Extensible IAM roles in AWS #379
Comments
I need to verify that kops won't detach the policy. What you're doing is the right thing (vs. e.g. editing the kops IAM policy, which would be impossible to preserve), so I want to make sure it works!

@justinsb Any thoughts of adding this into kops? I'm currently using this approach and it works fine, but it introduces a manual step that I think kops could automate away.

This should be closed via #1170

@chrislovecnm It's a combination of both, the permission extensions from #1170 are necessary for supporting kube2iam correctly. This is working for us at the moment so I have no further needs. Feel free to close!

closing per above
Highlights:

* Fix arm64 images, which were built with an incorrect base image.
* Initial (experimental) Azure support

Full change list:

* Update Kops dependency for Azure Blob Storage support [kubernetes#372](kopeio/etcd-manager#372)
* Exclude gazelle from tools/deb-tools [kubernetes#373](kopeio/etcd-manager#373)
* Regenerate bazel in tools/deb-tools [kubernetes#374](kopeio/etcd-manager#374)
* Release notes for 3.0.20201202 [kubernetes#375](kopeio/etcd-manager#375)
* Remove travis CI [kubernetes#377](kopeio/etcd-manager#377)
* Fix vendor generation for tools/deb-tools subproject [kubernetes#376](kopeio/etcd-manager#376)
* Add script to verify image hashes [kubernetes#380](kopeio/etcd-manager#380)
* Fix some incorrect base image hashes for arm64 [kubernetes#379](kopeio/etcd-manager#379)
* Support Azure [kubernetes#378](kopeio/etcd-manager#378)
* Add more descriptions to wait loops [kubernetes#383](kopeio/etcd-manager#383)
* Rename fields in the azure client struct [kubernetes#382](kopeio/etcd-manager#382)
* Fix small typo in code comment [kubernetes#381](kopeio/etcd-manager#381)
Currently the AWS implementation of kops seems to create two IAM roles, one for the master and one for all nodes.
We are using kube2iam to let pods assume IAM roles. To accomplish this, we've attached an additional policy to the IAM role used by nodes that grants the necessary permissions.
I'm wondering if this is a stable way to go about it (i.e. will kops notice this change and nuke it in some future run?). Maybe `kops` should have a feature that lets users add additional policies to the roles created?
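
One way to check the concern raised in this issue (that a later kops run might detach the extra policy) is to compare the node role's attached policies against an expected list after each update. This is an added example, not code from kops or from the issue; it assumes the extra policy is a managed policy attached to the role, and the role name, account ID and policy ARNs shown are constructed placeholders.

```python
"""Detect drift: expected managed policies missing from a kops node role."""


def attached_policy_arns(iam, role_name):
    """Return the set of managed policy ARNs attached to role_name.

    `iam` is a boto3 IAM client (boto3.client("iam")) or any object with the
    same list_attached_role_policies call. Results are paginated via Marker.
    """
    arns, kwargs = set(), {"RoleName": role_name}
    while True:
        page = iam.list_attached_role_policies(**kwargs)
        arns.update(p["PolicyArn"] for p in page.get("AttachedPolicies", []))
        if not page.get("IsTruncated"):
            return arns
        kwargs["Marker"] = page["Marker"]


def missing_policies(iam, role_name, expected_arns):
    """Return the expected ARNs that are no longer attached, sorted."""
    return sorted(set(expected_arns) - attached_policy_arns(iam, role_name))


class StubIAM:
    """Constructed stand-in for the IAM client so the demo runs offline."""

    def __init__(self, arns):
        self._arns = list(arns)

    def list_attached_role_policies(self, RoleName, Marker=None):
        # One policy per page, to exercise the pagination loop above.
        i = int(Marker or 0)
        page = {"AttachedPolicies": [{"PolicyArn": a} for a in self._arns[i:i + 1]]}
        if i + 1 < len(self._arns):
            page.update(IsTruncated=True, Marker=str(i + 1))
        return page


if __name__ == "__main__":
    # Placeholder values; the role name assumes a "nodes.<cluster name>" role.
    role = "nodes.cluster.example.com"
    extra = "arn:aws:iam::111122223333:policy/kube2iam-assume-role"
    base = "arn:aws:iam::111122223333:policy/other-policy"
    # Simulate a run after which only `base` remains attached.
    for arn in missing_policies(StubIAM([base]), role, [extra, base]):
        print(f"DETACHED from {role}: {arn}")
```

In real use, pass `boto3.client("iam")` in place of `StubIAM`; for an inline policy, the equivalent listing call is `list_role_policies`.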