Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Scope CloudFormation Permissions #3948

Merged
merged 9 commits into from
Jun 27, 2023
Merged

chore: Scope CloudFormation Permissions #3948

merged 9 commits into from
Jun 27, 2023

Conversation

jonathan-innis
Copy link
Contributor

@jonathan-innis jonathan-innis commented May 26, 2023
edited
Loading

Fixes #

Description

Updates CloudFormation permissions in the "Getting Started Guide" to be scoped to sufficiently restrict the tags that can be used when provisioning nodes with Karpenter. It also enforce tag-based authz on the karpenter controller by default.

Note that the CloudFormation file and the permissions that are provided there-in only serve as a starting point for users. The permissions will most likely have to be extended to some degree for most use-cases.

How was this change tested?

  • /karpenter snapshot

Does this change impact docs?

  • Yes, PR includes docs updates
  • Yes, issue opened: #
  • No

Release Note

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@netlify
Copy link

netlify bot commented May 26, 2023
edited
Loading

Deploy Preview for karpenter-docs-prod canceled.

Name Link
🔨 Latest commit 1d67741
🔍 Latest deploy log https://app.netlify.com/sites/karpenter-docs-prod/deploys/64960fd8bd5b9f000894eda7

@jonathan-innis jonathan-innis force-pushed the scope-getting-started-cf branch 2 times, most recently from d7f4de4 to 1ff134e Compare May 26, 2023 22:17
@jonathan-innis jonathan-innis changed the title chore: Start scoping cloudformation permissions [DRAFT] chore: Scope CloudFormation Permissions May 26, 2023
jonathan-innis
jonathan-innis commented May 26, 2023
View reviewed changes
Copy link
Contributor Author

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/karpenter snapshot

@github-actions
Copy link
Contributor

Snapshot successfully published to oci://public.ecr.aws/karpenter/karpenter:v0-1ff134ec63873d1ffe7be3e6c5427d72d327e2a3. Find the image tag and installation instructions at https://gallery.ecr.aws/karpenter/karpenter/

@jonathan-innis jonathan-innis force-pushed the scope-getting-started-cf branch from 1ff134e to 1f05812 Compare May 26, 2023 22:48
jonathan-innis
jonathan-innis commented May 26, 2023
View reviewed changes
Copy link
Contributor Author

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/karpenter snapshot

@github-actions
Copy link
Contributor

Snapshot successfully published to oci://public.ecr.aws/karpenter/karpenter:v0-1f058123e1f8e5727009a973ffcb2ce65467a6bc. Find the image tag and installation instructions at https://gallery.ecr.aws/karpenter/karpenter/

@jonathan-innis jonathan-innis force-pushed the scope-getting-started-cf branch from 1f05812 to b292a35 Compare May 26, 2023 23:11
jonathan-innis
jonathan-innis commented May 26, 2023
View reviewed changes
Copy link
Contributor Author

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/karpenter snapshot

@github-actions
Copy link
Contributor

Snapshot successfully published to oci://public.ecr.aws/karpenter/karpenter:v0-b292a3509cff30ec45a42da54025d9f2eae688dd. Find the image tag and installation instructions at https://gallery.ecr.aws/karpenter/karpenter/

@jonathan-innis jonathan-innis force-pushed the scope-getting-started-cf branch 3 times, most recently from 0df15aa to 498a4bf Compare May 27, 2023 03:19
@FernandoMiguel
Copy link
Contributor

I wonder if it is too much to ask that once you finish the cloudformation policy updates, if you wouldnt mind also updating the terraform ones?
https://github.com/terraform-aws-modules/terraform-aws-iam/blob/9cda42890147ee5c29c2c8eea3352e7f8d7446b9/modules/iam-role-for-service-accounts-eks/policies.tf#L586

https://github.com/terraform-aws-modules/terraform-aws-eks/blob/f741db1b2c7c4ef0409d7c2e4f588bbc639cbaf2/modules/karpenter/main.tf#L70

https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/80bd3b92e0f82f45a187805d6d847db320a01c31/modules/kubernetes-addons/karpenter/data.tf#L3

cc @bryantbiggs

@jonathan-innis
Copy link
Contributor Author

if you wouldnt mind also updating the terraform ones

@bryantbiggs There may be some room to align here. There are some cluster-scoped tags that Karpenter already uses by default that might be good to use as part of the default policy rather than asking the user to pass through an IRSA tag that they would also have to pass through to their AWSNodeTemplate.

