
[Feature] Request for improvements to IAM policies set from the nodeGroups.iam.withAddonPolicies.efs parameter #7138

Open
KazuhoShibutani opened this issue Oct 4, 2023 · 2 comments
Labels
area/aws-iam kind/improvement priority/important-longterm Important over the long term, but may not be currently staffed and/or may require multiple releases

Comments

@KazuhoShibutani

What feature/behavior/change do you want?

I want to improve the permissions when set from the nodeGroups.iam.withAddonPolicies.efs parameter.
Specifically, isn't it possible to grant the same permissions as AmazonEFSCSIDriverPolicy?
If not, I want to know why the current permissions are needed.

Why do you want this feature?

This is to minimize unnecessary permissions and make it more secure.

I understand that the nodeGroups.iam.withAddonPolicies.efs parameter is a setting for the IAM policy to use the EFS CSI driver add-on like the EBS CSI driver.
IAM policies - eksctl

EBS Policy
The ebs policy enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver.

Currently, when the parameter is set to true, the following policies are attached to the node's IAM role.

if api.IsEnabled(iamConfig.WithAddonPolicies.EFS) {
	cfnTemplate.attachAllowPolicy("PolicyEFS", refIR, efsStatements())
	cfnTemplate.attachAllowPolicy("PolicyEFSEC2", refIR, efsEc2Statements())
}

func efsStatements() []cft.MapOfInterfaces {
	return []cft.MapOfInterfaces{
		{
			"Effect":   effectAllow,
			"Resource": resourceAll,
			"Action": []string{
				"elasticfilesystem:*",
			},
		},
	}
}

func efsEc2Statements() []cft.MapOfInterfaces {
	return []cft.MapOfInterfaces{
		{
			"Effect":   effectAllow,
			"Resource": resourceAll,
			"Action": []string{
				"ec2:DescribeSubnets",
				"ec2:CreateNetworkInterface",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DeleteNetworkInterface",
				"ec2:ModifyNetworkInterfaceAttribute",
				"ec2:DescribeNetworkInterfaceAttribute",
			},
		},
	}
}

This permission is more powerful than the AmazonEFSCSIDriverPolicy.
For example, other pods on the node can use the elasticfilesystem:DeleteFileSystem permission when the parameter is true.

I am opening this issue on behalf of our customer.

@KazuhoShibutani KazuhoShibutani added the kind/feature New feature or request label Oct 4, 2023
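The difference the issue describes can be checked offline with a small IAM action matcher. The following Go program is an added example written for this page, not code from eksctl or from the issue author: it reproduces the efsStatements() policy quoted above, places a tag-scoped alternative in the style of AmazonEFSCSIDriverPolicy beside it, and evaluates elasticfilesystem:DeleteFileSystem against both. The scoped policy's action list and the efs.csi.aws.com/cluster tag key are this example's reading of the managed policy and are an assumption to verify against the current policy document; the Statement, Request, Allowed and UnconditionalWildcards names are this example's own.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Statement is the subset of an IAM policy statement needed here. Both policies
// on the page use Resource "*", so only Action and an optional StringEquals
// condition block are modelled.
type Statement struct {
	Effect       string
	Actions      []string
	StringEquals map[string]string // condition key -> required value
}

// Request is a simplified API call as IAM sees it: the action, the tags on the
// target resource, and the tags supplied in the request itself.
type Request struct {
	Action       string
	ResourceTags map[string]string
	RequestTags  map[string]string
}

// matchAction applies IAM's action matching: case-insensitive, '*' matches any
// run of characters and '?' matches one. Action names never contain '/', so
// path.Match gives exactly those semantics.
func matchAction(pattern, action string) bool {
	ok, err := path.Match(strings.ToLower(pattern), strings.ToLower(action))
	return err == nil && ok
}

// conditionMet evaluates a StringEquals block. Only the aws:ResourceTag/ and
// aws:RequestTag/ keys are understood; any other key is treated as unmet, the
// safe direction for an Allow statement.
func conditionMet(cond map[string]string, req Request) bool {
	for key, want := range cond {
		var got string
		var ok bool
		switch {
		case strings.HasPrefix(key, "aws:ResourceTag/"):
			got, ok = req.ResourceTags[strings.TrimPrefix(key, "aws:ResourceTag/")]
		case strings.HasPrefix(key, "aws:RequestTag/"):
			got, ok = req.RequestTags[strings.TrimPrefix(key, "aws:RequestTag/")]
		}
		if !ok || got != want {
			return false
		}
	}
	return true
}

// Allowed reports whether any Allow statement covers the request. The policies
// on the page contain only Allow statements, so explicit Deny is not modelled.
func Allowed(stmts []Statement, req Request) bool {
	for _, s := range stmts {
		if s.Effect != "Allow" || !conditionMet(s.StringEquals, req) {
			continue
		}
		for _, pat := range s.Actions {
			if matchAction(pat, req.Action) {
				return true
			}
		}
	}
	return false
}

// UnconditionalWildcards lists wildcard action patterns in Allow statements that
// carry no condition: the cheap lint that flags "elasticfilesystem:*".
func UnconditionalWildcards(stmts []Statement) []string {
	var out []string
	for _, s := range stmts {
		if s.Effect != "Allow" || len(s.StringEquals) > 0 {
			continue
		}
		for _, a := range s.Actions {
			if strings.Contains(a, "*") {
				out = append(out, a)
			}
		}
	}
	return out
}

// EksctlEFS reproduces the efsStatements() policy quoted in the issue.
var EksctlEFS = []Statement{
	{Effect: "Allow", Actions: []string{"elasticfilesystem:*"}},
}

// ScopedEFS is a tag-scoped alternative in the style of AmazonEFSCSIDriverPolicy.
// Assumption: action list and tag key as this example understands that managed
// policy; confirm against the current policy document before reuse.
var ScopedEFS = []Statement{
	{Effect: "Allow", Actions: []string{
		"elasticfilesystem:DescribeAccessPoints",
		"elasticfilesystem:DescribeFileSystems",
		"elasticfilesystem:DescribeMountTargets",
		"ec2:DescribeAvailabilityZones",
	}},
	{Effect: "Allow", Actions: []string{"elasticfilesystem:CreateAccessPoint"},
		StringEquals: map[string]string{"aws:RequestTag/efs.csi.aws.com/cluster": "true"}},
	{Effect: "Allow", Actions: []string{"elasticfilesystem:TagResource", "elasticfilesystem:DeleteAccessPoint"},
		StringEquals: map[string]string{"aws:ResourceTag/efs.csi.aws.com/cluster": "true"}},
}

func main() {
	del := Request{Action: "elasticfilesystem:DeleteFileSystem"}
	fmt.Println("eksctl policy allows DeleteFileSystem:", Allowed(EksctlEFS, del))
	fmt.Println("scoped policy allows DeleteFileSystem:", Allowed(ScopedEFS, del))
	fmt.Println("unconditional wildcards in eksctl policy:", UnconditionalWildcards(EksctlEFS))
}
```

The matcher only reproduces the parts of IAM evaluation that matter for this comparison (Allow statements, action globbing, tag conditions); a real decision also involves Deny statements, resource ARNs, SCPs and permission boundaries, so use it as a lint on generated policy documents, not as a substitute for the IAM policy simulator. The point it makes is the one in the issue: with a node role carrying elasticfilesystem:*, any pod that can reach the instance metadata endpoint inherits DeleteFileSystem, whereas the tag-scoped shape limits destructive actions to access points the CSI driver itself tagged.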

github-actions bot commented Oct 4, 2023

Hello KazuhoShibutani 👋 Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

@TiberiuGC TiberiuGC added kind/improvement area/aws-iam and removed kind/feature New feature or request labels Oct 6, 2023

github-actions bot commented Nov 6, 2023

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Nov 6, 2023
@cPu1 cPu1 added priority/important-longterm Important over the long term, but may not be currently staffed and/or may require multiple releases and removed stale labels Nov 6, 2023