From d274f391a457f46d44ea451fc3314bd19fe90342 Mon Sep 17 00:00:00 2001
From: Catherine Luse
Date: Sun, 11 Oct 2020 12:26:56 -0700
Subject: [PATCH] Add minimum EKS permissions from PR #2741
---
 .../hosted-kubernetes-clusters/eks/_index.md | 280 +++++++++++-------
 1 file changed, 178 insertions(+), 102 deletions(-)
diff --git a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/_index.md b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/_index.md
index 74d9e9ef038..d5e7e13ddf0 100644
--- a/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/_index.md
+++ b/content/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/_index.md
@@ -19,6 +19,9 @@ Amazon EKS provides a managed control plane for your Kubernetes cluster. Amazon
 - [Security and Compliance](#security-and-compliance)
 - [Tutorial](#tutorial)
 - [Minimum EKS Permissions](#minimum-eks-permissions)
+ - [Service Role Permissions](#service-role-permissions)
+ - [VPC Permissions](#vpc-permissions)
+- [Syncing](#syncing)
 # Prerequisites in Amazon Web Services
@@ -331,9 +334,15 @@ This [tutorial](https://aws.amazon.com/blogs/opensource/managing-eks-clusters-ra
 # Minimum EKS Permissions
-Documented here is a minimum set of permissions necessary to use all functionality of the EKS driver in Rancher.
+Documented here is a minimum set of permissions necessary to use all functionality of the EKS driver in Rancher. Additional permissions are required for Rancher to provision the `Service Role` and `VPC` resources. Optionally these resources can be created **before** the cluster creation and will be selectable when defining the cluster configuration.
-Resource targeting uses `*` as the ARN of many of the resources created cannot be known prior to creating the EKS cluster in Rancher. Some permissions (for example `ec2:CreateVpc`) are only used in situations where Rancher handles the creation of certain resources.
+Resource | Description
+---------|------------
+Service Role | The service role provides Kubernetes the permissions it requires to manage resources on your behalf. Rancher can create the service role with the following [Service Role Permissions](http://localhost:9001/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/#service-role-permissions).
+VPC | Provides isolated network resouces utilised by EKS and worker nodes. Rancher can create the VPC resouces with the follwoing [VPC Permissions](http://localhost:9001/rancher/v2.x/en/cluster-provisioning/hosted-kubernetes-clusters/eks/#vpc-permissions).
+
+
+Resource targeting uses `*` as the ARN of many of the resources created cannot be known prior to creating the EKS cluster in Rancher.
 ```json
 {
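Review bot: The two table rows `Service Role | …` and `VPC | …` link to `http://localhost:9001/rancher/v2.x/en/...`, an author's local preview server, so the links are dead for every reader of the published page; the in-page anchors `[Service Role Permissions](#service-role-permissions)` and `[VPC Permissions](#vpc-permissions)` that the table of contents already uses are what belongs here. The same rows carry the typos `resouces` (twice) and `follwoing`. The added sentence `Optionally these resources can be created **before** the cluster creation and will be selectable when defining the cluster configuration.` would read better as `Optionally, these resources can be created **before** cluster creation and are then selectable when defining the cluster configuration.`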
@@ -343,92 +352,26 @@ Resource targeting uses `*` as the ARN of many of the resources created cannot b
 "Sid": "EC2Permisssions",
 "Effect": "Allow",
 "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSubnet",
- "ec2:CreateKeyPair",
- "ec2:AttachInternetGateway",
- "ec2:ReplaceRoute",
- "ec2:DeleteRouteTable",
- "ec2:AssociateRouteTable",
- "ec2:DescribeInternetGateways",
- "ec2:CreateRoute",
- "ec2:CreateInternetGateway",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:DescribeAccountAttributes",
- "ec2:DeleteInternetGateway",
- "ec2:DescribeKeyPairs",
- "ec2:CreateTags",
- "ec2:CreateRouteTable",
- "ec2:DescribeRouteTables",
- "ec2:DetachInternetGateway",
- "ec2:DisassociateRouteTable",
 "ec2:RevokeSecurityGroupIngress",
- "ec2:DeleteVpc",
- "ec2:CreateSubnet",
- "ec2:DescribeSubnets",
- "ec2:DeleteKeyPair",
- "ec2:DeleteTags",
- "ec2:CreateVpc",
- "ec2:DescribeAvailabilityZones",
- "ec2:CreateSecurityGroup",
- "ec2:ModifyVpcAttribute",
- "ec2:AuthorizeSecurityGroupEgress",
- "ec2:DescribeTags",
- "ec2:DeleteRoute",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeImages",
+ "ec2:RevokeSecurityGroupEgress",
 "ec2:DescribeVpcs",
- "ec2:DeleteSecurityGroup"
- ],
- "Resource": "*"
- },
- {
- "Sid": "EKSPermissions",
- "Effect": "Allow",
- "Action": [
- "eks:DeleteFargateProfile",
- "eks:DescribeFargateProfile",
- "eks:ListTagsForResource",
- "eks:UpdateClusterConfig",
- "eks:DescribeNodegroup",
- "eks:ListNodegroups",
- "eks:DeleteCluster",
- "eks:CreateFargateProfile",
- "eks:DeleteNodegroup",
- "eks:UpdateNodegroupConfig",
- "eks:DescribeCluster",
- "eks:ListClusters",
- "eks:UpdateClusterVersion",
- "eks:UpdateNodegroupVersion",
- "eks:ListUpdates",
- "eks:CreateCluster",
- "eks:UntagResource",
- "eks:CreateNodegroup",
- "eks:ListFargateProfiles",
- "eks:DescribeUpdate",
- "eks:TagResource"
- ],
- "Resource": "*"
- },
- {
- "Sid": "IAMPermissions",
- "Effect": "Allow",
- "Action": [
- "iam:ListRoleTags",
- "iam:RemoveRoleFromInstanceProfile",
- "iam:CreateRole",
- "iam:AttachRolePolicy",
- "iam:AddRoleToInstanceProfile",
- "iam:DetachRolePolicy",
- "iam:GetRole",
- "iam:DeleteRole",
- "iam:CreateInstanceProfile",
- "iam:ListInstanceProfilesForRole",
- "iam:PassRole",
- "iam:GetInstanceProfile",
- "iam:ListRoles",
- "iam:ListInstanceProfiles",
- "iam:DeleteInstanceProfile"
+ "ec2:DescribeTags",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeImages",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DeleteTags",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteKeyPair",
+ "ec2:CreateTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateKeyPair",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:AuthorizeSecurityGroupEgress"
 ],
 "Resource": "*"
 },
@@ -436,30 +379,67 @@ Resource targeting uses `*` as the ARN of many of the resources created cannot b
 "Sid": "CloudFormationPermisssions",
 "Effect": "Allow",
 "Action": [
- "cloudformation:DescribeStackResource",
- "cloudformation:ListStackResources",
- "cloudformation:DescribeStackResources",
- "cloudformation:DescribeStacks",
 "cloudformation:ListStacks",
+ "cloudformation:ListStackResources",
+ "cloudformation:DescribeStacks",
+ "cloudformation:DescribeStackResources",
+ "cloudformation:DescribeStackResource",
+ "cloudformation:DeleteStack",
+ "cloudformation:CreateStackSet",
 "cloudformation:CreateStack"
 ],
 "Resource": "*"
 },
 {
- "Sid": "AutoScalingPermissions",
+ "Sid": "IAMPermissions",
 "Effect": "Allow",
 "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:UpdateAutoScalingGroup",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:CreateOrUpdateTags",
- "autoscaling:DeleteAutoScalingGroup",
- "autoscaling:CreateAutoScalingGroup",
- "autoscaling:DescribeAutoScalingInstances",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeScalingActivities",
- "autoscaling:CreateLaunchConfiguration",
- "autoscaling:DeleteLaunchConfiguration"
+ "iam:PassRole",
+ "iam:ListRoles",
+ "iam:ListRoleTags",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListInstanceProfiles",
+ "iam:ListAttachedRolePolicies",
+ "iam:GetRole",
+ "iam:GetInstanceProfile",
+ "iam:DetachRolePolicy",
+ "iam:DeleteRole",
+ "iam:CreateRole",
+ "iam:AttachRolePolicy"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "KMSPermisssions",
+ "Effect": "Allow",
+ "Action": "kms:ListKeys",
+ "Resource": "*"
+ },
+ {
+ "Sid": "EKSPermisssions",
+ "Effect": "Allow",
+ "Action": [
+ "eks:UpdateNodegroupVersion",
+ "eks:UpdateNodegroupConfig",
+ "eks:UpdateClusterVersion",
+ "eks:UpdateClusterConfig",
+ "eks:UntagResource",
+ "eks:TagResource",
+ "eks:ListUpdates",
+ "eks:ListTagsForResource",
+ "eks:ListNodegroups",
+ "eks:ListFargateProfiles",
+ "eks:ListClusters",
+ "eks:DescribeUpdate",
+ "eks:DescribeNodegroup",
+ "eks:DescribeFargateProfile",
+ "eks:DescribeCluster",
+ "eks:DeleteNodegroup",
+ "eks:DeleteFargateProfile",
+ "eks:DeleteCluster",
+ "eks:CreateNodegroup",
+ "eks:CreateFargateProfile",
+ "eks:CreateCluster"
 ],
 "Resource": "*"
 }
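Review bot: `iam:PassRole` in the new `IAMPermissions` statement is granted on `"Resource": "*"`, which lets the Rancher credential hand any role in the account to EKS; the service role and node role exist before the cluster is created (the new text even says they can be pre-created), so this action can be scoped to those role ARNs, or at minimum restricted with `"Condition": {"StringEquals": {"iam:PassedToService": "eks.amazonaws.com"}}` in its own statement, even while the other actions keep `*`. `cloudformation:CreateStackSet` is added next to `cloudformation:CreateStack`, but no matching stack-set describe or delete action is listed and nothing on the page mentions stack sets, so it looks like a copy-and-paste; drop it unless the driver really creates stack sets. The whole `AutoScalingPermissions` statement is removed without a word in the commit message; if that is because the driver now relies on EKS managed node groups, a sentence saying so would spare readers hunting for the missing actions. Finally, the new Sids `KMSPermisssions` and `EKSPermisssions` copy the triple-s typo of the existing Sids and replace the correctly spelled `EKSPermissions`; Sids are only labels, but `KMSPermissions` and `EKSPermissions` would do.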
@@ -467,6 +447,102 @@ Resource targeting uses `*` as the ARN of many of the resources created cannot b
 }
 ```
+### Service Role Permissions
+
+Rancher will create a service role with the following trust policy:
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "Service": "eks.amazonaws.com"
+ },
+ "Effect": "Allow",
+ "Sid": ""
+ }
+ ]
+}
+```
+
+This role will also have two role policy attachments with the following policies ARNs:
+
+```
+arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+arn:aws:iam::aws:policy/AmazonEKSServicePolicy
+```
+
+Permissions required for Rancher to create service role on users behalf during the EKS cluster creation process.
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "IAMPermisssions",
+ "Effect": "Allow",
+ "Action": [
+ "iam:AddRoleToInstanceProfile",
+ "iam:AttachRolePolicy",
+ "iam:CreateInstanceProfile",
+ "iam:CreateRole",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeleteInstanceProfile",
+ "iam:DeleteRole",
+ "iam:DetachRolePolicy",
+ "iam:GetInstanceProfile",
+ "iam:GetRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListInstanceProfiles",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListRoles",
+ "iam:ListRoleTags",
+ "iam:PassRole",
+ "iam:RemoveRoleFromInstanceProfile"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+### VPC Permissions
+
+Permissions required for Rancher to create VPC and associated resources.
+
+```json
+{
+ "Sid": "VPCPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:ReplaceRoute",
+ "ec2:ModifyVpcAttribute",
+ "ec2:ModifySubnetAttribute",
+ "ec2:DisassociateRouteTable",
+ "ec2:DetachInternetGateway",
+ "ec2:DescribeVpcs",
+ "ec2:DeleteVpc",
+ "ec2:DeleteTags",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteRoute",
+ "ec2:DeleteInternetGateway",
+ "ec2:CreateVpc",
+ "ec2:CreateSubnet",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateRouteTable",
+ "ec2:CreateRoute",
+ "ec2:CreateInternetGateway",
+ "ec2:AttachInternetGateway",
+ "ec2:AssociateRouteTable"
+ ],
+ "Resource": "*"
+}
+```
+
+
 # Syncing
 Syncing is the feature that causes Rancher to update its EKS clusters' values so they are up to date with their corresponding cluster object in the EKS console. This enables Rancher to not be the sole owner of an EKS cluster’s state. Its largest limitation is that processing an update from Rancher and another source at the same time or within 5 minutes of one finishing may cause the state from one source to completely overwrite the other.
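Review bot: The `IAMPermisssions` statement for creating the service role grants `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PassRole` on `"Resource": "*"`, which together amount to the ability to create a role with any managed policy attached and pass it on, i.e. effectively administrative access rather than a minimum; since the text just above fixes the attachments to `AmazonEKSClusterPolicy` and `AmazonEKSServicePolicy`, `iam:AttachRolePolicy` and `iam:DetachRolePolicy` should sit in their own statement with `"Condition": {"ArnEquals": {"iam:PolicyARN": ["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"]}}`, and the page should say plainly that this policy is broader than the EKS driver itself needs. The `VPCPermissions` block is a bare statement object, unlike the two policy documents before it, so it cannot be pasted into IAM as-is; wrap it in `{"Version": "2012-10-17", "Statement": [ … ]}` like the others. The sentence `Permissions required for Rancher to create service role on users behalf` should read `create the service role on the user's behalf`, and `with the following policies ARNs` should read `policy ARNs`.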