @zicongmei @jlbutler @jose-fully-ported @eadasiak
The text was updated successfully, but these errors were encountered: