edgelesssys / constellation

Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
GNU Affero General Public License v3.0

Missing permission for AWS Application Load Balancer #3056

Closed wuttke closed 3 months ago

wuttke commented 3 months ago

Issue description

The Control Plane Policy does not have this permission: elasticloadbalancing:DescribeListenerCertificates

This is required for Ingresses that create an ALB with certificates.

Steps to reproduce the behavior

No response

Version

No response

Constellation Config

No response

wuttke commented 3 months ago

Annotations:                alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:905418322627:certificate/658ea803-f7f2-4a4d-bb11-db8e9e480ea8
                            alb.ingress.kubernetes.io/group.name: mesalvo-constellation-ingress-group
                            alb.ingress.kubernetes.io/listen-ports: [{"HTTP": 80}, {"HTTPS": 443}]
                            alb.ingress.kubernetes.io/scheme: internet-facing
                            alb.ingress.kubernetes.io/ssl-redirect: 443
                            alb.ingress.kubernetes.io/success-codes: 200,401
                            alb.ingress.kubernetes.io/target-type: ip
                            meta.helm.sh/release-name: mesalvo-kafka-ui-release-c00d1040
                            meta.helm.sh/release-namespace: kafka
Events:
  Type     Reason             Age   From     Message
  ----     ------             ----  ----     -------
  Warning  FailedDeployModel  54m   ingress  Failed deploy model due to AccessDenied: User: arn:aws:sts::905418322627:assumed-role/mesalvo-cortex-constellation_control_plane_role/i-085b4ad0577f647a8 is not authorized to perform: elasticloadbalancing:DescribeListenerCertificates because no identity-based policy allows the elasticloadbalancing:DescribeListenerCertificates action
           status code: 403, request id: 0131df13-2bc4-4b7d-9c60-5e90bd8923a7
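
As an added illustration (not code from the issue or from Constellation itself): a small Python check that pulls the denied action out of an AccessDenied event message shaped like the one above and tests whether a control-plane IAM policy grants it, honouring IAM wildcard actions. The policy document, account id, role name and instance id are constructed placeholders, not the issue's values.

```python
import fnmatch
import re

# Constructed sample in the shape of the FailedDeployModel event above; account id,
# role name and instance id are placeholders, not values from the issue.
EVENT_MESSAGE = (
    "Failed deploy model due to AccessDenied: User: "
    "arn:aws:sts::111122223333:assumed-role/example_control_plane_role/i-0123456789abcdef0 "
    "is not authorized to perform: elasticloadbalancing:DescribeListenerCertificates "
    "because no identity-based policy allows the elasticloadbalancing:DescribeListenerCertificates action"
)

# Constructed IAM policy fragment (hypothetical, not Constellation's real policy): the
# ELB Describe calls are listed one by one and DescribeListenerCertificates is absent.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeTargetGroups"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:Describe*"},
    ],
}

DENIED_RE = re.compile(r"is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)")


def denied_action(message):
    """Return the IAM action named in an AccessDenied message, or None."""
    m = DENIED_RE.search(message)
    return m.group("action") if m else None


def allowed_patterns(policy):
    """Collect the Action patterns of every Allow statement (string or list form)."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            action = stmt.get("Action", [])
            patterns.update([action] if isinstance(action, str) else action)
    return patterns


def is_allowed(policy, action):
    """True if some Allow pattern matches the action. IAM action names are case-insensitive
    and use '*'/'?' wildcards; only Action is evaluated (Resource/Condition/Deny ignored)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in allowed_patterns(policy))


def missing_actions(policy, required):
    """Return, sorted, the required actions that the policy does not grant."""
    return sorted(a for a in required if not is_allowed(policy, a))
```

Feeding the denied action from the event straight into `missing_actions` reproduces the gap reported here; a policy that grants `elasticloadbalancing:Describe*` would pass the same check.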

wuttke commented 3 months ago

Yet more permissions, and let's see if I find more:

wuttke commented 3 months ago

That was all I need ;)

Normal  SuccessfullyReconciled  8m42s  ingress  Successfully reconciled

burgerdev commented 3 months ago

Hello @wuttke,

Thanks for the bug report, and good to hear that you could apply the missing permissions manually. I'm preparing a fix for this, targeting the next release.

While testing, I found that Ingresses with alb.ingress.kubernetes.io/target-type: ip were not routable, due to the additional requirement on Pod IPs. Switching to target type instance resolved this issue. Did you encounter this problem, too?

Cheers, Markus

P.S.: We usually don't advertise the Ingress capabilities of aws-load-balancer-controller because the application load balancer resides outside Constellation and is thus not suitable for sensitive traffic, for which an Ingress controller hosted inside Constellation would fit best. That being said, using the ALB may be appropriate, depending on the nature of the traffic.

wuttke commented 3 months ago

Thank you very much! Both for the quick reply and the good pointers. This was really helpful.

burgerdev commented 3 months ago

The fix is included in v2.16.4. You can apply the additional permissions with constellation iam upgrade apply.