✨ Support setting role path and permissions boundary on managed IAM roles #5286
Conversation
k8s-ci-robot
added
kind/feature
|
|
k8s-ci-robot
added
the
cncf-cla: no
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hi @robinkb. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-ok-to-test
robinkb
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
k8s-ci-robot
added
cncf-cla: yes
|
@robinkb PermissionsBoundary are required for CloudFormation template rendering for creating roles and permissions. |
|
Hi @pavansokkenagaraj, thanks for the feedback. I've amended my commit. However, I see more roles generated in the template: Do these need to be changed, too? I didn't use the bootstrap proces, so I'm not really familiar with how it works. |
|
We are in the process of testing this on our own environment now. The most recent update includes some shenanigans around pointers. I'm not sure which way I am expected to handle them, as the codebase is inconsistent. The Spec for AWSManagedControlPlane uses pointers to strings for optional values, while the Spec for AWSFargateProfile does not, for example. |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
Yes, roles/permissions which are created in template function for eks need to be updated. The other thing I had to do was to set the permissionsBoundary if it is not nil/empty |
|
@pavansokkenagaraj Thanks for the testing, I will get that fixed. Regarding the failing |
|
@robinkb - we don't need to worry about the apidiff if its outside an |
|
/override pull-cluster-api-provider-aws-apidiff-main |
|
@richardcase: Overrode contexts on behalf of richardcase: pull-cluster-api-provider-aws-apidiff-main In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
…ane, EKS fargate profile, and managed machine pools Signed-off-by: Robin Ketelbuters <[email protected]>
|
@robinkb: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@richardcase I think that I've resolved all comments. Please take a look. |
|
@robinkb - would you be able to change the release note section to "action required". Normaly when we make changes to the IAM permissions we call it out the release notes to say something like |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Allows setting the role path and permissions boundary on managed IAM roles for EKS control plane, EKS Fargate profile, and managed machine pools. This is typically needed in enterprise environments with more stringent IAM requirements.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #5285
Special notes for your reviewer:
This is my first PR on this repository. I noticed a warning when generating code, and I wasn't sure if this needed to be fixed:
Checklist:
Release note: