eks-prow-bulid-cluster: extract cluster admin IAM role to a module, fine-grained IAM permissions, docs

[xmudrii]

This PR brings the following changes to eks-prow-build-cluster:

• extract cluster admin IAM role to a submodule
  • This allows us to create IAM role and attach needed policies to it before proceeding with the cluster creation
  • Because of that, we can assume the created role and use it to create the cluster
    • Currently, we are creating the cluster using an IAM user, then assume the role only after the cluster is already created. This has some security implications, as the user that created the cluster is cluster administrator and owns all the resources (e.g. KMS keys)
• replace AdministratorAccess with fine-grained IAM permissions
  • Using AdministratorAccess is risky and not recommended
  • @rothgar recommended using iamlive to record required permissions which did the trick 🎉
  • I used the CSM mode to record the permissions
  • We have two different policies: one for maintaining the cluster and one for destroying the cluster
    • The idea behind this is to increase security and give folks ability to maintain the cluster, but not to destroy it
• README is updated with additional explanations and changes introduced in this PR

TODO:

• Try to get even more fine-grained IAM permissions
  • I used the CSM mode, but the proxy mode might give better results, so I'll give it a try
  • This is for a follow up, let's get started with this and then we can iterate later

All changes are applied to the canary cluster. I'll apply changes to the production cluster once the PR is merged.

/assign @pkprzekwas @ameukam @dims @rothgar

[xmudrii]

/hold
for review

[xmudrii]

/assign @sftim

[dims]

looks good @xmudrii thanks for confirming that this is already in the canary cluster. please merge when you are ready.

/approve
/lgtm

[rothgar]

I didn't run the make targets but the IAM looks like it does a good job separating the ability to create/manage a cluster vs delete 👍

[sftim]

Some feedback; hope it helps!

[sftim]

Is this equivalent to TF_ARGS=-destroy make apply?

[xmudrii]

Yes, it should be. For the reference:

  -destroy               Destroy Terraform-managed infrastructure.
                         The command "terraform destroy" is a convenience alias
                         for this option.

[sftim]

It looks like this policy allows escalation to AdministratorAccess. We could use that (AdministratorAccess) policy instead for now; it's simpler, and more obvious that the policy carries a risk.

Longer term, we might want to further limit the privileges that we provide here.

[rothgar]

Can you help me understand how the policy allows it to be escalated to administrator access?

[xmudrii]

We discussed using permissions boundary at KubeCon. @pkprzekwas will follow up on and create tracking issues.

[sftim]

Bear in mind that this can remove deny rules. A comment to that effect might be helpful.

[xmudrii]

A comment will be added.

[pkprzekwas]

/lgtm
I think it's fine to merge it now. IAM concerns will be addressed in a separate issue.

[dims]

thanks @pkprzekwas

/approve
/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, xmudrii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• infra/aws/terraform/prow-build-cluster/OWNERS [dims,xmudrii]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[xmudrii]

I'm applying this PR to the canary cluster, but suddenly Terraform wants to update this resource:

  # module.eks.aws_iam_openid_connect_provider.oidc_provider[0] will be updated in-place
  ~ resource "aws_iam_openid_connect_provider" "oidc_provider" {
        id              = "arn:aws:iam::468814281478:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/BE445C1D51F231A55B2A0E3D0140D458"
        tags            = {
            "Name" = "prow-build-canary-cluster-eks-irsa"
        }
      ~ thumbprint_list = [
            # (2 unchanged elements hidden)
            "414a2060b738c635cc7fc243e052615592830c53",
          - "53011a7515ca46ed6233168766a0f1729608be0e",
          + "50879ea7f7c29dd615269e559fb061b46bdd3dbe",
        ]
        # (4 unchanged attributes hidden)
    }

As per this Slack thread, we'll proceed with this update.

[xmudrii]

I had to add some additional permissions in 20d1da9 to be able to reconcile #5113 (comment)

[pkprzekwas]

/lgtm

[pkprzekwas]

Further IAM improvements will be introduced with #5160

[xmudrii]

Applied to both prod and canary
/hold cancel