Closed: ArieLevs closed 2 months ago
Hi, it looks like you're using the Mountpoint CSI Driver.
It looks like your feature request is pretty similar to this one: https://github.com/awslabs/mountpoint-s3-csi-driver/issues/111, which you can 👍. Though if you need something on the storage class level, you might want to create a feature request on the CSI Driver repository: https://github.com/awslabs/mountpoint-s3-csi-driver
Tell us more about this new feature.
Hi, I would like to initiate a discussion—or request additional documentation if available—regarding the separation of permissions at the node level.
During my evaluation of the application, I observed that IAM permissions are granted at the node level. This requires specifying each individual S3 bucket within the policy. Additionally, if we install the app and later need to add more S3 buckets, we must update the policy to include the new buckets.
Is there a way to address this at the StorageClass level?
My goal is to enable us to install the application once on an EKS cluster, after which different teams can extend its functionality. They would do so by creating their own permissions in S3 and defining a dedicated StorageClass that leverages these specific permissions. This approach would allow us to control which StorageClass has access to which bucket, ensuring a clear separation of access rights.
Thanks