Split AWS/IAM policies for master and workers #370
Conversation
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| { | ||
| "Effect": "Allow", |
There was a problem hiding this comment.
Here are the reduced EC2 permissions.
| AWSEntity | ||
| } | ||
|
|
||
| func (p *Policy) clusterPolicyName() string { | ||
| return fmt.Sprintf("%s-%s", p.ClusterID, PolicyNameTemplate) | ||
| return fmt.Sprintf("%s-%s-%s", p.ClusterID, p.PolicyType, PolicyNameTemplate) |
There was a problem hiding this comment.
AWS identifiers now also contain the policy type.
|
|
||
| policyDocument := fmt.Sprintf(policyTemplate, p.KMSKeyArn, p.S3Bucket, p.S3Bucket) | ||
| clusterRoleName := p.clusterRoleName() |
There was a problem hiding this comment.
clusterRoleName now uses the helper func
| if _, err := p.Clients.IAM.PutRolePolicy(&iam.PutRolePolicyInput{ | ||
| PolicyName: aws.String(clusterPolicyName), | ||
| PolicyName: aws.String(p.clusterPolicyName()), |
There was a problem hiding this comment.
As does the policy name.
service/create/service.go
Outdated
| bucketName := s.bucketName(cluster) | ||
|
|
||
| var policy resources.NamedResource | ||
| var policyErr error | ||
| // Create master IAM policy |
There was a problem hiding this comment.
Here both policies are now created.
There was a problem hiding this comment.
Every time someone writes a sentence without using a full stop a pomsky puppy dies.
| @@ -759,7 +777,7 @@ func (s *Service) addFunc(obj interface{}) { | |||
| securityGroup: mastersSecurityGroup, | |||
| subnet: publicSubnet, | |||
| keyPairName: cluster.Name, | |||
| instanceProfileName: policy.GetName(), | |||
| instanceProfileName: masterPolicy.GetName(), | |||
There was a problem hiding this comment.
Here the master EC2 instance uses the new profile.
| @@ -871,7 +889,7 @@ func (s *Service) addFunc(obj interface{}) { | |||
| securityGroup: workersSecurityGroup, | |||
| subnet: publicSubnet, | |||
| keypairName: cluster.Name, | |||
| instanceProfileName: policy.GetName(), | |||
| instanceProfileName: workerPolicy.GetName(), | |||
There was a problem hiding this comment.
Here the workers launch config uses the new policy.
| "Action": [ | ||
| "s3:ListBucket" | ||
| ], | ||
| "Resource": "arn:aws:s3:::%s" |
There was a problem hiding this comment.
When we add more items that have to be dynamically placed here we should consider making this a real golang template. It is going to be hard to see how many format placeholders are in here.
There was a problem hiding this comment.
Yes I think we should move to golang templates. The templates will need more logic when we make the ECR permissions configurable. We may also need to add templates for Cloud Formation.
service/create/service.go
Outdated
| bucketName := s.bucketName(cluster) | ||
|
|
||
| var policy resources.NamedResource | ||
| var policyErr error | ||
| // Create master IAM policy |
There was a problem hiding this comment.
Every time someone writes a sentence without using a full stop a pomsky puppy dies.
| S3Bucket: bucketName, | ||
| AWSEntity: awsresources.AWSEntity{Clients: clients}, | ||
| masterPolicy = &awsresources.Policy{ | ||
| ClusterID: cluster.Spec.Cluster.Cluster.ID, |
There was a problem hiding this comment.
In some other operators we created key methods for data that is often accessed. That maybe helps at some point reducing the hustle to find out where what data is located within a structure. One day it also might help refactoring or changing the data's location within the structure.
There was a problem hiding this comment.
Good point I've seen the getKeys methods in the other operators. There is much refactoring to be done I'll keep this in mind.
| @@ -824,7 +842,7 @@ func (s *Service) addFunc(obj interface{}) { | |||
| // If the policy couldn't be created and some instances didn't exist before, that means that the cluster | |||
| // is inconsistent and most problably its deployment broke in the middle during the previous run of | |||
| // aws-operator. | |||
| if anyMastersCreated && (kmsKeyErr != nil || policyErr != nil) { | |||
| if anyMastersCreated && (kmsKeyErr != nil || masterPolicyErr != nil || workerPolicyErr != nil) { | |||
There was a problem hiding this comment.
I am wondering why we do not handle all these errors separately. I think these errors should be handled somehow even if there are no masters created. I also do not see where these errors come from, so this could be clearer. I am not into the details here but I think errors should immediately handled when they occur. This might be a candidate for improvements when we move to the operatorkit reconciliation framework.
There was a problem hiding this comment.
There is an issue for whether this check is still needed. I added the new errors here for completeness.
| AWSEntity: awsresources.AWSEntity{Clients: clients}, | ||
| } | ||
| if err := masterPolicy.Delete(); err != nil { | ||
| s.logger.Log("error", fmt.Sprintf("%#v", err)) |
There was a problem hiding this comment.
IMO we should retry on errors and not move forward. This would also come for free with the reconciliation framework.
There was a problem hiding this comment.
At the moment the retry logic has only been added where needed. So I don't think its needed in this case. But using the framework so all resources have retry support would be a big improvement.
|
@xh3b4sd Comments are tidied up :) There were many full stops missing in the add and delete funcs. So the lives of many puppies were saved ;) |
|
Thanks for adding the permissions to pull images from AWS ECR (#364)! |
|
@hobti01 You're welcome and thanks again for your PR! |
Fixes #330
This PR splits the master and worker IAM policies and makes 2 permissions changes. These have been tested on a locally launched cluster.
https://github.com/kubernetes/kubernetes/tree/release-1.5/cluster/aws/templates/iam