kubernetes / kops

Kubernetes Operations (kOps) - Production Grade k8s Installation, Upgrades and Management
https://kops.sigs.k8s.io/
Apache License 2.0

Further tighten IAM permissions for cert-manager DNS01 challenges #15680

Closed andsens closed 3 months ago

andsens commented 11 months ago

/kind feature

Big thumbs up for already tightening the rather loose policy that cert-manager suggests in their guide by restricting the hosted zone. I have a suggestion for tightening it even further. Split up the ChangeResourceRecordSets and ListResourceRecordSets and restrict any changes to TXT records on _acme-challenge.* subdomains.

```json
{
  "Effect": "Allow",
  "Action": "route53:ChangeResourceRecordSets",
  "Resource": "arn:aws:route53:::hostedzone/XXXXXXXXXXXXXX",
  "Condition": {
    "ForAllValues:StringLike": {
      "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]
    },
    "ForAllValues:StringEquals": {
      "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
    }
  }
}
```

I modified the policy kops created with the suggested change and it works like a charm :-)
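The following is an added example, not code from the issue author or from the kOps project. It writes out the two-statement policy the comment proposes (an unconditioned `ListResourceRecordSets` next to the conditioned `ChangeResourceRecordSets`) and models how IAM's `ForAllValues` operators would evaluate a change batch against it, so the effect of the split can be checked before it is rolled out. The evaluator is a simplified model of IAM, not AWS's engine; the record-name normalization (lowercase, trailing dot dropped) and the `ZOTHERZONE` zone ID are assumptions, and the hosted zone ID placeholder is the one used in the issue.

```python
import fnmatch

# Placeholder hosted zone ID, as written in the issue; substitute your own.
HOSTED_ZONE_ID = "XXXXXXXXXXXXXX"


def zone_arn(zone_id):
    return f"arn:aws:route53:::hostedzone/{zone_id}"


# The two statements the comment proposes: listing stays unconditioned,
# changes are limited to TXT records whose names match _acme-challenge.*
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:ListResourceRecordSets",
            "Resource": zone_arn(HOSTED_ZONE_ID),
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": zone_arn(HOSTED_ZONE_ID),
            "Condition": {
                "ForAllValues:StringLike": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]
                },
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
                },
            },
        },
    ],
}


def normalize(name):
    # Assumed normalization for the "NormalizedRecordNames" key: lowercase and
    # strip the trailing dot so "_ACME-CHALLENGE.Example.com." compares cleanly.
    return name.lower().rstrip(".")


def request_context(changes):
    # Build the multi-valued condition keys IAM would derive from a change batch.
    return {
        "route53:ChangeResourceRecordSetsNormalizedRecordNames": [normalize(c["Name"]) for c in changes],
        "route53:ChangeResourceRecordSetsRecordTypes": [c["Type"] for c in changes],
    }


def _matches(op, value, patterns):
    if op == "StringEquals":
        return value in patterns
    if op == "StringLike":
        # IAM's "*" matches any run of characters, dots included, so the
        # pattern covers _acme-challenge.<any depth of subdomain>.
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    raise ValueError(f"unsupported operator {op}")


def _for_all_values(op, values, patterns):
    # ForAllValues: every value in the request must match at least one pattern.
    # An empty request set is vacuously true, which is standard IAM semantics.
    return all(_matches(op, v, patterns) for v in values)


def statement_allows(stmt, action, resource, ctx):
    if stmt["Effect"] != "Allow" or stmt["Action"] != action or stmt["Resource"] != resource:
        return False
    for cond_op, keys in stmt.get("Condition", {}).items():
        set_op, op = cond_op.split(":")
        if set_op != "ForAllValues":
            raise ValueError(f"unsupported set operator {set_op}")
        for key, patterns in keys.items():
            if not _for_all_values(op, ctx.get(key, []), patterns):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    return any(statement_allows(s, action, resource, ctx) for s in policy["Statement"])


def change_allowed(changes, zone_id=HOSTED_ZONE_ID):
    """Would this batch of {"Name", "Type"} changes pass the conditioned statement?"""
    return is_allowed(POLICY, "route53:ChangeResourceRecordSets", zone_arn(zone_id), request_context(changes))


def list_allowed(zone_id=HOSTED_ZONE_ID):
    return is_allowed(POLICY, "route53:ListResourceRecordSets", zone_arn(zone_id), {})


if __name__ == "__main__":
    acme = {"Name": "_acme-challenge.example.com.", "Type": "TXT"}  # constructed sample
    www = {"Name": "www.example.com.", "Type": "A"}                 # constructed sample
    print("ACME TXT only:", change_allowed([acme]))      # True
    print("A record only:", change_allowed([www]))       # False
    print("mixed batch:  ", change_allowed([acme, www]))  # False: ForAllValues fails on the A record
```

The mixed-batch case is the one worth keeping in mind: because both conditions use `ForAllValues`, a single non-matching record in a `ChangeBatch` denies the whole call, so a compromised cert-manager credential cannot smuggle an A or CNAME change in alongside a legitimate challenge record.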

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

andsens commented 5 months ago

/remove-lifecycle stale

Might send a PR if I get the time.