kubernetes / kops

Kubernetes Operations (kOps) - Production Grade k8s Installation, Upgrades and Management
https://kops.sigs.k8s.io/
Apache License 2.0

Make Instance IAM Role Trust Policy Configurable via kOps cluster spec #16194

Closed adeelahmadch closed 10 months ago

adeelahmadch commented 10 months ago

/kind feature

1. Describe IN DETAIL the feature/behavior/change you would like to see.

With recent changes made by AWS in IAM role trust policy behavior (1), in specific use cases you need to allow instance roles to assume themselves explicitly. Components like kube2iam (2) rely on this behaviour. However, I believe this is currently hardcoded in kOps code (3) and it's not configurable by additional policies (4).

(1): https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
(2): https://github.com/jtblin/kube2iam
(3): https://github.com/kubernetes/kops/blob/v1.28.2/pkg/model/awsmodel/iam.go#L49
(4): https://kops.sigs.k8s.io/iam_roles/#adding-additional-policies

Cloud Provider: AWS
kOps Version: v1.28.2

2. Feel free to provide a design supporting your feature request.

adeelahmadch commented 10 months ago

Never mind, I was able to resolve this issue by modifying the IAM role (externally), and then I forced kops to ignore the changes to the role using:

 kops update cluster --lifecycle-overrides IAMRole=ExistsAndWarnIfChanges
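
Added example (not part of the original issue and not kOps code): a small Python check that reports whether a role trust policy explicitly names the role itself as a principal for `sts:AssumeRole`, and builds the amended document if it does not. The account ID, role name and sample policy are constructed placeholders; the sample is an EC2-service-only trust policy of the kind an instance role carries.

```python
import json

# Constructed sample values (placeholders, not taken from the issue).
ROLE_ARN = "arn:aws:iam::111122223333:role/nodes.example.k8s.local"
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

def _as_list(value):
    # IAM allows Statement, Action and Principal values as scalar or list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusts_itself(policy, role_arn):
    """True if an Allow statement covering sts:AssumeRole lists role_arn
    under Principal.AWS. Only exact ARN matches count: wildcards,
    account-root principals, NotPrincipal and Condition are not evaluated."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and role_arn in _as_list(principal.get("AWS")):
            return True
    return False

def with_self_trust(policy, role_arn):
    """Return a copy of policy with a self-trust statement appended if missing."""
    updated = json.loads(json.dumps(policy))  # deep copy, input stays untouched
    if not trusts_itself(updated, role_arn):
        updated["Statement"] = _as_list(updated.get("Statement")) + [
            {"Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": "sts:AssumeRole"}]
    return updated

if __name__ == "__main__":
    print("self-trust present:", trusts_itself(TRUST_POLICY, ROLE_ARN))
    print(json.dumps(with_self_trust(TRUST_POLICY, ROLE_ARN), indent=2))
```
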