This repository has been archived by the owner on Sep 30, 2020. It is now read-only.

Too permissive IAM policy for CA associated to controller nodes #903

Closed
mumoshu opened this issue Sep 1, 2017 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.
Comments

mumoshu (Contributor) commented Sep 1, 2017

The IAM policy associated with controller nodes is unnecessarily permissive for running CA.

```json
{
  "Effect": "Allow",
  "Action": [
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeTags",
    "autoscaling:SetDesiredCapacity",
    "autoscaling:TerminateInstanceInAutoScalingGroup"
  ],
  "Resource": "*"
}
```

What we actually want instead would look exactly the same as the one for worker nodes:

```json
[
  {
    "Action": [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeTags"
    ],
    "Effect": "Allow",
    "Resource": "*"
  },
  {
    "Action": [
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup"
    ],
    "Condition": {
      "Null": { "autoscaling:ResourceTag/kubernetes.io/cluster/{{.ClusterName}}": "false" }
    },
    "Effect": "Allow",
    "Resource": "*"
  }
]
```

The latter is better because it prevents any app running on the nodes from terminating EC2 instances outside of the K8S cluster. For instance, it would have prevented a misbehaving CA from terminating EC2 instances outside of the K8S cluster, as we experienced in #800.
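To make the difference between the two statements concrete, here is a small evaluator I added for this issue (not kube-aws code). It models only what these statements use: Allow statements, `Resource: "*"`, and the IAM `Null` condition operator, where `"false"` means the named key must be present in the request context. The cluster name and the request contexts are constructed placeholders.

```python
"""Evaluate the two controller-node policy shapes against constructed
autoscaling requests. Added example, not part of kube-aws."""

CLUSTER = "example-cluster"  # constructed stand-in for {{.ClusterName}}
TAG_KEY = f"autoscaling:ResourceTag/kubernetes.io/cluster/{CLUSTER}"

DESCRIBE = ["autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeAutoScalingInstances",
            "autoscaling:DescribeTags"]
MUTATE = ["autoscaling:SetDesiredCapacity",
          "autoscaling:TerminateInstanceInAutoScalingGroup"]

# The permissive form from the issue: mutating actions on "*", no Condition.
PERMISSIVE = [{"Effect": "Allow", "Action": DESCRIBE + MUTATE, "Resource": "*"}]

# The worker-node form: describes are unconditional, mutations require the
# target ASG to carry the kubernetes.io/cluster/<name> tag ("Null": "false").
SCOPED = [
    {"Effect": "Allow", "Action": DESCRIBE, "Resource": "*"},
    {"Effect": "Allow", "Action": MUTATE, "Resource": "*",
     "Condition": {"Null": {TAG_KEY: "false"}}},
]

# Constructed request contexts: IAM derives ResourceTag keys from the tags of
# the ASG being acted on. A cluster-owned ASG has the key; a foreign one does not.
CTX_CLUSTER_ASG = {TAG_KEY: "owned"}
CTX_FOREIGN_ASG = {}


def _null_condition_holds(cond, ctx):
    """IAM Null operator: "true" -> key must be absent, "false" -> present."""
    for key, want_absent in cond.get("Null", {}).items():
        present = key in ctx
        if (want_absent == "true" and present) or (want_absent == "false" and not present):
            return False
    return True


def is_allowed(policy, action, ctx):
    """Minimal evaluator: the action is allowed if any Allow statement names it
    and that statement's conditions hold for the request context."""
    for st in policy:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        if _null_condition_holds(st.get("Condition", {}), ctx):
            return True
    return False


def find_unscoped_mutations(policy):
    """Lint check: mutating autoscaling actions granted on "*" with no Condition."""
    return sorted(a for st in policy for a in st["Action"]
                  if a in MUTATE and st.get("Resource") == "*" and "Condition" not in st)
```

With the scoped policy a terminate call against an ASG lacking the cluster tag is denied, which is exactly the failure mode from #800 that the permissive policy lets through.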

@mumoshu mumoshu added the kind/bug Categorizes issue or PR as related to a bug. label Sep 1, 2017
@mumoshu mumoshu added this to the v0.9.9-rc.1 milestone Sep 1, 2017
@mumoshu mumoshu changed the title Fix too permissive IAM policy for CA associated to controller nodes Too permissive IAM policy for CA associated to controller nodes Sep 1, 2017
camilb added a commit to camilb/kube-aws that referenced this issue Oct 9, 2017
…-aws

* 'master' of https://github.com/kubernetes-incubator/kube-aws: (55 commits)
  Bump default k8s to 1.7.5
  Fix the scheduling and permissions issue of CA by fixing the conditional in stack-template.json for worker and controller stacks, while making configuration easier.
  Fix tests
  Read worker-ca-key.pem instead of ca-key.pem when certs are managed by kube-aws and TLS bootstrapping is enabled. Formerly, ca-key.pem was read to be installed on controller nodes to support TLS bootstrapping. However, we have the CA dedicated for TLS bootstrapping today, instead of the one used more widely.
  Fix the bug that symlinks under `credentials` were not accessible from anywhere other than the parent of the `credentials` dir
  Fix the bug that the contents of ca-key.pem was that of ca.pem
  Add more informational log messages to the render-credentials command
  Fix a degradation in message ordering As explained in kubernetes-retired#877 (comment)
  Fix the existing CA support It seems to have broken at some point.
  Fix the json parsing error when clusterAutoscalerSupport is enabled on node pools
  Fix too permissive IAM policy for CA associated to controller nodes Fix kubernetes-retired#903
  Add spot fleet support for the `awsNodeLabels` feature Resolves kubernetes-retired#803
  Drop the ability to disable RBAC via cluster.yaml
  Enable RBAC by default Resolves kubernetes-retired#655
  Fix the hard-coded duration until an etcd cert generated by kube-aws expires Fix kubernetes-retired#892
  Fix test timeouts in CI Resolves kubernetes-retired#893
  Fix ca-key.pem handling and tests
  Create symlinks in test helpers
  Dedicated worker CA and Etcd trusted CA bundle
  Fix encrypted files regen tests
  ...