IAM Policy Doc Question #2985

Closed
Azahorscak opened this issue Jul 12, 2024 · 5 comments · Fixed by #2992
Comments


Azahorscak commented Jul 12, 2024

What happened:

By following the IAM policy guidelines linked in the README, we receive the below error and appear to be missing some IAM permissions when compared to the AWS managed policy.

Error message:

Unauthorized operation: failed to call ec2:DescribeSubnets due to missing permissions. Please refer https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md to attach relevant policy to IAM role

The additional permissions don't appear necessary in most situations, and because we tag subnets. But I was wondering if the AWS managed policy AmazonEKS_CNI_Policy should be linked in the docs here, or if there is other clarifying guidance on this error.

Environment:

  • Kubernetes version (use kubectl version): 1.29.4-eks-036c24b
  • CNI Version: v1.18.0
  • OS (e.g: cat /etc/os-release): N/A
  • Kernel (e.g. uname -a): N/A
@orsenthil
Member

We do mention it

The above policy is also available under: arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy as a part of AWS managed policies for EKS.

@Azahorscak
Author

Ah yes, you do. But the two policies differ, and the CNI pods are printing errors stating that permissions are missing.

A mention of this error and confirmation that it's safe to ignore as long as you are not looking for automatic subnet discovery would have prevented me from opening this issue. Happy to submit a PR if this is correct.

Or perhaps a better path would be to simply reference the managed policy as the authoritative source of policies required? Is that technically true?

@orsenthil
Member

Oh, I see. We should update the doc here - https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md with "ec2:DescribeSubnets", as that seems to be the one missing from here - https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html#AmazonEKS_CNI_Policy-json

The doc exists to give an overview of the policies and, importantly, how to scope down the policy. So keeping it seems good. You could submit a PR adding ec2:DescribeSubnets to the doc.
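
One way to catch this kind of drift before the CNI pods report it, as an added example that is not part of this thread or of the project: compare the actions a hand-written (scoped-down) policy grants against a reference policy and list what is missing. Both policy documents below are constructed stand-ins (the managed-policy one is abbreviated and written from memory, not copied from the published document), and the check compares action names only, so Resource and Condition scoping still has to be reviewed by hand.

```python
import fnmatch
import json

# Constructed, abbreviated stand-in for the AWS managed policy; the published
# document is the AmazonEKS_CNI_Policy reference linked in this thread.
MANAGED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:AssignPrivateIpAddresses", "ec2:AttachNetworkInterface",
                "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances", "ec2:DescribeInstanceTypes",
                "ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets",
                "ec2:DescribeTags", "ec2:DetachNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:UnassignPrivateIpAddresses"]},
    {"Effect": "Allow", "Action": "ec2:CreateTags",
     "Resource": "arn:aws:ec2:*:*:network-interface/*"}
  ]
}
""")

# Constructed stand-in for a policy hand-written from the docs page, with
# ec2:DescribeSubnets left out as in the error reported above.
DOC_POLICY = json.loads(json.dumps(MANAGED_POLICY))
DOC_POLICY["Statement"][0]["Action"].remove("ec2:DescribeSubnets")


def allowed_actions(policy):
    """Every action pattern granted by Allow statements (Action: string or list)."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def is_covered(action, patterns):
    """IAM matches action names case-insensitively and allows '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(reference, candidate):
    """Actions the reference grants that no candidate pattern covers. Compares
    action names only; Resource and Condition scoping still need manual review."""
    cand = allowed_actions(candidate)
    return sorted(a for a in allowed_actions(reference) if not is_covered(a, cand))
```

Running `missing_actions(MANAGED_POLICY, DOC_POLICY)` on the constructed inputs returns `["ec2:DescribeSubnets"]`, which is exactly the permission the error message above complains about.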

@Azahorscak
Author

Thanks, I'll have a PR in tomorrow.


This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.