fix(docs): Update AWS IAM Policy docs #25078
Nice find! Thanks a lot. I think we can document that the permission can be worked around, since it's not strictly required if the user manually specifies ENI GC tags.
LGTM pending Sebastian's suggestion
One non-blocking nit, otherwise LGTM from a docs perspective
83b81fe to 1b754fd
Sebastian, I think this looks good now. Let me know if there is something missing.
Awesome, looks good, thanks a lot!
a74dd48 to 411ab9b
Update documentation related to configuration on AWS. Certain IAM Policies must be in place if --clustername and --eni-gc-tags are not set. Incomplete docs got introduced after e66ed7f

Signed-off-by: Tore S. Loenoey <tore.lonoy@gmail.com>
Required checks for documentation PRs have passed. Marking ready to merge.
Missing `ec2:DescribeTags` after e66ed7f got merged. This commit introduced a helper function which would require the AWS IAM Policy `ec2:DescribeTags` to be added to the cilium operator. I'm not sure of the full implications of not having this policy present, as it seems to be only used in certain cases. Either way, including this policy seems fair and I don't see any security implications of it.
Commit e66ed7f introduced a helper function for looking up the EKS cluster name in AWS. This requires the IAM Policy `ec2:DescribeTags`, which is not documented. This PR updates the documentation for required IAM Policy rights needed for Cilium to work in EKS.
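
An added example, not part of this PR or of the Cilium code base: an offline check that an IAM policy document attached to the operator's role covers `ec2:DescribeTags`, the permission discussed above. The sample policies are constructed and are not the list from the Cilium documentation; the check assumes an identity policy and ignores `Resource` and `Condition`.

```python
import re

REQUIRED_ACTION = "ec2:DescribeTags"  # the permission this PR adds to the docs


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive; '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def action_granted(policy, action=REQUIRED_ACTION):
    """True if an Allow statement covers `action` and no Deny statement does.

    Assumption: Resource and Condition are not evaluated, so True means the
    action is listed, not that it is effective for every resource.
    """
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            hit = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
        if hit and stmt.get("Effect") == "Deny":
            denied = True  # an explicit Deny always overrides an Allow
        elif hit and stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


# Constructed sample policies (hypothetical, for illustration only).
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeNetworkInterfaces", "ec2:CreateNetworkInterface"]}]}
AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": BEFORE["Statement"][0]["Action"] + [REQUIRED_ACTION]}]}
WILDCARD = {"Version": "2012-10-17", "Statement":
            {"Effect": "Allow", "Resource": "*", "Action": "ec2:Describe*"}}
DENIED = {"Version": "2012-10-17", "Statement": [
    WILDCARD["Statement"],
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:describetags"}]}

if __name__ == "__main__":
    for name in ("BEFORE", "AFTER", "WILDCARD", "DENIED"):
        print(name, action_granted(globals()[name]))
```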