feat: Add load_balancer_controller targetgroup binding only role #199
Conversation
cdhesse
changed the title
cdhesse
changed the title
In extensive testing, I realized the documentation had missed the permission "ec2:DescribeVpcs" so the aws-load-balancer-controller was throwing unauthorized errors as a result. After adding "ec2:DescribeVpcs" everything is working as expected.
|
kubernetes-sigs/aws-load-balancer-controller#2542 was also created to address the missing describevps iam permission. |
Issue 2542 has been closed as of today in the aws-load-balancer-controller repo. |
| "ec2:DescribeVpcs", | ||
| "elasticloadbalancing:DescribeTargetGroups", | ||
| "elasticloadbalancing:DescribeTargetHealth", | ||
| "elasticloadbalancing:ModifyTargetGroup", |
There was a problem hiding this comment.
For the Modify*/Register*/Deregeister* actions, should we not break these permissions out to avoid the wildcard, similar to the full controller policy. Something like
statement {
actions = [
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:DescribeVpcs",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
]
resources = ["*"]
}
statement {
actions = [
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
]
resources = ["*"]
condition {
test = "Null"
variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
values = ["false"]
}
}
statement {
actions = [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets",
]
resources = ["arn:${local.partition}:elasticloadbalancing:*:*:targetgroup/*/*"]
}With that we could even go one step further and allow users to restrict which target groups with
statement {
actions = [
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:DescribeVpcs",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
]
resources = ["*"]
}
statement {
actions = [
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
]
resources = ["*"]
condition {
test = "Null"
variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
values = ["false"]
}
}
statement {
actions = [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets",
]
resources = [for name in var.load_balancer_controller_targetgroup_names :
"arn:${local.partition}:elasticloadbalancing:*:*:targetgroup/${name}/*"
]
}Where the variable load_balancer_controller_targetgroup_names defaults to *. What do you think?
There was a problem hiding this comment.
The use case for TargetGroupBinding only mode, vs. full ALB, is that you want to create (or already have pre-existing) TargetGroups outside of the kubernetes environment. This change would require the TargetGroup in question to have the elbv2.k8s.aws/cluster tag. While on one hand this solution ensures that at least the owner/creator of the TargetGroup intended for it to be updated from a load-balancer-controller, the downside is there may be valid reasons for that tag to not exist.
The second thought - your proposed change is a better version than what is documented as part of the load-balancer-controller intro guide. A person trying for the first time to use this module would quickly realize it didn't work, until they reverse engineer looking at this policy, then see that they need to go back and tag their TargetGroups with this k8s tag. I suggest that if you implement it this way, the ideal would be that the TargetBingingOnly documentation should include this more restricted version of the role vs. their more permissive one. The load-balancer-controller documentation could then describe the requirement to tag the TargetGroup.
However, the Register/Deregister change I think is brilliant. We could make an option as well for var.load_balancer_controller_targetgroup_arns if we wanted to, and then you could pass name or arn...?
There was a problem hiding this comment.
For now we'll proceed with what is defined by the upstream documentation. We can revisit later for any additional policy scoping
|
@cdhesse if you could make the requested tweaks, update your branch with the latest, and re-run |
Co-authored-by: Bryant Biggs <[email protected]>
Co-authored-by: Bryant Biggs <[email protected]>
I've done as you requested, should be ready to merge now, thank you! |
There was a problem hiding this comment.
thanks again for the PR @cdhesse - good to go @antonbabenko 👍🏽
## [4.16.0](v4.15.1...v4.16.0) (2022-03-25) ### Features * Add load_balancer_controller targetgroup binding only role ([#199](#199)) ([e00526e](e00526e))
|
This PR is included in version 4.16.0 🎉 |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
This implements a least privilege role for load_balancer_controller when using TargetGroup binding only as documented here.
Motivation and Context
The current module has a role for load_balancer_controller, but it is the full set of permissions, which are not required when implementing TargetGroup binding only.
Breaking Changes
No
How Has This Been Tested?
examples/*projectsI tested the changes by executing the examples/iam-role-for-service-accounts-eks, and added a module call there to create the new role.