Security improvements on IAM policies #2497
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
chrislovecnm
changed the title
chrislovecnm
force-pushed
the
iam-tooling
branch
3 times, most recently
from
c1fdb44 to
fb610cd
Compare
chrislovecnm
force-pushed
the
iam-tooling
branch
4 times, most recently
from
38740a0 to
cce6f2e
Compare
|
@justinsb please take a look. As we discussed I have hidden the command till we have life cycles in, once we have lifecycles in I can refactor that code just a bit, and we will have the auth lifecycle. We need GCE as well :) |
|
The one tweak that I may want to make is prune down ECR permission to get the GetAuthToken. Let me know. |
chrislovecnm
force-pushed
the
iam-tooling
branch
2 times, most recently
from
8f6114f to
3bf2778
Compare
| @@ -148,6 +148,7 @@ func NewAWSCloud(region string, tags map[string]string) (AWSCloud, error) { | |||
| c := &awsCloudImplementation{region: region} | |||
|
|
|||
| config := aws.NewConfig().WithRegion(region) | |||
| //config := aws.NewConfig().WithRegion(region).WithLogLevel(aws.LogDebugWithHTTPBody) | |||
There was a problem hiding this comment.
I am going to add it to documentation in the go file, and file an issue to be able to turn on debugging. I will submit another PR.
chrislovecnm
changed the title
|
As @justinsb recommended, I removed the cmd portion of this PR, to limit this PR to just IAM role changes. Once we have lifecycles implemented, we will have a command for generating example security roles. |
| @@ -91,65 +109,30 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) { | |||
| if b.Role == api.InstanceGroupRoleBastion { | |||
| p.Statement = append(p.Statement, &IAMStatement{ | |||
| // We grant a trivial (?) permission (DescribeRegions), because empty policies are not allowed | |||
| Sid: "kopsK8sBastion", | |||
There was a problem hiding this comment.
Not sure about this. We know it's the bastion policy. What is our goal in adding sid to our policies?
There was a problem hiding this comment.
Yes, it was recommended by one of our users to add a side to all of our policies.
There was a problem hiding this comment.
Recommended using the sid so you know the intent as to what each permission is for. Some of these will be obvious, such as the bastion.
If a user looks at the iam policy from the aws console it will help allow people to highlight individual fragments that may need to be modified in future
|
|
||
| if b.HostedZoneID != "" { | ||
| addRoute53Permissions(p, b.HostedZoneID) | ||
| if b.HostedZoneID != "" { |
There was a problem hiding this comment.
This is a behaviour change, right? We are no longer adding route53 permissions to the nodes? That should be called out - we've broken people before with this!
There was a problem hiding this comment.
Yes this is a breaking change. A lot of these changes can be breaking changes. Should we have old and new policies?
There was a problem hiding this comment.
I think we're going to have to. We should probably prioritize the kube2iam work.
| hostedZoneID = strings.TrimPrefix(hostedZoneID, "/") | ||
| hostedZoneID = strings.TrimPrefix(hostedZoneID, "hostedzone/") | ||
| // BuildAWSIAMPolicyNode generates a custom policy for a Kubernetes master. | ||
| func (b *IAMPolicyBuilder) BuildAWSIAMPolicyMaster() (*IAMPolicy, error) { |
| // We shouldn't be running lots of pods on the master, but it is perfectly reasonable to run | ||
| // a private logging pod or similar. | ||
| // At this point we allow all regions with ECR, since ECR is region specific. | ||
| p.Statement = append(p.Statement, &IAMStatement{ |
There was a problem hiding this comment.
Moving these around makes them tricky to review. But if we don't end up having the duplicate function, we might not need to move them (or we can move them in a set of small PRs)
|
So some good stuff here, but why did we duplicate the IAM generation function? That seems to then require moving everything into a function, which makes this PR much bigger than it otherwise needs to be |
|
So the newer functions are due to how I refactored for the cli tool that use to be in this PR. I can refactor with just one method. |
|
Everything is back to one method. Please review :) |
|
I'm after the minimum policies to get my security department to review. Thanks for your code. Is that a comprehensive minimum required list? Node:
Master:
I'm going to make a cloud formation out of that. Would be good to have that documented on wiki to get security folks comfortable with kub and kops |
|
@justinsb what about we add these changes behind a feature flag? That way we don't introduce breaking changes, but allow for better security? |
chrislovecnm
force-pushed
the
iam-tooling
branch
from
c6d1e38 to
4516ff8
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chrislovecnm Associated issue: 1103 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
@chrislovecnm PR needs rebase |
k8s-github-robot
added
the
needs-rebase
|
@KashifSaadat thoughts on this PR? I am wondering if we get this in using an API value, or a feature flag. Not going to rebase since @KashifSaadat has a PR inbound as well around IAM. |
|
This is excellent! Must have taken a while to work through all the permissions. It's quite a significant change to the policy documents so there is some risk in odd behaviour / edge case scenarios occurring. As @justinsb suggested in PR #3186, we could wrap these changes around an API flag to get it in earlier and have some more user testing around it (we're keen to use this ASAP). I've added a strict IAM flag in PR #3210 which could be used. I think for API methods that create resources, it would be good to enforce condition keys (where they are supported). For example, specifying |
|
We're right in the process of testing a provided AWS account in a project for our customer, so I'm really looking forward to see this in master. :) I'm going to do a local rebase/merge anyway since it's kinda time-critical. :D |
|
You many be interested in this #2440 as well. @bechtoldt |
|
A quick update on this PR. I need to refactor it into a feature flag in order to have this merged. If anyone else wants to fork my branch please feel free |
|
I'll fork off of this and refactor, will raise a PR shortly. |
| Resource: wildcard, | ||
| }) | ||
| } | ||
| addECRPermissions(p) |
There was a problem hiding this comment.
Should this be:
if b.CreateECRPerms {
addECRPermissions(p)
}
|
Closing since we have #3343 |
Automatic merge from submit-queue Revision to IAM Policies created by Kops Based off of the work done by @chrislovecnm in PR #2497. This PR tightens down the IAM policies created for Master & Node instance groups. The Cluster Spec `IAMSpec.Legacy` flag is used to control application of stricter policy rules, which is defaulted to true for existing clusters (to limit potential regression impact), and false for new cluster creation.
Fixes: #1103
This PR continues the work on #1873 for an end user to have the capability to create specific policies that will be used by kops.
Capability
Custom IAM policies can be a complicated, and maintaining those policies create technical debt. To automate the maintenance of these policies, kops can now create its own fine grain IAM policies.
The current IAM policies have been given a much shorter hair cut. Permissions such as
ec2:*ands3:*no longer exist. Also, the nodes had Route53 permissions, which they should not have. The node permissions are now very limited.TODO
Testing
I have tested the following different installs with 1.6.3.
I have not tested ECR, but I have not changed those permissions. I have not tested the new IAM permissions for working with SSL certs and ELBs, as I do not have an SSL cert with AWS.
E2E is happy as well.
This change is