From aab79f644cf15cc339e8f66746688a9d05ed2394 Mon Sep 17 00:00:00 2001
From: RA489
Date: Thu, 2 Aug 2018 16:52:48 +0530
Subject: [PATCH 1/5] Create README.md
---
 README.md | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..bc07f46f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,62 @@
+# cloud-provider-aws
+The AWS cloud provider provides the interface between a Kubernetes cluster and AWS service APIs. This project allows a Kubernetes cluster to provision, monitor and remove resources necessary for operation of the cluster.
+
+## Flags
+The flag `--cloud-provider=external` needs to be passed to kubelet, kube-apiserver, and kube-controller-manager. You should not pass the --cloud-provider flag to `aws-cloud-controller-manager`.
+
+## IAM Policy
+For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you will need to create a few IAM policies for your EC2 instances. The master policy is a bit open and can be scaled back depending on the use case. Adjust these based on your needs.
+
+1. Master Policy
+
+```
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:*",
+ "elasticloadbalancing:*",
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:ListImages",
+ "ecr:BatchGetImage"
+ ],
+ "Resource": "*"
+ }
+ ]
+ }
+ ```
+2. Node Policy
+
+```
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*",
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:ListImages",
+ "ecr:BatchGetImage"
+ ],
+ "Resource": "*"
+ }
+ ]
+ }
+ ```
+
+## Proper Node Names
+The cloud provider currently uses the instance private DNS name as the node name, but this is subject to change in the future.
+
+### NOTE
+Currently the implementation of the cloud provider is found in https://github.com/kubernetes/kubernetes/tree/master/pkg/cloudprovider/providers/aws, and vendored into this repository. In the future, the implementation will be migrated here and out of Kubernetes core.
From 3e8eacbf2f28de42f7a4c9fa6455a4305f83da79 Mon Sep 17 00:00:00 2001
From: RA489
Date: Thu, 9 Aug 2018 00:48:08 +0530
Subject: [PATCH 2/5] Update README.md
---
 README.md | 154 ++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 133 insertions(+), 21 deletions(-)
diff --git a/README.md b/README.md
index bc07f46f..53f3f391 100644
--- a/README.md
+++ b/README.md
@@ -10,27 +10,139 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 1. Master Policy
 
 ```
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:*",
- "elasticloadbalancing:*",
- "ecr:GetAuthorizationToken",
- "ecr:BatchCheckLayerAvailability",
- "ecr:GetDownloadUrlForLayer",
- "ecr:GetRepositoryPolicy",
- "ecr:DescribeRepositories",
- "ecr:ListImages",
- "ecr:BatchGetImage"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVolumes"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
+ "ec2:CreateVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Resource": [
+ "*"
+ ],
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeTags"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup"
+ ],
+ "Resource": [
+ "*"
+ ],
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcs",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeLoadBalancerPolicies",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:ModifyListener",
+ "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:RegisterTargets",
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateServiceLinkedRole",
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:DescribeKey",
+ ],
+ }
+ ]
+}
+
+```
 2. Node Policy
 
 ```
From 805ee91ccc1134b24159223cb77034b076668451 Mon Sep 17 00:00:00 2001
From: RA489
Date: Thu, 9 Aug 2018 02:41:08 +0530
Subject: [PATCH 3/5] Update README.md
---
 README.md | 82 ++++++++-----------------------------------------------
 1 file changed, 11 insertions(+), 71 deletions(-)
diff --git a/README.md b/README.md
index 53f3f391..6ae89653 100644
--- a/README.md
+++ b/README.md
@@ -21,28 +21,12 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 "ec2:DescribeRouteTables",
 "ec2:DescribeSecurityGroups",
 "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
+ "ec2:DescribeVolumes",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
 "ec2:CreateVolume",
 "ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
+ "ec2:ModifyVolume",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateRoute",
@@ -50,37 +34,12 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Resource": [
- "*"
- ],
- },
- {
- "Effect": "Allow",
- "Action": [
+ "ec2:RevokeSecurityGroupIngress",
+
 "autoscaling:DescribeAutoScalingGroups",
 "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Resource": [
- "*"
- ],
- },
- {
- "Effect": "Allow",
- "Action": [
+ "autoscaling:DescribeTags",
+
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
@@ -96,15 +55,7 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
 "ec2:DescribeVpcs",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
@@ -118,27 +69,16 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
 "elasticloadbalancing:RegisterTargets",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+
 "iam:CreateServiceLinkedRole",
+
+ "kms:DescribeKey"
 ],
 "Resource": [
 "*"
 ]
 },
- {
- "Effect": "Allow",
- "Action": [
- "kms:DescribeKey",
- ],
- }
 ]
 }
 
From d0a6a51d0534e4ece9ef41881f4261a06f00d7d6 Mon Sep 17 00:00:00 2001
From: RA489
Date: Thu, 9 Aug 2018 02:51:43 +0530
Subject: [PATCH 4/5] Update README.md
---
 README.md | 13 +++++-------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 6ae89653..4d6e623b 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,9 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 {
 "Effect": "Allow",
 "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeTags",
 "ec2:DescribeInstances",
 "ec2:DescribeRegions",
 "ec2:DescribeRouteTables",
@@ -35,11 +38,6 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
 "ec2:RevokeSecurityGroupIngress",
-
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
-
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
@@ -70,9 +68,7 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 "elasticloadbalancing:ModifyTargetGroup",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
 
- "iam:CreateServiceLinkedRole",
-
 "kms:DescribeKey"
 ],
 "Resource": [
@@ -92,7 +88,8 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 {
 "Effect": "Allow",
 "Action": [
- "ec2:Describe*",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
 "ecr:GetAuthorizationToken",
 "ecr:BatchCheckLayerAvailability",
 "ecr:GetDownloadUrlForLayer",
From 358656ea41b455247fc89ef48418a004959799bf Mon Sep 17 00:00:00 2001
From: RA489
Date: Thu, 9 Aug 2018 02:55:20 +0530
Subject: [PATCH 5/5] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4d6e623b..0b4e485d 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,7 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
 "ec2:RevokeSecurityGroupIngress",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
@@ -54,7 +55,6 @@ For the aws-cloud-controller-manager to be able to communicate to AWS APIs, you
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "ec2:DescribeVpcs",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",