Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-iam: Add autoscaling:DescribeTags #2681

Closed
magnusboman opened this issue Jun 3, 2017 · 6 comments · Fixed by #4051
Closed

aws-iam: Add autoscaling:DescribeTags #2681

magnusboman opened this issue Jun 3, 2017 · 6 comments · Fixed by #4051
Assignees
@robinpercy @chrislovecnm
Labels
area/security

Comments

@magnusboman
Copy link

Latest versions of the cluster-autoscaler can automatically detect the ASG used by the nodes, but it requires that autoscaling:DescribeTags rights are added to the AWS IAM policy.
@chrislovecnm chrislovecnm self-assigned this Jun 4, 2017
@felipejfc
Copy link
Contributor

+1

@chrislovecnm
Copy link
Contributor

I think we have this fixed. Need to check

/assign

@johanneswuerbach
Copy link
Contributor

Looking into kops v1.8.0, autoscaling:DescribeTags seems not be included yet:
Legacy:

kops/pkg/model/iam/tests/iam_builder_master_legacy.json

Lines 17 to 25 in fbfe24a

"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:GetAsgForInstance",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup"
],

Strict:

kops/pkg/model/iam/tests/iam_builder_master_strict_ecr.json

Lines 53 to 81 in fbfe24a

{
"Sid": "kopsK8sASMasterPermsAllResources",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:GetAsgForInstance"
],
"Resource": [
"*"
]
},
{
"Sid": "kopsK8sASMasterPermsTaggedResources",
"Effect": "Allow",
"Action": [
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local"
}
}
},

@robinpercy
Copy link
Contributor

I think we have this fixed. Need to check

@chrislovecnm I just hit this as well with kops 1.8.0. Do we want to fix it in kops? There's a case to be made for using something like kube2iam instead.

@chrislovecnm
Copy link
Contributor

Yes we need this in kops. We may be missing another perms as well. Really we should have a use autoscalig flag to enable / disable in the api.

@robinpercy
Copy link
Contributor

sounds good. Will open a PR.

/assign

@robinpercy robinpercy mentioned this issue Dec 13, 2017
Merged
k8s-github-robot pushed a commit that referenced this issue Dec 14, 2017
Merge pull request #4051 from robinpercy/autoscaler-perms
bea1291 
Automatic merge from submit-queue.

Adding DescribeTags to masters

/fixes #2681
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@robinpercy robinpercy

@chrislovecnm chrislovecnm

Labels
area/security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Adding DescribeTags to masters robinpercy/kops
5 participants
@robinpercy @felipejfc @chrislovecnm @johanneswuerbach @magnusboman