Allow the re-use of a IAM role that is not created by kops.

[chrislovecnm]

This is the original PR submitted by @sp-borja-juncosa with some tweaks.

1. renamed the API value to match the name of the AdditionalPolicies map.
2. added feature flag
3. removed CLI options

Again thanks @sp-borja-juncosa!! Closing this: #2139

TODO

• E2E Testing by hand
• Fix some typos
• validate bastion
• Documentation
• Update role vs profile

Next Steps

I have various next steps documented here: #2440

When I get past the first two TODOs, this will be ready for merge.

---

This change is 

[justinsb]

No reason to have a pointer to a map, I believe; just use a map.

And should we just have a strongly typed object? i.e.

iam:
  master: override-master
  node: override-node

[justinsb]

If a strongly typed object isn't right, we should use the InstanceGroups roles as the keys, either explicitly (map[Role]string) or just in comments / code.

[chrislovecnm]

I like a typed object

[chrislovecnm]

I was following the custom roles as an example, which probably should be a object as well

[justinsb]

Is there a reason to add these comments in this PR?

[chrislovecnm]

Snuck in

[justinsb]

Any reason to move this?

[chrislovecnm]

Will fix

[justinsb]

Is this string(role) ?

[justinsb]

If the feature flag isn't set, this should be an error, not silently ignored. Probably in validation.

This may not need a feature flag.

[justinsb]

I thought this deleted the role?

[chrislovecnm]

More context please

[justinsb]

I think you need to check the ID here, not reference equality.

[chrislovecnm]

Good catch

[chrislovecnm]

Fixed

[justinsb]

Not sure why we removed this?

[justinsb]

Are MasterIAMRole / NodeIAMRole mapped somewhere?

[justinsb]

Answered how to set a FF. Though a FF might not even be necessary here, particularly if we have validation.

[jordanjennings]

FYI - looks like the code is only matching "Node" and "Master" (first letter capitalized)

[chrislovecnm]

I am going to make it an object

[zyonash]

@chrislovecnm @justinsb Hey guys - we're trying to use this feature to set up our cluster using pre-made IAM roles. We have very limited access to create roles, so this feature seems to fit our needs. However, although it seems to picking up on the roles that our administrator created for us, the cluster creation is still trying to edit the inline policies that we had set, which is failing due to the fact that we have no control at all over IAM resources.

Any ideas? For reference, here's exactly what we're seeing:

W0502 21:03:57.681592 506 executor.go:109] error running task "IAMRolePolicy/nodes.k8s.fscom.clouddev.thermofisher.net" (9m59s remaining to succeed): error creating/updating IAMRolePolicy: AccessDenied: User: arn:aws:sts::066574023230:assumed-role/TFAccountAutomationApp/i-042417434d053d0cb is not authorized to perform: iam:PutRolePolicy on resource: role nodes.k8s.fscom.clouddev.thermofisher.net status code: 403, request id: dbb5ce8d-2f7a-11e7-a3f1-d760f5827906 W0502 21:03:57.681623 506 executor.go:109] error running task "IAMRolePolicy/masters.k8s.fscom.clouddev.thermofisher.net" (9m59s remaining to succeed): error creating/updating IAMRolePolicy: AccessDenied: User: arn:aws:sts::066574023230:assumed-role/TFAccountAutomationApp/i-042417434d053d0cb is not authorized to perform: iam:PutRolePolicy on resource: role masters.k8s.fscom.clouddev.thermofisher.net status code: 403, request id: dbb495b9-2f7a-11e7-bc1a-2b7ba7392c49

[chrislovecnm]

@zyonash take a look at #2497 - the admin policy has the needed perms.

[Vince-Cercury]

Hi what is the status for this? It seems there are multiple PR such as this one #2139

Which one to track? Is that already released in its simplest form?
Our company has a different department for managing roles.

[chrislovecnm]

#2139 was closed, and this will hopefully be merged

[justinsb]

Blocked on #2763

[StevenACoffman]

#2763 was merged, so this is unblocked, and just needs the merge conflict resolved, right?

[k8s-github-robot]

@chrislovecnm PR needs rebase

[k8s-github-robot]

@chrislovecnm PR needs rebase

[chrislovecnm]

@justinsb thanks for the response. I do not understand how your different use cases would allow a user to reuse an IAM instance profile. The kops user IAM perms would not have the capability to make any modifications to IAM. You mention modifying the role in multiple parts of your use case.

Second question 'adding' permissions. IAM roles are very complex with the use of wild cards. How can we tell that we are missing a permission? Parsing the IAM profile information is quite challenging. Maybe we can use the IAM test API, but I am not certain.

The need that we have is that we cannot do any CRUD with IAM. If the name is different we cannot delete the profile. If the permissions are different we cannot update the role. We need to reuse an existing profile instance. How does your design satisfy that need?

[justinsb]

So as discussed in office hours today, a plan for getting this merged (not necessarily in order):

a) ability to change the names of the IAM resources that kops creates (and kops still creates them here)
b) look at the phases behaviour for the IAM phase and determine what changes are needed. The idea being that you can run kops update cluster --phases cluster and you'll be warned/errored if the IAM policies are wrong, but kops won't create them. Hopefully there's not a huge delta here.
c) changes to the IAM policies are separate, I believe (and happening already!)

[chrislovecnm]

Can we make

a) ability to change the names of the IAM resources that kops creates (and kops still creates them here)
a - 1.1 change the name and have kops not create or delete the policy?

[k8s-github-robot]

@chrislovecnm PR needs rebase

[rifelpet]

Just curious what needs to be done to move this forward? My use case is identical to @dcowden's, we need roles and policies managed externally not by Kops and to instead pass the instance profile ARNs to the cluster spec. I can offer to help if its a time/resource issue.

[chrislovecnm]

@rifelpet would welcome the help! I am still working on security groups and file assets.

We have decided to modify the api from how it was implemented here. There is another PR open for the new api. Do you want to chat?