Renaming IAM Phase to Security #3639
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
/approve |
k8s-github-robot
added
the
approved
|
So how does this work now? Who runs the various phases, and in which order? |
|
Securitygroups are in cluster and elbs are in network
We need
Edited: added IAM |
|
Where does IAM fit in? Where does a locked down IAM fit in? Can we put SG & ELB into one of the existing phases? |
|
ELBs depend on SG, so they could be in Cluster, but I think it is cleaner to break them out. I have had pushback from clients on creating ELBs since they can open API to the world. They cannot be in the network because they depend on ASG. We have discussed breaking out SGs, because of the SG PR I have. Since they are really network related and not IAM perm related, they look and feel better to be broken out. ELB is the only one that we could move into Cluster. We could move SGs an IAM together, but perms for IAM are really huge. I could see a company giving SG perms but not IAM perms. What is your concern? We have discussed exactly this breakout unless I was confused. |
|
My concern is that we now have a 5 step process.
That's bad enough, but the bigger problem is that the problem you're describing might be solved by granting permissions to create an ELB only with certain Security Groups, for example. Which then puts the security group phase as a pre-requisite of the IAM phase. I'm thinking security groups might actually belong in the IAM phase, although we'd have to rename IAM to "security" |
|
We only have a 5 step process for users that need it. We can put sec groups in iam. Can I get a lgtm to
Or we can put cluster and elb together. Then
I am not concerned about 5 phases, because they will be transparent to the majority of the users. Who else is using phases? Who else can chime in? Five or four phases? Which one do you like? |
|
If we can do:
I think that's great. As you say, for most people most of those phases will be collapsed. I also like the order, in that advanced IAM policies will likely rely on security group & VPC ids, so network first makes sense. Also the network will likely be shared soon. I think the biggest challenge will be splitting out the ELB creation from the ELB attachment, because I suspect you want ELB in network-phase, but that doesn't have to happen right away. And it's never what I expect :-) |
chrislovecnm
force-pushed
the
new-phases
branch
from
adccaad to
384c74d
Compare
chrislovecnm
changed the title
|
Done @justinsb PTAL |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chrislovecnm, justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. |
Automatic merge from submit-queue. Fixing phases for security groups and elbs Please only review chrislovecnm@dc338c4 and chrislovecnm@0dc7a6e This PR depends on #3639
Adding new phases for security group and load balancers lifecycles. PRs that follow will wire this in