Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update example policy, use it in tests, and document it #940

Merged
merged 4 commits into from
Jun 18, 2021
Merged

Update example policy, use it in tests, and document it #940

merged 4 commits into from
Jun 18, 2021

Conversation

wongma7
Copy link
Contributor

@wongma7 wongma7 commented Jun 16, 2021
edited
Loading

Is this a bug fix or adding new feature?

What is this PR about? / Why do we need it? The example policy is a minimal restrictive example so it's not guaranteed to work in all scenarios... but there are is at least one* notable scenario where it breaks, so we should update* the example and documentation to account for this scenario:

  • if migration is enabled, the policy restricts csi from deleting volumes that were created by KCM pre-migration
    • to fix this, i've edited the example policy such that it has permission to delete volumes with tag "aws:RequestTag/kubernetes.io/cluster/<ID of the Kubernetes cluster>": "owned". also add permission to create although it's not totally necessary, maybe redundant, but to be consistent.

What testing is done?

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 16, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wongma7

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 16, 2021
@wongma7 wongma7 mentioned this pull request Jun 16, 2021
Merged
6 tasks
@wongma7 wongma7 force-pushed the iampolicy branch 3 times, most recently from 834e030 to 48fdb49 Compare June 16, 2021 23:43
@wongma7 wongma7 changed the title WIP: update example policy, set k8s-tag-cluster-id in tests, documentation, and test it all Update example policy, use it in tests, and document it Jun 16, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 16, 2021
@wongma7
Copy link
Contributor Author

wongma7 commented Jun 16, 2021

/cc @AndyXiangLi
PTAL and ping me when you get some time. thnaks

@k8s-ci-robot k8s-ci-robot requested a review from AndyXiangLi June 16, 2021 23:45
@wongma7
Copy link
Contributor Author

wongma7 commented Jun 17, 2021

/test pull-aws-ebs-csi-driver-e2e-multi-az

nckturner
nckturner reviewed Jun 17, 2021
View reviewed changes
docs/README.md Outdated
"aws:RequestTag/kubernetes.io/cluster/<ID of the Kubernetes cluster>": "owned"
}
}
},
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: do we need this partial example? Seems unnecessary, why not just leave it and let them click the link? Or maybe it should just say: "The driver needs to be able to able to manipulate volumes that were created by the in-tree plugin prior to migration turned on, so it needs to have permissions to volumes with either the deprecated KubernetesCluster=<clusterName> tag or the newer format: kubernetes.io/cluster/<clusterName>: <owned>"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think that's too much detail, I wanted to highlight the specific part of the policy i'm talking about but let me try adding a link to the line instead of including the partial example

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated "
https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/940/files#diff-0b5ca119d2be595aa307d34512d9679e49186307ef94201e4b3dfa079aa89938R200

@nckturner
Copy link

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 17, 2021
@wongma7
Copy link
Contributor Author

wongma7 commented Jun 18, 2021

/skip

@wongma7
Copy link
Contributor Author

wongma7 commented Jun 18, 2021

/retest

@k8s-ci-robot k8s-ci-robot merged commit 8b6ddd0 into kubernetes-sigs:master Jun 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nckturner nckturner nckturner left review comments

@bertinatto bertinatto Awaiting requested review from bertinatto

@vdhanan vdhanan Awaiting requested review from vdhanan

@AndyXiangLi AndyXiangLi Awaiting requested review from AndyXiangLi

Assignees

@nckturner nckturner

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wongma7 @k8s-ci-robot @nckturner