
Tighten example IAM policy

Open johngmyers opened this issue 3 years ago • 5 comments

Issue

N/A

Description

This tightens the example IAM policy by removing a policy statement that is redundant except for lacking a condition requiring an ownership tag.

This has not been tested.

Checklist

  • [ ] Added tests that cover your change (if possible)
  • [x] Added/modified documentation as required (such as the README.md, or the docs directory)
  • [ ] Manually tested
  • [x] Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! :exploding_head:

  • [ ] Backfilled missing tests for code in same general area :tada:
  • [ ] Refactored something and made the world a better place :star2:

johngmyers avatar Feb 14 '22 23:02 johngmyers

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: johngmyers To complete the pull request process, please assign kishorj after the PR has been reviewed. You can assign the PR to them by writing /assign @kishorj in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Feb 14 '22 23:02 k8s-ci-robot

@johngmyers: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • Test name: pull-aws-load-balancer-controller-e2e-test
  • Commit: 6e2bf2b04188912abc5a1eef9f21e7ce325840ed
  • Details: link
  • Required: true
  • Rerun command: /test pull-aws-load-balancer-controller-e2e-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

k8s-ci-robot avatar Feb 15 '22 01:02 k8s-ci-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar May 16 '22 02:05 k8s-triage-robot

/remove-lifecycle stale

bryantbiggs avatar May 16 '22 12:05 bryantbiggs

@johngmyers: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 05 '22 05:08 k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: johngmyers Once this PR has been reviewed and has the lgtm label, please assign kishorj for approval by writing /assign @kishorj in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Oct 23 '22 03:10 k8s-ci-robot

/retest

johngmyers avatar Oct 23 '22 17:10 johngmyers

/retest

johngmyers avatar Oct 23 '22 19:10 johngmyers

This is documentation-only, so no idea why the e2e test is failing. /retest

johngmyers avatar Oct 23 '22 21:10 johngmyers

@johngmyers: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • Test name: pull-aws-load-balancer-controller-e2e-test
  • Commit: e283f519d55c2c8c9e1cadfdc0dae144cab389a4
  • Details: link
  • Required: true
  • Rerun command: /test pull-aws-load-balancer-controller-e2e-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

k8s-ci-robot avatar Oct 23 '22 23:10 k8s-ci-robot

This is documentation-only, so no idea why the e2e test is failing.

The e2e test configures the IAM policies from the docs/install/iam_policy.json file. Since your change removes the AuthorizeSecurityGroupIngress permission, the controller is no longer able to configure access from the ALB to your application pods - hence the 503 error.

kishorj avatar Oct 24 '22 17:10 kishorj

Perhaps what is needed is a script that takes the cluster name and generates the policy with permissions scoped to that cluster?

johngmyers avatar Oct 24 '22 19:10 johngmyers
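One way to build the per-cluster policy generator suggested above, and to lint a policy for the kind of unconditioned security-group statement this PR removes, as an added example that is neither the project's code nor the contents of docs/install/iam_policy.json. It assumes the controller tags the security groups it creates with elbv2.k8s.aws/cluster, that the node security group the controller must open for ALB traffic carries a kubernetes.io/cluster/<name> tag, and it uses a constructed sample policy; the StringEquals conditions, the tag keys and the cluster-name pattern are all assumptions.

```python
#!/usr/bin/env python3
"""Generate a cluster-scoped IAM fragment for the controller's security-group
permissions and lint an existing policy for unconditioned grants of them.

Added example, not the project's script. Tag keys, statement shapes and the
node-security-group tag assumption are assumptions, not the project's policy.
"""
import fnmatch
import json
import re
import sys

# Tag the controller is assumed to put on security groups it creates.
CONTROLLER_TAG = "elbv2.k8s.aws/cluster"

# Actions that mutate security groups and therefore need an ownership condition.
SG_MUTATING_ACTIONS = {
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:DeleteSecurityGroup",
}

# Assumed cluster-name shape: alphanumerics, hyphens, underscores, 1..100 chars.
CLUSTER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,99}$")

# Constructed sample, modelled on the "redundant except for the condition" pair
# the PR description talks about: one statement with no condition, one with.
LOOSE_POLICY_SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": sorted(SG_MUTATING_ACTIONS),
            "Resource": "*",
            "Condition": {"Null": {f"aws:ResourceTag/{CONTROLLER_TAG}": "false"}},
        },
    ],
}


def sg_statements(cluster_name: str) -> list:
    """Statements that allow security-group mutation only for one named cluster."""
    if not CLUSTER_NAME_RE.match(cluster_name):
        raise ValueError(f"not a valid cluster name: {cluster_name!r}")
    return [
        {
            # Groups the controller created for this cluster, matched by its own
            # ownership tag with the exact cluster name, not "any tagged group".
            "Effect": "Allow",
            "Action": sorted(SG_MUTATING_ACTIONS),
            "Resource": "*",
            "Condition": {"StringEquals": {f"aws:ResourceTag/{CONTROLLER_TAG}": cluster_name}},
        },
        {
            # The node security group was not created by the controller, so it has
            # no ownership tag, yet the controller must add the ALB -> pod rule to
            # it. Scope that via the kubernetes.io/cluster/<name> tag (assumed).
            "Effect": "Allow",
            "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    f"aws:ResourceTag/kubernetes.io/cluster/{cluster_name}": ["owned", "shared"]
                }
            },
        },
    ]


def policy_for(cluster_name: str) -> dict:
    return {"Version": "2012-10-17", "Statement": sg_statements(cluster_name)}


def render_policy(cluster_name: str) -> str:
    return json.dumps(policy_for(cluster_name), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unconditioned_sg_statements(policy: dict) -> list:
    """Allow statements covering an SG-mutating action with no Condition at all."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        patterns = _as_list(stmt.get("Action", []))
        # IAM action wildcards (ec2:*, ec2:Authorize*) are matched like globs.
        if any(fnmatch.fnmatchcase(a, p) for a in SG_MUTATING_ACTIONS for p in patterns):
            hits.append(stmt)
    return hits


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "lint":
        with open(sys.argv[2]) as fh:
            bad = unconditioned_sg_statements(json.load(fh))
        print(f"{len(bad)} unconditioned security-group statement(s)")
        sys.exit(1 if bad else 0)
    if len(sys.argv) == 2:
        print(render_policy(sys.argv[1]))
        sys.exit(0)
    sys.exit(f"usage: {sys.argv[0]} <cluster-name> | lint <iam_policy.json>")
```

Run `python3 scoped_policy.py my-cluster` to print the fragment, or `python3 scoped_policy.py lint docs/install/iam_policy.json` to flag statements like the one this PR drops. The trade-off kishorj's comment points at still applies: with the unconditioned statement gone, an AuthorizeSecurityGroupIngress call on a group that carries neither tag is denied, so the node security group's tag has to be confirmed before a cluster-scoped policy like this is adopted.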