
ASM installation script does not consider IAM roles inherited via group membership

Open alexbrand-au opened this issue 3 years ago • 6 comments

Our organization leverages groups to manage IAM roles instead of granting roles to individual users directly.

The install_asm script performs various checks to determine the user's IAM roles. For example, to determine whether the user is a cluster admin:

  # Collect the roles bound to ${IAM_USER} in the project's IAM policy,
  # then grep for the one the check needs (here roles/container.admin).
  ROLES="$(gcloud projects \
    get-iam-policy "${PROJECT_ID}" \
    --flatten='bindings[].members' \
    --filter="bindings.members:${IAM_USER}" \
    --format='value(bindings.role)' 2>/dev/null)"
  if echo "${ROLES}" | grep -q roles/container.admin; then return; fi

This command filters the IAM policy bindings based on the user ID. Any roles inherited via group memberships are not taken into consideration.

Ideally, the install_asm script should support IAM roles inherited from groups.

alexbrand-au (Apr 28 '21 19:04)
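As an added example (not code from the anthos-service-mesh-packages repo or from the issue author), the same role check written to count a binding as held if it is bound either to the user directly or to a group the user belongs to. It runs offline against a constructed policy dump and a constructed group list; the two `fetch_*` helpers that would obtain those inputs from `gcloud` are assumptions about the CLI (in particular the Cloud Identity `search-transitive-groups` query and its `groupKey.id` field) and are not executed.

```shell
#!/bin/sh
# Added example (not from the anthos-service-mesh-packages repo): decide whether
# a user holds an IAM role on a project, counting roles bound directly to the
# user AND roles bound to groups the user is a (transitive) member of.
set -eu

TAB=$(printf '\t')

# Constructed sample of the output of
#   gcloud projects get-iam-policy "$PROJECT_ID" --flatten='bindings[].members' \
#     --format='value(bindings.members,bindings.role)'
# i.e. one "member<TAB>role" line per (member, role) pair.
SAMPLE_BINDINGS=$(printf '%s\t%s\n' \
  'user:alice@example.com'                            'roles/viewer' \
  'group:mesh-admins@example.com'                     'roles/container.admin' \
  'group:mesh-admins@example.com'                     'roles/gkehub.admin' \
  'serviceAccount:ci@example.iam.gserviceaccount.com' 'roles/owner')

# Constructed sample of the groups alice belongs to, one address per line.
SAMPLE_GROUPS=$(printf '%s\n' 'mesh-admins@example.com' 'all-staff@example.com')

# has_role BINDINGS GROUPS USER_EMAIL ROLE  -> exit 0 if held, 1 otherwise.
# Passing an empty GROUPS reproduces what the install_asm check sees today:
# bindings on the user principal only.
has_role() {
  bindings=$1; groups=$2; user=$3; role=$4
  while IFS="$TAB" read -r member bound_role; do
    [ "$bound_role" = "$role" ] || continue
    case "$member" in
      "user:$user")
        return 0 ;;
      group:*)
        # Whole-line, fixed-string match so "admins@example.com" does not
        # match "mesh-admins@example.com".
        if printf '%s\n' "$groups" | grep -qxF -- "${member#group:}"; then
          return 0
        fi ;;
    esac
  done <<EOF
$bindings
EOF
  return 1
}

# Live variants, NOT run by this script.  Both are assumptions about gcloud;
# the second needs the Cloud Identity API and permission to query the user's
# memberships, which the person running install_asm may not have.
fetch_bindings() {
  gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --format='value(bindings.members,bindings.role)'
}
fetch_transitive_groups() {
  gcloud identity groups memberships search-transitive-groups \
    --member-email="$1" \
    --labels='cloudidentity.googleapis.com/groups.discussion_forum' \
    --format='value(groupKey.id)'
}

# Demo on the constructed data: direct-only vs. direct-plus-groups.
for r in roles/viewer roles/container.admin roles/owner; do
  if has_role "$SAMPLE_BINDINGS" "" alice@example.com "$r"; then direct=yes; else direct=no; fi
  if has_role "$SAMPLE_BINDINGS" "$SAMPLE_GROUPS" alice@example.com "$r"; then via=yes; else via=no; fi
  printf '%-24s direct=%s with-groups=%s\n' "$r" "$direct" "$via"
done
```

With the sample data, roles/container.admin is reported as not held when only direct bindings are consulted and as held once the group list is included, which is exactly the gap the issue describes. The group lookup is the expensive part: it is a second API with its own permissions, so a real fix in the installer would need to fall back gracefully (or to an explicit skip flag) when that query is denied.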

I'm also running into this bug. Considering group membership would be awesome. Another option would be a --skip_validation flag that just attempts the install without verifying anything (in theory a user would have run with the --only_validate option beforehand).

caddac (Jun 10 '21 16:06)

Sorry for the late response! Just to acknowledge it, this is a real bug and it's on the backlog to work on, we just haven't had a chance to prioritize it yet.

To unblock things immediately, if necessary: if you set the _CI_NO_VALIDATE environment variable to 1 before running, it should skip this. That was intended to help testing in our own CI/CD pipelines, so I can't guarantee the user experience will be great if there's an error, but it should work.

zerobfd (Jun 10 '21 17:06)

This is really helpful. I'm running the script with validation and an output directory so I can edit the istio-operator before installation. This will let me move forward without requiring me to create user-specific IAM roles in my projects.

caddac (Jun 11 '21 16:06)

@caddac not directly related to the issue, but if you have a few minutes: what sorts of edits are you making on the operator? And is this something you're doing manually, or is it part of a pipeline?

I want to make sure we understand how different customers are using our tools so we can make sure we make all of the use cases intuitive.

zerobfd (Jun 11 '21 17:06)

At this time I'm either disabling the ingress gateway (for an internal cluster) or updating it to use a static external IP (for an edge cluster). I know the docs indicate I can use overlay files for resources in the options directory, but didn't see anything about editing the istio-operator.yaml file. At this time I'm making the edits manually and applying the manifests manually. I use FluxCD to manage my clusters and would love to manage the ASM installation using this tool, but haven't gotten that working yet.

caddac (Jun 11 '21 19:06)

@zerobfd I tried the _CI_NO_VALIDATE env var but still got an error about missing IAM roles. I ended up just adding the --enable_gcp_iam_roles flag and will clean up IAM afterwards.

caddac (Jun 14 '21 20:06)