terraform-aws-iam
feat: Allow access to keypairs for Karpenter controller policy
When Karpenter provisioners are using a custom LaunchTemplate there is a chance that it includes a custom key-pair.
I'm not sure about this addition, since Karpenter relies on the AmazonSSMManagedInstanceCore policy and therefore remote access is available via SSM.
Since adding a keypair is a feature of launch templates, why would someone limit this? We usually connect to our instances via SSH if we need to debug something! I mean, the fact that there is remote connection through SSM Managed Instance is kind of irrelevant to the fact that one can use a custom keypair!
Understood - but this is not a recommended practice over using something like SSM where credentials are ephemeral and access can be controlled through policies.
I think if you want to add this permission, the route I would suggest today is to add it through a custom policy and attach it to the role using role_policy_arns.
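One way to follow the maintainer's suggestion, as an added example that is not code from this PR or from the module itself: a separate read-only customer-managed policy attached to the controller role through `role_policy_arns`, leaving the module's built-in Karpenter controller policy untouched. The action `ec2:DescribeKeyPairs`, the module source and version, the `attach_karpenter_controller_policy` / `karpenter_controller_*` / `oidc_providers` inputs and every `var.*` value are assumptions for illustration; check them against the module version you actually use.

```hcl
# Added example (not from the PR or the module): give the Karpenter
# controller read access to EC2 key pairs via its own small policy.

data "aws_iam_policy_document" "karpenter_keypairs" {
  statement {
    sid    = "DescribeKeyPairs"
    effect = "Allow"
    # Assumption: the Describe call is the only key-pair action the
    # controller needs to resolve a launch template's KeyName.
    actions = ["ec2:DescribeKeyPairs"]
    # EC2 Describe* calls do not support resource-level restrictions,
    # so "*" is the narrowest resource available here.
    resources = ["*"]
  }
}

resource "aws_iam_policy" "karpenter_keypairs" {
  name_prefix = "karpenter-keypairs-"
  description = "Read-only key pair access for the Karpenter controller"
  policy      = data.aws_iam_policy_document.karpenter_keypairs.json
}

module "karpenter_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 5.0" # assumed; pin to the version you run

  role_name                          = "karpenter-controller"
  attach_karpenter_controller_policy = true

  # Placeholders: supply your own cluster name and node role ARN.
  karpenter_controller_cluster_id         = var.cluster_name
  karpenter_controller_node_iam_role_arns = [var.node_iam_role_arn]

  # The extra permission rides alongside the module-managed policy,
  # so it is visible as a distinct attachment in IAM and in audit.
  role_policy_arns = {
    keypairs = aws_iam_policy.karpenter_keypairs.arn
  }

  oidc_providers = {
    main = {
      provider_arn               = var.oidc_provider_arn # placeholder
      namespace_service_accounts = ["karpenter:karpenter"]
    }
  }
}
```

Keeping the grant as a separate read-only policy makes it easy to review or revoke later if the launch templates stop referencing a key pair.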
Hello @bryantbiggs , thank you for your feedback!
This is what I am currently doing in order to work around it, but I am not sure why this might not be a feature that could be added. Even if it is not a recommended practice, I certainly believe there are a lot of customers out there that will probably migrate from CA to Karpenter and may be using LTs with custom keypairs. 🤔
Identical issue here, was going to make the same PR. It may not be the default but I could suggest making it an optional flag? Arriving at the solution of attaching an additional policy takes some time to hunt down the real issue and come to that conclusion; this difficulty will be multiplied by the number of users migrating from CA to Karpenter using this module, so it might be worth making more explicit at least.
Indeed, this is my main reasoning as well. Of course I am open to changing things to optional if needed, or to adding a flag that creates an additional policy attachment and is not included by default!
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this PR will be closed in 10 days.
This PR shouldn’t close IMO!
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this PR will be closed in 10 days.
This PR still shouldn’t close IMO!
Even if it is not a recommended practice, I certainly believe there are a lot of customers out there that will probably migrate from CA to Karpenter and may be using LTs with custom keypairs. 🤔
We are exactly in this category.
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this PR will be closed in 10 days.
Nope!
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this PR will be closed in 10 days.
This PR was automatically closed after being stale for 10 days.
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.