Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Profile controller IAM plugin] Support annotation only #6887

Merged
merged 2 commits into from
Jan 16, 2023
Merged

[Profile controller IAM plugin] Support annotation only #6887

merged 2 commits into from
Jan 16, 2023

Conversation

ryansteakley
Copy link
Contributor

AWS IAM service account profile plugin mutates the trust relationship in the iam role specified in the spec.

Customers have different ways to manage roles and their company policies might not allow Kubeflow profile controller to allow changing the trust relationship.

Adding a boolean variable to the AwsIAMForServiceAccount struct to enable users to specify if they want AnnotateOnly which will cause IAM roles and policy will not be mutated.

This change will not effect existing users who do not have the boolean field in their yaml files.

@ryansteakley
Adds field to struct to disable auto-update of trust policy in case w…
539c9f5 
…here user has security concerns about auto-mutation
@kimwnasptd
Copy link
Member

@surajkota could you also take a look at this or assign someone from AWS to help review?

/assign @surajkota

@kimwnasptd
Copy link
Member

If it's good from AWS' side, since it only touches this functionality, I'm good with merging this

surajkota
surajkota suggested changes Jan 12, 2023
View reviewed changes
Copy link
Contributor

@surajkota surajkota left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, can you add a unit test?

components/profile-controller/controllers/plugin_iam.go Outdated Show resolved Hide resolved
@google-oss-prow google-oss-prow bot added size/M and removed size/S labels Jan 13, 2023
@kimwnasptd
Copy link
Member

Thanks for your time @ryansteakley @surajkota!

/lgtm
/approve

@google-oss-prow google-oss-prow bot added the lgtm label Jan 16, 2023
@google-oss-prow
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kimwnasptd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 0f57b05 into kubeflow:master Jan 16, 2023
@surajkota
Copy link
Contributor

Thanks

@kimwnasptd kimwnasptd mentioned this pull request Feb 23, 2023
Open
@surajkota surajkota mentioned this pull request Mar 10, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@surajkota surajkota surajkota requested changes

@elikatsis elikatsis Awaiting requested review from elikatsis

@kimwnasptd kimwnasptd Awaiting requested review from kimwnasptd

Assignees

@kimwnasptd kimwnasptd

@surajkota surajkota

Labels
approved lgtm size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ryansteakley @kimwnasptd @surajkota