Ole Markus With
f0390eda29
Dedicated function for ccm permissions
...
Update pkg/model/iam/iam_builder.go
Co-authored-by: Peter Rifel <rifelpet@users.noreply.github.com>
2021-07-16 19:39:57 +02:00
Ole Markus With
33a7de60a7
Enable IRSA for EBS CSI Driver
2021-06-18 08:05:59 +02:00
John Gardiner Myers
b82b129a54
Remove fallback support for legacy IAM
2021-05-30 16:52:42 -07:00
Ole Markus With
6f8b3647cf
Add support for IRSA in the API
...
Apply suggestions from code review
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2021-05-01 16:03:42 +02:00
guydog28
bd80c3f2b4
replace hard coded aws region checks with aws sdk calls
2021-03-24 15:31:05 +00:00
Ciprian Hacman
a3a0b91b5f
Order policy document sections alphabetically
2020-11-04 16:15:00 +02:00
Justin SB
6fa8be2716
JSON formatting of IAM: Workaround for optional fields
...
AWS IAM is very strict and doesn't support `Resource: []` for example.
We implement a custom MarshalJSON method to work around that.
2020-09-09 09:57:07 -04:00
Justin SB
a61ecf4c58
Refactor to use interface for iam Subjects
...
Hat-tip to johngmyers for the idea!
2020-09-09 09:57:07 -04:00
Justin SB
8498ac9dbb
Create PublicJWKS feature flag
...
This should be much easier to start and to get under testing; it only
works with a load balancer, it sets the apiserver into anonymous-auth
allowed, it grants the anonymous auth user permission to read our jwks
tokens. But it shouldn't need a second bucket or anything of that
nature.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-09 09:57:06 -04:00
Peter Rifel
7d9f0a06cf
Update API slice fields to not use pointers
...
This is causing problems with the Kubernetes 1.19 code-generator.
A nil entry in these slices wouldn't be valid anyways, so this should have no impact.
2020-08-24 07:46:38 -05:00
Justin SB
1e559618f5
Ensure we have IAM bucket permissions to other S3 buckets
...
If we are expected to write to other buckets, we need to have suitable
permissions to e.g. determine their location.
2020-06-04 22:37:17 -04:00
Kashif Saadat
bf30b2559f
Update AWS IAM Policy tests following Statement ID removal
2018-04-10 15:33:51 +01:00
Kashif Saadat
5bfb22ac92
Make the IAM ECR Permissions optional, can be specified within the Cluster Spec.
2017-10-24 09:20:17 +01:00
chrislovecnm
2e6b7eedb9
Revision to IAM Policies created by Kops, and wrapped in Cluster Spec
...
IAM Legacy flag.
2017-09-15 08:05:23 +01:00
Justin Santa Barbara
7b5510028a
Add CreateSecurityGroup permission
...
Also document the available filtering for the methods we use.
2017-09-10 19:14:41 -04:00
Kubernetes Submit Queue
fdce8b4b7b
Merge pull request #3186 from KashifSaadat/limit-master-ec2-policy
...
Automatic merge from submit-queue
Limit the IAM EC2 policy for the master nodes
Related to: https://github.com/kubernetes/kops/pull/3158
The EC2 policy for the master nodes is quite open currently, allowing them to create/delete/modify resources that are not associated with the cluster the node originates from. I've come up with a potential solution using condition keys to validate that the `ec2:ResourceTag/KubernetesCluster` matches the cluster name.
2017-08-28 02:00:46 -07:00
Kashif Saadat
d6e5a62678
Limit the IAM EC2 policy for the master nodes, wrapped in 'Spec.IAM.LegacyIAM' API flag.
2017-08-26 11:46:09 +01:00
Rohith
0dc4e5e4dc
Kops Secrets on Nodes
...
The current implementation permits nodes access to /secrets/*, though the nodes themselves do [not](https://github.com/gambol99/kops/blob/secrets/nodeup/pkg/model/secrets.go#L77-L79) require access. This PR changes the ACL on the IAM policy to deny nodes access to /secrets/*.
2017-08-25 19:47:37 +01:00
Kashif Saadat
0e5c393f10
Rename IAM switch to legacy, default to false for new cluster creations.
2017-08-22 13:27:55 +01:00
Kashif Saadat
0aac9b7f8d
Allow the strict IAM policies to be optional, default to original behaviour (not-strict)
2017-08-22 13:27:54 +01:00
Kashif Saadat
fd0ce236dc
Remove node requirement to access private ca and master keys in S3
2017-08-11 16:12:32 +01:00
Kashif Saadat
cd149414df
Tighten down S3 IAM policy statements
2017-08-11 11:51:46 +01:00
Justin Santa Barbara
dc9a343434
Support string-or-slice in IAM policies
...
Fix #1920
2017-02-16 22:24:28 -05:00