
Use CARM for namespace based IAM policies

Open awsandy opened this issue 2 years ago • 2 comments

Hi,

Use case: With a cluster based installation of the ACK controllers - I want to still use namespace specific IAM roles in my multi-tenant cluster.

If possible, I'd like to propose being able to use CARM to pass a namespace name rather than an account ID, and then use this to map to a specific namespace IAM role within a single account.

I've tested this and it does currently work, but it's not what CARM is intended for and of course isn't documented:

e.g.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace-1
  annotations:
    services.k8s.aws/owner-account-id: "my-namespace-1"
    services.k8s.aws/default-region: "eu-west-2"
```

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ack-role-account-map
  namespace: ack-system
data:
  "my-namespace-1": arn:aws:iam::000000000000:role/my-namespaces-1 # map namespace to corresponding role
```

This may also require the code to check if the annotation services.k8s.aws/owner-account-id is not a 12-digit number (an account number), and if so set the status.resourceMetadata.OwnerAccountID metadata to the current account number.

Perhaps this would all be better implemented with an alternative new annotation, "services.k8s.aws/owner-namespace-name", and a ConfigMap "ack-role-namespace-map"?

Thanks

Andy

awsandy avatar Apr 04 '22 14:04 awsandy
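The lookup proposed in the issue above, written out as an added Go example (it is not ACK runtime code): the namespace's owner-account-id annotation keys into the ack-role-account-map ConfigMap data, and the 12-digit check decides whether the reported owner account is the annotated value or the controller's current account. The Resolve function, the Resolution type and the fail-closed handling of an unmapped key are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Annotation keys used by ACK's CARM feature, as quoted in the issue.
const (
	OwnerAccountIDAnnotation = "services.k8s.aws/owner-account-id"
	DefaultRegionAnnotation  = "services.k8s.aws/default-region"
)
// accountIDRe matches a 12-digit AWS account ID.
var accountIDRe = regexp.MustCompile(`^[0-9]{12}$`)

// Resolution is what the controller would use for a resource in the namespace.
type Resolution struct {
	OwnerAccountID string // value for status.resourceMetadata.OwnerAccountID
	RoleARN        string // role to assume; empty means the controller's own identity
	Region         string
}

// Resolve applies the issue's proposed lookup (hypothetical helper, not ACK code):
// the annotation value keys into the ack-role-account-map data; if it is not a
// 12-digit account ID, the owner account is reported as the current account.
func Resolve(nsAnnotations, roleMap map[string]string, currentAccountID string) (Resolution, error) {
	res := Resolution{OwnerAccountID: currentAccountID, Region: nsAnnotations[DefaultRegionAnnotation]}
	key := nsAnnotations[OwnerAccountIDAnnotation]
	if key == "" {
		return res, nil // unannotated namespace: controller's own account and credentials
	}
	arn, ok := roleMap[key]
	if !ok {
		// Assumption: fail closed so an annotated tenant never silently runs on the
		// controller's broader credentials.
		return Resolution{}, fmt.Errorf("no role mapped for %q in ack-role-account-map", key)
	}
	if accountIDRe.MatchString(key) {
		res.OwnerAccountID = key // classic cross-account CARM: key is the owner account
	}
	res.RoleARN = arn
	return res, nil
}

func main() {
	// Constructed sample: the Namespace annotations and ConfigMap data from the issue.
	ns := map[string]string{OwnerAccountIDAnnotation: "my-namespace-1", DefaultRegionAnnotation: "eu-west-2"}
	cm := map[string]string{"my-namespace-1": "arn:aws:iam::000000000000:role/my-namespaces-1"}
	r, err := Resolve(ns, cm, "000000000000")
	fmt.Println(r, err)
}
```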

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot avatar Jul 03 '22 17:07 ack-bot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle rotten

ack-bot avatar Aug 02 '22 17:08 ack-bot

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Provide feedback via https://github.com/aws-controllers-k8s/community. /close

ack-bot avatar Sep 01 '22 17:09 ack-bot

@ack-bot: Closing this issue.

In response to this:

> Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Provide feedback via https://github.com/aws-controllers-k8s/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

ack-bot avatar Sep 01 '22 17:09 ack-bot