jtblin / kube2iam

kube2iam provides different AWS IAM roles for pods running on Kubernetes
BSD 3-Clause "New" or "Revised" License

allowed-roles annotation allows un-prefixed role access #110

Open amoskyler opened 6 years ago

amoskyler commented 6 years ago

I have the following kube2iam ready resources set up in the default namespace:

Namespace:

apiVersion: v1
kind: Namespace
metadata:
  annotations:
    iam.amazonaws.com/allowed-roles: |
      ["dev/*"]
  name: default

kube2iam args

      - args:
        - --app-port=8282
        - --auto-discover-base-arn
        - --auto-discover-default-role
        - --iptables=true
        - --host-ip=$(HOST_IP)
        - --host-interface=cali+

test pod

apiVersion: v1
kind: Pod
metadata:
  name: aws-cli
  labels:
    name: aws-cli
  annotations:
    iam.amazonaws.com/role: arn:aws:iam::12345678912:role/ModifyRoute53
spec:
  containers:
  - image: quay.io/coreos/awscli
    command:
      - "tail"
      - "-f"
      - "/dev/null"
    name: aws-cli

kube2iam is allowing the pod to assume the ModifyRoute53 role, which is not within the allowed-roles pattern dev/*. I would expect this attempt to be rejected, as the role is not within that IAM path.

Am I missing something, or is this a bug?

joerx commented 6 years ago

AFAIK you need to enable this via --namespace-restrictions. Beware though: this will require allowed-roles annotations on all namespaces!
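To make the behaviour discussed in this thread concrete, here is an added example (not kube2iam's own code, and not from either commenter) modelling how a namespace's iam.amazonaws.com/allowed-roles annotation gates a pod's requested role once --namespace-restrictions is on, and why the annotation has no effect when the flag is off. It assumes a base ARN of arn:aws:iam::123456789012:role/ (standing in for what --auto-discover-base-arn would return), that bare role names or paths are qualified with that base ARN before matching, and that "*" in an allowed-roles entry matches any run of characters; the real kube2iam matching library may differ in detail.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed base ARN; in kube2iam this comes from --base-role-arn or --auto-discover-base-arn.
const baseARN = "arn:aws:iam::123456789012:role/"

// parseAllowedRoles decodes the JSON array stored in the
// iam.amazonaws.com/allowed-roles namespace annotation.
func parseAllowedRoles(annotation string) ([]string, error) {
	var roles []string
	if err := json.Unmarshal([]byte(annotation), &roles); err != nil {
		return nil, fmt.Errorf("allowed-roles annotation is not a JSON array: %w", err)
	}
	return roles, nil
}

// fullARN qualifies a bare role name or path (e.g. "dev/*") with the base ARN,
// so that patterns and requested roles are compared in the same form.
func fullARN(role string) string {
	if strings.HasPrefix(role, "arn:aws:iam::") {
		return role
	}
	return baseARN + role
}

// globMatch reports whether s matches pattern, where '*' matches any run of
// characters, including '/'. (Assumed semantics, see lead-in.)
func globMatch(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == s
	}
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	for _, p := range parts[1 : len(parts)-1] {
		i := strings.Index(s, p)
		if i < 0 {
			return false
		}
		s = s[i+len(p):]
	}
	return strings.HasSuffix(s, parts[len(parts)-1])
}

// roleAllowed decides whether a pod in a namespace carrying the given
// allowed-roles annotation may assume requestedRole.
//
// With namespaceRestrictions false the annotation is never consulted and every
// role is allowed, which is the behaviour the issue reporter observed. With it
// true, a namespace without an annotation permits nothing, which is why every
// namespace using kube2iam then needs one.
func roleAllowed(namespaceRestrictions bool, allowedRolesAnnotation, requestedRole string) (bool, error) {
	if !namespaceRestrictions {
		return true, nil
	}
	if strings.TrimSpace(allowedRolesAnnotation) == "" {
		return false, nil
	}
	patterns, err := parseAllowedRoles(allowedRolesAnnotation)
	if err != nil {
		return false, err
	}
	want := fullARN(requestedRole)
	for _, p := range patterns {
		if globMatch(fullARN(p), want) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed inputs mirroring the issue: namespace allows only dev/*.
	annotation := `["dev/*"]`
	for _, role := range []string{
		"arn:aws:iam::123456789012:role/ModifyRoute53",
		"dev/reader",
	} {
		off, _ := roleAllowed(false, annotation, role)
		on, _ := roleAllowed(true, annotation, role)
		fmt.Printf("%-48s restrictions off: %-5v on: %v\n", role, off, on)
	}
}
```

Run with `go run .`: ModifyRoute53 is allowed with restrictions off and rejected with them on, while dev/reader is allowed in both cases. Note that qualifying the pattern with the base ARN also means a role in another account, such as arn:aws:iam::999999999999:role/dev/reader, does not match "dev/*".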

amoskyler commented 6 years ago

Thanks for the response @joerx!

So assuming I deploy my kube2iam daemonset with the --namespace-restrictions argument, I should be able to create namespaces with wildcard IAM roles; however, each namespace utilizing kube2iam will need an annotation?