Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update AWS documentation #1380

Merged
merged 1 commit into from
Jan 19, 2020
Merged

Update AWS documentation #1380

merged 1 commit into from
Jan 19, 2020

Conversation

otterley
Copy link
Contributor

@otterley otterley commented Jan 18, 2020
edited
Loading

Using EC2 Instance Roles to provide Route 53 permissions is overly
permissive and dangerous. Emphasize using alternatives such
as EKS IAM Roles for Service Accounts, kiam, or kube2iam that
limit access to the ExternalDNS pod.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jan 18, 2020
@k8s-ci-robot
Copy link
Contributor

Welcome @otterley!

It looks like this is your first PR to kubernetes-sigs/external-dns 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/external-dns has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@otterley otterley requested a review from Raffo January 18, 2020 04:53
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jan 18, 2020
Raffo
Raffo requested changes Jan 18, 2020
View reviewed changes
Copy link
Contributor

@Raffo Raffo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @otterley , thanks for your PR.
I don't think that the changes that you proposed would be right for our user base. We have many users that use ExternalDNS on AWS by running kops or other tools and not using EKS. Given that this project is a community project not affiliated with any cloud provider, I would love to keep our AWS tutorial as generic as possible.
For that reason, I'd ask you to change what your proposed to instead list the options that are available (i.e. have the node have the "right" permissions, use one between kube2iam, kiam, etc.) or use whatever EKS provides. I would also not mark the EKS option as "recommended" as it is really only recommended if you are running on EKS 😄

docs/tutorials/aws.md
@@ -2,36 +2,62 @@

This tutorial describes how to setup ExternalDNS for usage within a Kubernetes cluster on AWS. Make sure to use **>=0.4** version of ExternalDNS for this tutorial

## IAM Permissions
## IAM Policy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's great to use the right terminology, thanks!

docs/tutorials/aws.md Show resolved Hide resolved
@otterley
Copy link
Contributor Author

otterley commented Jan 18, 2020
edited
Loading

Hey @Raffo, thanks for the feedback.

I created this PR after my experience using ExternalDNS for the first time and saw the existing documentation that suggested we apply the IAM Policy to all nodes in the cluster. This is really bad advice -- we need to change that ASAP to tell users to apply the Policy only to the Pod running ExternalDNS.

I went with the IRSA approach because that's the approach I know, and it's the one AWS officially recommends and supports.

I can try to change the verbiage a bit, but I have never used any alternatives to IAM Roles for Service Accounts such as kube2iam. So I wouldn't be able to provide documentation regarding other approaches with the same level of confidence.

Keep in mind, too, that the scope of the PR is limited to the AWS tutorial, so we're not doing anything like recommending AWS over other cloud providers -- but I admit a bias that customers use EKS for their control plane than trying to manage K8S clusters themselves. :)

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 18, 2020
@otterley otterley force-pushed the aws_irsa branch 3 times, most recently from 9801fd5 to cd9596b Compare January 18, 2020 16:47
@otterley
Copy link
Contributor Author

@Raffo I've taken another stab at the PR to make it more neutral-sounding and offer some alternative options, while emphasizing the danger of granting the trust relationship to the entire node. WDYT?

@otterley otterley force-pushed the aws_irsa branch 3 times, most recently from 57956d6 to 3ba7751 Compare January 18, 2020 16:59
@otterley
Update AWS documentation
c1ebc77 
Using EC2 Instance Roles to provide Route 53 permissions is overly
permissive and dangerous.  Emphasize using alternatives such
as EKS IAM Roles for Service Accounts, kiam, or kube2iam that
limit access to the ExternalDNS pod.
Raffo
Raffo approved these changes Jan 19, 2020
View reviewed changes
Copy link
Contributor

@Raffo Raffo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created this PR after my experience using ExternalDNS for the first time and saw the existing documentation that suggested we apply the IAM Policy to all nodes in the cluster. This is really bad advice -- we need to change that ASAP to tell users to apply the Policy only to the Pod running ExternalDNS.

Yes, I understand the security implications of the issue, it's worth noting that the risks still depend on what gets deployed to the cluster and the isolation of the AWS account. That said, it's true that it is generally bad advice.

I've taken another stab at the PR to make it more neutral-sounding and offer some alternative options, while emphasizing the danger of granting the trust relationship to the entire node. WDYT?

The changes look much better from my point of view and I'm happy with how they look like now.

@Raffo
Copy link
Contributor

Raffo commented Jan 19, 2020

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 19, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: otterley, Raffo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 19, 2020
@k8s-ci-robot k8s-ci-robot merged commit 915980a into kubernetes-sigs:master Jan 19, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Raffo Raffo Raffo approved these changes

@hjacobs hjacobs Awaiting requested review from hjacobs

@njuettner njuettner Awaiting requested review from njuettner

Assignees

@Raffo Raffo

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@otterley @k8s-ci-robot @Raffo