
Route53 API authorization in EC2 instances #27467

Closed
madhusudancs opened this issue Jun 15, 2016 · 9 comments

@madhusudancs (Contributor):

Either verify that the EC2 VMs that are part of the cluster federation can access Route53 APIs or define the necessary IAM policies to allow these VMs to access Route53 APIs.

Equivalent authorization scopes were added to GCE and GKE in #27357 and #27466

cc @nikhiljindal @quinton-hoole @kubernetes/sig-cluster-federation

@madhusudancs (Contributor, Author):

@justinsb assigning it to you. I hope you can help us with this. But please feel free to reassign as necessary.

@nikhiljindal (Contributor):

Adding to 1.3 milestone

@nikhiljindal nikhiljindal added this to the v1.3 milestone Jun 17, 2016
@nikhiljindal nikhiljindal added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Jun 17, 2016
@erictune (Member):

Let's find another assignee. @quinton-hoole

@erictune (Member):

Justin has several things he is already working on for 1.3 and this seems like something someone else could tackle.

@justinsb (Member):

Sorry, this slipped off my plate.

We just need to add this to the IAM policy/policies cluster/aws/templates/iam/kubernetes-master-policy.json and cluster/aws/templates/iam/kubernetes-minion-policy.json:

    {
      "Effect": "Allow",
      "Action": ["route53:*"],
      "Resource": ["*"]
    },

Question though - just on the masters, or on master & nodes?

@ghost commented Jun 21, 2016:

Thanks @justinsb. The Federation control plane pods run on nodes, so the answer to your question is "on nodes".

@ghost commented Jun 21, 2016:

More specifically it runs in pods on nodes.

justinsb added a commit to justinsb/kubernetes that referenced this issue Jun 21, 2016
Federation needs this now (on the nodes), and I suspect ingress
controllers will shortly want this also.  Given we're going to authorize
it on the nodes, we should authorize it on the master also (the master
is much more trusted).

Fix kubernetes#27467
@justinsb (Member):

Fix in #27794. I did it on the master & on the nodes; I figure the nodes are the ones we are more concerned about security on, and not having it on the master is just going to cause confusion.
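
Added example (not code from the kubernetes repository, from #27794, or from any commenter): a small audit-and-patch helper for the two kube-up IAM policy documents named above. The real contents of cluster/aws/templates/iam/kubernetes-master-policy.json and kubernetes-minion-policy.json are not reproduced on this page, so SAMPLE_POLICY below is a constructed stand-in with the same IAM policy-document shape; the statement it inserts is exactly the one proposed in the thread. The evaluator only looks at Effect and Action (Resource is assumed to be "*" throughout, as it is in these templates), which is enough to confirm whether a node or master role would be allowed to call a Route53 API before and after the change.

```python
"""Check and patch kube-up style IAM policy documents for Route53 access.

The policy files from the issue are not on the page, so SAMPLE_POLICY is a
constructed stand-in with the same shape (Version + list of Statements).
Resource matching is deliberately not modelled: the templates use "*".
"""
import copy
import json

# Constructed sample resembling a node policy before the fix (not the real file).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
    ],
}

# The statement proposed in the thread for both the master and minion policies.
ROUTE53_STATEMENT = {
    "Effect": "Allow",
    "Action": ["route53:*"],
    "Resource": ["*"],
}


def _as_list(value):
    """IAM allows Action to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and allow a trailing '*'."""
    pattern, action = pattern.lower(), action.lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def allowed_statements_for(policy, action):
    """Return the Allow statements whose Action patterns cover `action`."""
    return [
        stmt for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        and any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))
    ]


def is_allowed(policy, action):
    """Simplified IAM evaluation: an explicit Deny wins over any Allow."""
    allowed = denied = False
    for stmt in policy.get("Statement", []):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied


def grants_route53(policy):
    """True if the role could change DNS records (the call federation needs)."""
    return is_allowed(policy, "route53:ChangeResourceRecordSets")


def add_route53_statement(policy):
    """Return a copy of `policy` with the Route53 statement added (idempotent)."""
    patched = copy.deepcopy(policy)
    statements = patched.setdefault("Statement", [])
    if ROUTE53_STATEMENT not in statements:
        statements.append(copy.deepcopy(ROUTE53_STATEMENT))
    return patched


def patch_policy_file(path):
    """Rewrite a policy file on disk with the Route53 statement added."""
    with open(path) as fh:
        policy = json.load(fh)
    patched = add_route53_statement(policy)
    with open(path, "w") as fh:
        json.dump(patched, fh, indent=2)
        fh.write("\n")
    return patched


if __name__ == "__main__":
    # Run against the constructed sample; pass a real template path to
    # patch_policy_file() to apply the same change on disk.
    after = add_route53_statement(SAMPLE_POLICY)
    print("route53 allowed before:", grants_route53(SAMPLE_POLICY))
    print("route53 allowed after: ", grants_route53(after))
    print(json.dumps(after, indent=2))
```

Running it on the sample shows the node role gaining route53:* on all resources, which is the trade-off discussed in the thread: the same grant lands on the less-trusted nodes as on the master, so anything that can run in a pod with the node's instance credentials can also rewrite the hosted zones the account owns. The idempotency check keeps a second run of patch_policy_file() from duplicating the statement.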

@justinsb (Member):

Also, I just do it across the board, not just in federation. I know a lot of users are excited to have k8s auto-provision DNS with ingress (and get LetsEncrypt working)...

k8s-github-robot pushed a commit that referenced this issue Jun 21, 2016
Automatic merge from submit-queue

AWS kube-up: Authorize route53 in the IAM policy

Federation needs this now (on the nodes), and I suspect ingress
controllers will shortly want this also.  Given we're going to authorize
it on the nodes, we should authorize it on the master also (the master
is much more trusted).

Fix #27467