
Restrict IAM Policy in AWS Setup Instructions #507

Closed
ellistarn opened this issue Jul 8, 2021 · 4 comments
Labels
feature New feature or request operational-excellence

Comments

@ellistarn
Contributor

The AWS Setup instructions should use https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html to ensure that cross-cluster resource launching is not possible. Canonical tag key format: kubernetes.io/cluster/$CLUSTER_NAME.

@ellistarn ellistarn added documentation Improvements or additions to documentation feature New feature or request v0.3 labels Jul 8, 2021
@ellistarn ellistarn removed the v0.3 label Aug 23, 2021
@bwagner5 bwagner5 added this to the v0.5.0 milestone Sep 23, 2021
@johngmyers

Should also limit ec2:TerminateInstances to instances tagged for the cluster and correspondingly limit the ability to add tags to instances to only upon launch.
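
An added example, not code from this issue or from the Karpenter project: an IAM policy fragment expressing the tag-scoped terminate and tag-only-at-launch restrictions discussed in the two comments above, using the kubernetes.io/cluster/$CLUSTER_NAME tag key from the opening comment. `$CLUSTER_NAME` is a placeholder to be substituted before the policy is attached (it is not an IAM policy variable), and the `Null` condition only requires the tag to be present, since the issue does not state a tag value.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TerminateOnlyInstancesTaggedForThisCluster",
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/kubernetes.io/cluster/$CLUSTER_NAME": "false"
        }
      }
    },
    {
      "Sid": "TagInstancesOnlyDuringLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    },
    {
      "Sid": "LaunchMustCarryClusterTag",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/kubernetes.io/cluster/$CLUSTER_NAME": "false"
        }
      }
    }
  ]
}
```

The `ec2:RunInstances` statement covers only the instance resource; a launch also requires permissions on the other resources it touches (subnet, security group, launch template, volume, network interface), which this fragment deliberately leaves out. Verify the effect with the IAM policy simulator against an instance that lacks the cluster tag before attaching the policy to the controller role.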

@geoffcline
Contributor

geoffcline commented Dec 15, 2021

<removed - outdated>

@geoffcline
Contributor

sample-policy-karpenter-restrict-controller-role-14DEC2021.json.txt

Here is a sample policy that currently only works for deletes, not create instances. So, a work in progress.
