Switch AWS NAT Gateway creation to use tags on create #8726

Merged: 1 commit, Jul 10, 2020

@rifelpet
Member

rifelpet commented Mar 11, 2020

AWS has been adding support for "tag on create" to many services. Typically this support also includes referencing tags in IAM policies involving these resources.

This means kops could use a more locked-down IAM policy that only allows creating NAT Gateways if they include cluster-specific tags, for example. Ideally we could use this for as many resource types as possible and have a much more locked down example IAM policy for kops users.

Marking WIP until I get a chance to test this locally since none of our e2e jobs create NAT gateways.
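
The IAM restriction described above, sketched as an added example (not code from kops or from this PR): two statements that allow `ec2:CreateNatGateway` only when the request carries a cluster tag and allow `ec2:CreateTags` only as part of that create call. The tag key `KubernetesCluster`, the cluster name `example.k8s.local`, the ARN pattern and condition-key support for this action are assumptions, permissions for other resources the call references are left out, and `allowed` is a simplified stand-in for IAM evaluation.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement holds only the IAM statement fields this example needs.
type Statement struct {
	Sid, Effect, Action, Resource string
	Condition                     map[string]map[string]string
}

// natGatewayStatements builds the two Allow statements for clusterName.
// The tag key and ARN pattern are assumptions, not values taken from kops.
func natGatewayStatements(clusterName string) []Statement {
	const ngw = "arn:aws:ec2:*:*:natgateway/*"
	eq := func(k, v string) map[string]map[string]string {
		return map[string]map[string]string{"StringEquals": {k: v}}
	}
	return []Statement{
		{"CreateTaggedNatGateway", "Allow", "ec2:CreateNatGateway", ngw, eq("aws:RequestTag/KubernetesCluster", clusterName)},
		{"TagOnlyOnCreate", "Allow", "ec2:CreateTags", ngw, eq("ec2:CreateAction", "CreateNatGateway")},
	}
}

// allowed is a simplified stand-in for IAM evaluation: a statement matches when
// the action is equal and every StringEquals key is in ctx with the same value.
func allowed(stmts []Statement, action string, ctx map[string]string) bool {
	for _, s := range stmts {
		if s.Effect != "Allow" || s.Action != action {
			continue
		}
		match := true
		for key, want := range s.Condition["StringEquals"] {
			got, ok := ctx[key]
			match = match && ok && got == want
		}
		if match {
			return true
		}
	}
	return false
}

func main() {
	b, _ := json.MarshalIndent(natGatewayStatements("example.k8s.local"), "", "  ")
	fmt.Println(string(b))
}
```

Under these statements a create call without tags, or a separate `ec2:CreateTags` call made after creation, is not allowed, which is why the tags have to travel in the create request itself.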

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress and size/M labels Mar 11, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rifelpet


@k8s-ci-robot k8s-ci-robot added the approved and area/provider/aws labels Mar 11, 2020
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes label Mar 11, 2020
@@ -62,3 +62,15 @@ func intersectTags(tags []*ec2.Tag, desired map[string]string) map[string]string
}
return actual
}

func mapToTagSpecification(tags map[string]string, resourceType string) *ec2.TagSpecification {
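
Review bot: mapToTagSpecification has no doc comment and takes resourceType as a bare string, so a mistyped resource type still compiles and is only caught when the request is sent. Add a comment stating what the function returns for a nil or empty tags map, and consider passing the SDK's resource-type constants rather than string literals at the call sites.
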
Member

I think there are a few other places where TagSpecification is used and this should be used to replace the tag conversion there.

@hakman
Member

hakman commented Apr 26, 2020

@rifelpet I just gave this a try and created the NAT GW with tags.

@k8s-ci-robot k8s-ci-robot added the size/L label and removed the size/M label Apr 26, 2020
@rifelpet
Member Author

I think I have to update cloudmock with equivalent logic

https://github.com/kubernetes/kops/blob/master/cloudmock/aws/mockec2/natgateway.go

I'm hoping to get to that soon.

@hakman
Member

hakman commented Apr 26, 2020

No rush. Just wanted to let you know that it works :).

@rifelpet rifelpet force-pushed the nat-tags branch 2 times, most recently from d3d1aa3 to 9305952 Compare April 29, 2020 12:16
@k8s-ci-robot k8s-ci-robot added the size/XS label and removed the size/L label Jul 10, 2020
@rifelpet
Member Author

My other recent PRs have made this much simpler. This will still use ec2.CreateTags for the AssociatedNatgateway tag a few lines below, but we can consider updating or removing that in a separate PR.

@rifelpet rifelpet changed the title from "WIP Switch AWS NAT Gateway creation to use tags on create" to "Switch AWS NAT Gateway creation to use tags on create" Jul 10, 2020
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress label Jul 10, 2020
@hakman
Member

hakman commented Jul 10, 2020

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Jul 10, 2020
@johngmyers
Member

/retest

@k8s-ci-robot k8s-ci-robot merged commit 7adc760 into kubernetes:master Jul 10, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.19 milestone Jul 10, 2020