kops icon indicating copy to clipboard operation
kops copied to clipboard

Published 20 hours ago verified publisher icon kubernetes

Support AWS S3 Access Points for state buckets

Open ari-becker opened this issue 4 years ago • 4 comments

1. Describe IN DETAIL the feature/behavior/change you would like to see.

AWS S3 has a feature called Access Points, which makes it easier to securely control access to state buckets. Instead of having EC2 instances access the state bucket (i.e. s3://example-bucket-name) directly, we'd like to be able to provide instance groups with a specific AWS S3 Access Point (i.e. s3-access-point://example-access-point-name) to access the bucket.

By using access points, we'll be able to ensure that the credentials that are supplied to the master and worker Kubernetes nodes to access the state bucket will only be relevant within the context of their VPC, and cannot be used by an attacker from outside the VPC if the underlying AWS EC2 instance profile credentials are extracted. Without a separate access point for use by the EC2 instances, we cannot effectively restrict the bucket to only be accessible from within the VPC, as operators who are working on the cluster do so from outside the VPC (ideally, operators should also only be able to access the state store through an access point that restricts access to specific IAM principals). (edit: well, we can restrict the bucket as such, with a longer bucket policy, and dealing with very long bucket access policies is exactly the issue which S3 Access Points helps solve).

2. Feel free to provide a design supporting your feature request.

  • Create a new VFS implementation that supports AWS S3 Access Points
  • Allow setting configBase per Cluster and/or InstanceGroup such that operators and instances can access the state bucket through different AWS S3 Access Points

ari-becker avatar Nov 19 '20 11:11 ari-becker

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot avatar Feb 17 '21 11:02 fejta-bot

/remove-lifecycle stale

ari-becker avatar Feb 21 '21 12:02 ari-becker

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot avatar May 22 '21 12:05 fejta-bot

/remove-lifecycle stale /lifecycle frozen

hakman avatar May 22 '21 13:05 hakman

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 03 '22 09:11 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Dec 03 '22 09:12 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Jan 02 '23 10:01 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jan 02 '23 10:01 k8s-ci-robot