terraform-aws-iam
EBS CSI Role permissions are too wide
Description
The example policy, which is used by the iam-role-for-service-accounts-eks
module, provided by the official aws-ebs-csi-driver is too lax (https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json).
This policy presents the following issues:
It allows the IAM Role to delete any EBS volume tagged with "CSIVolumeName" OR "ebs.csi.aws.com/cluster" OR "kubernetes.io/cluster/*"
It allows the IAM Role to delete any EBS snapshot tagged with "CSIVolumeSnapshotName" OR "ebs.csi.aws.com/cluster" OR "kubernetes.io/cluster/*"
This means the EBS CSI IAM Role can delete any volume or snapshot from any other cluster.
I am proposing the following PR https://github.com/terraform-aws-modules/terraform-aws-iam/pull/265 which changes this policy and replaces the OR conditions by AND conditions, as well as restricting kubernetes.io/cluster/* to kubernetes.io/cluster/EKS_CLUSTER_ID.
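To make the OR-versus-AND point concrete, here is an added illustration that is not code from the terraform-aws-iam module or the aws-ebs-csi-driver project. It embeds two constructed policy documents with the shape the issue describes (three separate Allow statements, versus one statement whose ResourceTag conditions must all hold and whose cluster tag key names a specific cluster) and runs both against a few constructed volume tag sets. The evaluator is an assumption: it models only the subset of IAM semantics involved here (Allow statements, StringEquals/StringLike on ec2:ResourceTag keys, wildcards in tag-key names), not the full AWS engine.

```python
"""Compare which EBS volumes an EBS CSI role could delete under two policy shapes.

Constructed example for the thread above; not the module's or the driver's own
policy. Policy JSON, cluster name and volume tags are all made up for this demo.
"""
import json
import re

CLUSTER_ID = "my-eks-cluster"  # placeholder cluster name, not a real cluster

# Permissive shape: three separate Allow statements. IAM ORs statements, so a
# volume carrying ANY one of the tags can be deleted, whichever cluster owns it.
PERMISSIVE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:DeleteVolume", "Resource": "*",
     "Condition": {"StringLike": {"ec2:ResourceTag/CSIVolumeName": "*"}}},
    {"Effect": "Allow", "Action": "ec2:DeleteVolume", "Resource": "*",
     "Condition": {"StringLike": {"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"}}},
    {"Effect": "Allow", "Action": "ec2:DeleteVolume", "Resource": "*",
     "Condition": {"StringLike": {"ec2:ResourceTag/kubernetes.io/cluster/*": "owned"}}}
  ]
}
""")

# Strict shape: one statement. Keys inside a single Condition block are ANDed,
# and the cluster tag key is pinned to this cluster instead of a wildcard.
STRICT_POLICY = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [
    {{"Effect": "Allow", "Action": "ec2:DeleteVolume", "Resource": "*",
      "Condition": {{"StringLike": {{
        "ec2:ResourceTag/CSIVolumeName": "*",
        "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true",
        "ec2:ResourceTag/kubernetes.io/cluster/{CLUSTER_ID}": "owned"}}}}}}
  ]
}}
""")

# Constructed tag sets: a volume from this cluster, a CSI volume from another
# cluster, and an unrelated volume that only carries another cluster's tag.
VOLUMES = {
    "own-cluster-pv": {"CSIVolumeName": "pvc-1111", "ebs.csi.aws.com/cluster": "true",
                       f"kubernetes.io/cluster/{CLUSTER_ID}": "owned"},
    "other-cluster-pv": {"CSIVolumeName": "pvc-2222", "ebs.csi.aws.com/cluster": "true",
                         "kubernetes.io/cluster/other-cluster": "owned"},
    "other-cluster-node-root": {"kubernetes.io/cluster/other-cluster": "owned"},
}


def iam_like(pattern: str, value: str) -> bool:
    """StringLike matching: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_holds(block: dict, tags: dict) -> bool:
    """Every operator and every key in one Condition block must hold (AND);
    the values listed for a single key are alternatives (OR)."""
    for operator, keys in block.items():
        for key, allowed in keys.items():
            if not key.startswith("ec2:ResourceTag/"):
            	raise ValueError(f"unsupported condition key in this model: {key}")
            key_pattern = key[len("ec2:ResourceTag/"):]
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if operator == "StringEquals":
                value_ok = lambda p, v: p == v
            elif operator == "StringLike":
                value_ok = iam_like
            else:
                raise ValueError(f"unsupported operator in this model: {operator}")
            # The tag-key part of the condition key may itself carry a wildcard
            # (kubernetes.io/cluster/*), so collect every tag whose key matches.
            candidates = [v for k, v in tags.items() if iam_like(key_pattern, k)]
            if not any(value_ok(p, v) for v in candidates for p in allowed):
                return False  # a missing tag or non-matching value fails the block
    return True


def may_perform(policy: dict, action: str, tags: dict) -> bool:
    """Any Allow statement whose Action and Condition match grants the action."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(iam_like(a, action) for a in actions):
            continue
        if condition_holds(stmt.get("Condition", {}), tags):
            return True
    return False


def deletable_volumes(policy: dict) -> list:
    """Names of the sample volumes the policy lets the role delete, sorted."""
    return sorted(name for name, tags in VOLUMES.items()
                  if may_perform(policy, "ec2:DeleteVolume", tags))


if __name__ == "__main__":
    print("permissive policy can delete:", deletable_volumes(PERMISSIVE_POLICY))
    print("strict policy can delete:    ", deletable_volumes(STRICT_POLICY))
```

Running the script shows the permissive shape reaching all three volumes, including the other cluster's CSI volume and a volume that merely carries another cluster's `kubernetes.io/cluster/...` tag, while the strict shape reaches only the volume that carries all three tags for this cluster. The same pattern applies to the snapshot statements mentioned in the issue.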
Thank you for submitting this! Would you mind opening an issue with the upstream CSI project to see if they would be willing to adopt this spec first? It makes it quite a bit easier to support when the official addon supports it as well. Some addons will have a "general" policy and a "limited"/"strict" policy, and then we can follow that strict policy here in the implementation.
No problem! I sent a PR upstream (https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1340).
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue was automatically closed because of stale in 10 days
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.