@jonathan-innis jonathan-innis changed the title [DRAFT] chore: Scope CloudFormation Permissions chore: Scope CloudFormation Permissions May 30, 2023
jonathan-innis
jonathan-innis commented May 30, 2023
View reviewed changes
Copy link
Contributor Author

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/karpenter snapshot

@github-actions
Copy link
Contributor

Snapshot successfully published to oci://public.ecr.aws/karpenter/karpenter:v0-e62c0f74d611fe5d17e117a9cfbf3bae634ed6b1. Find the image tag and installation instructions at https://gallery.ecr.aws/karpenter/karpenter/

@jonathan-innis jonathan-innis marked this pull request as ready for review May 30, 2023 21:38
@jonathan-innis jonathan-innis requested a review from a team as a code owner May 30, 2023 21:38
@jonathan-innis jonathan-innis requested a review from bwagner5 May 30, 2023 21:38
@jonathan-innis jonathan-innis force-pushed the scope-getting-started-cf branch from e62c0f7 to d52d192 Compare May 30, 2023 21:44
@jonathan-innis jonathan-innis force-pushed the scope-getting-started-cf branch 2 times, most recently from ee2e43f to 4da472f Compare June 1, 2023 07:24
jonathan-innis
jonathan-innis commented Jun 23, 2023
View reviewed changes
Copy link
Contributor Author

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/karpenter snapshot

@github-actions
Copy link
Contributor

Snapshot successfully published to oci://public.ecr.aws/karpenter/karpenter:v0-f561954506fc31963a3ab53fa3ea72f4f61d97b3. Find the image tag and installation instructions at https://gallery.ecr.aws/karpenter/karpenter/

@jonathan-innis jonathan-innis force-pushed the scope-getting-started-cf branch from f561954 to 7accfa7 Compare June 23, 2023 16:51
jonathan-innis
jonathan-innis commented Jun 23, 2023
View reviewed changes
Copy link
Contributor Author

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/karpenter snapshot

@github-actions
Copy link
Contributor

Snapshot successfully published to oci://public.ecr.aws/karpenter/karpenter:v0-7accfa79fec61a78510ee954e127b36c4da50dcc. Find the image tag and installation instructions at https://gallery.ecr.aws/karpenter/karpenter/

@jonathan-innis jonathan-innis force-pushed the scope-getting-started-cf branch from 7accfa7 to d4a2316 Compare June 23, 2023 18:39
jonathan-innis
jonathan-innis commented Jun 23, 2023
View reviewed changes
Copy link
Contributor Author

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/karpenter snapshot

@github-actions
Copy link
Contributor

Snapshot successfully published to oci://public.ecr.aws/karpenter/karpenter:v0-d4a2316d7ebdeabecfcaa69ef8d6dc0978129721. Find the image tag and installation instructions at https://gallery.ecr.aws/karpenter/karpenter/

@jonathan-innis jonathan-innis force-pushed the scope-getting-started-cf branch from d4a2316 to 1d67741 Compare June 23, 2023 21:34
jonathan-innis
jonathan-innis commented Jun 23, 2023
View reviewed changes
Copy link
Contributor Author

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/karpenter snapshot

@github-actions
Copy link
Contributor

Snapshot successfully published to oci://public.ecr.aws/karpenter/karpenter:v0-1d6774142896ca27b785fda51ef59a2790a7cba7. Find the image tag and installation instructions at https://gallery.ecr.aws/karpenter/karpenter/

jonathan-innis
jonathan-innis commented Jun 26, 2023
View reviewed changes
Copy link
Contributor Author

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/karpenter snapshot

@github-actions
Copy link
Contributor

Snapshot successfully published to oci://public.ecr.aws/karpenter/karpenter:v0-1d6774142896ca27b785fda51ef59a2790a7cba7. Find the image tag and installation instructions at https://gallery.ecr.aws/karpenter/karpenter/

bwagner5
bwagner5 approved these changes Jun 27, 2023
View reviewed changes
Copy link
Contributor

@bwagner5 bwagner5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@jonathan-innis jonathan-innis enabled auto-merge (squash) June 27, 2023 18:01
@jonathan-innis jonathan-innis merged commit 49642f0 into aws:main Jun 27, 2023
@jonathan-innis jonathan-innis deleted the scope-getting-started-cf branch June 27, 2023 18:02
@jonathan-innis jonathan-innis mentioned this pull request Jun 29, 2023
Closed
@mbarrien mbarrien mentioned this pull request Oct 21, 2023
Closed
3 tasks
This was referenced Oct 31, 2023
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@micahhausler micahhausler micahhausler left review comments

@bwagner5 bwagner5 bwagner5 approved these changes

@njtran njtran njtran left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jonathan-innis @FernandoMiguel @micahhausler @bwagner5 @njtran