
fix(docs): Update AWS IAM Policy docs #25078

Merged (1 commit, Apr 25, 2023)

Conversation

@toredash (Contributor) commented Apr 24, 2023

Missing ec2:DescribeTags after e66ed7f got merged. This commit introduced a helper function which would require the AWS IAM Policy ec2:DescribeTags to be added to the cilium operator.

I'm not sure of the full implications of not having this policy present, as it seems to be only used in certain cases. Either way, including this policy seems fair and I don't see any security implications of it.

Please ensure your pull request adheres to the following guidelines:

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • If your commit description contains a Fixes: <commit-id> tag, then
    please add the commit author[s] as reviewer[s] to this issue.
  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Are you a user of Cilium? Please add yourself to the Users doc
  • Thanks for contributing!

Commit e66ed7f introduced a helper function for looking up EKS cluster name in AWS. This requires the IAM Policy ec2:DescribeTags, which is not documented.

This PR updates the documentation for required IAM Policy rights needed for Cilium to work in EKS.

Update the documentation for required IAM policy rights needed for Cilium to work in EKS.
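As an added example (not code from this PR or from the Cilium project), a small IAM identity-policy checker that answers the question the PR raises: does the operator's policy grant `ec2:DescribeTags`, and is that action even required given how the operator is configured? The two policy documents and the base action list are constructed samples; resource ARNs and `Condition` blocks are not evaluated (assumption).

```python
import fnmatch
import json

# Constructed sample: an operator policy written before this PR, with no ec2:DescribeTags.
POLICY_BEFORE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets"],
     "Resource": "*"}
  ]
}
""")

# Same policy plus the single action the PR documents (a narrow grant, not an ec2:Describe* wildcard).
POLICY_AFTER = json.loads(json.dumps(POLICY_BEFORE))
POLICY_AFTER["Statement"].append(
    {"Effect": "Allow", "Action": "ec2:DescribeTags", "Resource": "*"})


def _as_list(value):
    """IAM lets Statement, Action and NotAction be a single string or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _statement_matches(stmt, action):
    """True if the statement's Action (or NotAction) covers `action`.
    IAM action matching is case-insensitive and supports the '*' and '?' wildcards."""
    act = action.lower()
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(stmt["NotAction"]))
    return False


def action_allowed(policy, action):
    """Identity-policy evaluation for one action: an explicit Deny beats any Allow,
    and no matching statement means implicit deny. Conditions are ignored (assumption)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_matches(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def operator_required_actions(base_actions, cluster_name_set, eni_gc_tags_set):
    """Per the PR, ec2:DescribeTags is only needed for the EKS cluster-name lookup,
    which is skipped when both the cluster name and the ENI GC tags are set explicitly."""
    required = list(base_actions)
    if not (cluster_name_set and eni_gc_tags_set):
        required.append("ec2:DescribeTags")
    return required


def missing_actions(policy, required):
    """Actions from `required` that the policy does not allow."""
    return [a for a in required if not action_allowed(policy, a)]
```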

@toredash toredash requested review from a team as code owners April 24, 2023 08:50
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 24, 2023
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Apr 24, 2023
@gandro gandro added area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. release-note/misc This PR makes changes that have no direct user impact. labels Apr 24, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 24, 2023
@gandro (Member) left a comment

Nice find! Thanks a lot. I think we can document that the permission can be worked around, since it's not strictly required if the user manually specifies ENI GC tags.

Review comment on Documentation/network/concepts/ipam/eni.rst (resolved)
@gandro gandro added the needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch label Apr 24, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.3 Apr 24, 2023
@christarazi (Member) left a comment

LGTM pending Sebastian's suggestion

@zacharysarah (Contributor) left a comment

One non-blocking nit, otherwise LGTM from a docs perspective

Review comment on Documentation/network/concepts/ipam/eni.rst (resolved)
@toredash toredash force-pushed the patch-1 branch 2 times, most recently from 83b81fe to 1b754fd Compare April 25, 2023 10:24
@toredash (Contributor, Author) commented

Sebastian, I think this looks good now. Let me know if there is something missing.

@gandro (Member) left a comment

Awesome, looks good, thanks a lot!

@toredash toredash force-pushed the patch-1 branch 5 times, most recently from a74dd48 to 411ab9b Compare April 25, 2023 12:57

Commit message:

Update documentation related to configuration on AWS. Certain
IAM Policies must be in place if --clustername and --eni-gc-tags
are not set.

Incomplete docs got introduced after e66ed7f

Signed-off-by: Tore S. Loenoey <tore.lonoy@gmail.com>
@gandro (Member) commented Apr 25, 2023

Required checks for documentation PRs have passed. Marking ready to merge.

@gandro gandro added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 25, 2023
@michi-covalent michi-covalent merged commit 16e4b68 into cilium:main Apr 25, 2023
35 checks passed
@sayboras sayboras mentioned this pull request Apr 26, 2023
@sayboras sayboras added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Apr 26, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.13 in 1.13.3 Apr 26, 2023
@sayboras sayboras added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Apr 28, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.3 Apr 28, 2023