From 55f4beb2c5fb683fbd794b2d302c3e5af51a3b6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Pawe=C5=82=20G=C5=82azik?= Date: Sun, 12 Feb 2017 18:13:46 +0100 Subject: [PATCH] Update docs regarding IAM roles --- docs/iam_roles.md | 5 ++++- docs/security.md | 5 +++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/iam_roles.md b/docs/iam_roles.md index 789e715649..e429f5873c 100644 --- a/docs/iam_roles.md +++ b/docs/iam_roles.md @@ -1,7 +1,10 @@ # IAM Roles Two IAM roles are created for the cluster: one for the masters, and one for the nodes. -The permissions are kept to the minimum required to setup and maintain the cluster. + +> Work is being done on scoping permissions to the minimum required to setup and maintain cluster. +> Please not that currently all Pods running on your cluster have access to instance IAM role. +> Consider using projects such as [kube2iam](https://github.com/jtblin/kube2iam) to prevent that. Master permissions: diff --git a/docs/security.md b/docs/security.md index 520c9a92bd..3f69f1da18 100644 --- a/docs/security.md +++ b/docs/security.md @@ -18,6 +18,11 @@ To change the SSH public key on an existing cluster: * `kops update cluster --yes` to reconfigure the auto-scaling groups * `kops rolling-update cluster --name --yes` to immediately roll all the machines so they have the new key (optional) +## IAM roles + +All Pods running on your cluster have access to underlying instance IAM role. +Currently permission scope is quite broad. See [iam_roles.md](iam_roles.md) for details and ways to mitigate that. + ## Kubernetes API
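Review bot: The blockquote added to docs/iam_roles.md has a typo on its second line: "Please not that currently all Pods running on your cluster have access to instance IAM role." should read "Please note that currently all Pods running on your cluster have access to the instance IAM role." The first line would also read better as "...the minimum required to set up and maintain the cluster." Since this hunk removes the previous statement that permissions are kept to the minimum, the quoted warning is now the only description of the role scope, so it is worth getting the wording right.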
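Review bot: The new "IAM roles" section in docs/security.md is missing articles: "All Pods running on your cluster have access to underlying instance IAM role." should be "All Pods running on your cluster have access to the underlying instance IAM role.", and "Currently permission scope is quite broad." should be "Currently the permission scope is quite broad." The cross-reference to iam_roles.md for details and mitigations is appropriate, since that file is where kube2iam is mentioned in this same patch.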