Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update aws-node clusterrole permissions #2058

Merged
merged 1 commit into from
Aug 10, 2022
Merged

update aws-node clusterrole permissions #2058

merged 1 commit into from
Aug 10, 2022

Conversation

sushrk
Copy link
Contributor

@sushrk sushrk commented Aug 9, 2022

What type of PR is this?
bug, cleanup

Which issue does this PR fix:
N/A

What does this PR do / Why do we need it:
Updates aws-node clusterrole permissions to have the least required permissions

If an issue # is not available please add repro steps and logs from IPAMD/CNI showing the issue:
N/A

Testing done on this change:
Ran the relevant integration test:

[9/08/22 10:32:01] ➜  ipamd git:(eaca3fe5) ✗ ginkgo -v -timeout 10m --fail-on-pending -- \
 --cluster-kubeconfig=$KUBECONFIG \
 --cluster-name=$CLUSTER_NAME \
 --aws-region=$AWS_REGION \
 --aws-vpc-id=$VPC_ID \
 --ng-name-label-key=$NG_NAME_LABEL_KEY \
 --ng-name-label-val=$NG_NAME_LABEL_VAL
Running Suite: VPC IPAMD Test Suite - /Users/ravsushm/go/src/github.com/aws/amazon-vpc-cni-k8s/test/integration/ipamd
=====================================================================================================================
Random Seed: 1660066326

Will run 1 of 26 specs
------------------------------
[BeforeSuite] 
/Users/ravsushm/go/src/github.com/aws/amazon-vpc-cni-k8s/test/integration/ipamd/ipamd_suite_test.go:32
I0809 10:32:30.451424   48615 request.go:665] Waited for 1.001363345s due to client-side throttling, not priority and fairness, request: GET:https://1C30ABE12DEABC4CBA07E6115710E11D.yl4.us-west-2.eks.amazonaws.com/apis/coordination.k8s.io/v1?timeout=32s
STEP: creating test namespace 08/09/22 10:32:32.241
STEP: removing the environment variables from the ds map[MINIMUM_IP_TARGET:{} WARM_ENI_TARGET:{} WARM_IP_TARGET:{} WARM_PREFIX_TARGET:{}] 08/09/22 10:32:33.083
STEP: getting the aws-node daemon set in namesapce kube-system 08/09/22 10:32:33.083
STEP: updating the daemon set with new environment variable 08/09/22 10:32:33.284
------------------------------
[BeforeSuite] PASSED [25.348 seconds]
[BeforeSuite] 
/Users/ravsushm/go/src/github.com/aws/amazon-vpc-cni-k8s/test/integration/ipamd/ipamd_suite_test.go:32

  Begin Captured GinkgoWriter Output >>
    STEP: creating test namespace 08/09/22 10:32:32.241
    STEP: removing the environment variables from the ds map[MINIMUM_IP_TARGET:{} WARM_ENI_TARGET:{} WARM_IP_TARGET:{} WARM_PREFIX_TARGET:{}] 08/09/22 10:32:33.083
    STEP: getting the aws-node daemon set in namesapce kube-system 08/09/22 10:32:33.083
    STEP: updating the daemon set with new environment variable 08/09/22 10:32:33.284
  << End Captured GinkgoWriter Output
------------------------------
SSSSSSSSS
------------------------------
[1.11.3] test aws-node pod event when iam role is missing VPC_CNI policy
  unauthorized event must be raised on aws-node pod
  /Users/ravsushm/go/src/github.com/aws/amazon-vpc-cni-k8s/test/integration/ipamd/ipamd_event_test.go:105
STEP: getting the iam role 08/09/22 10:32:53.513
STEP: detaching VPC_CNI policy and restart aws-node pods 08/09/22 10:32:53.814
STEP: checking aws-node pods not running 08/09/22 10:33:44.627
STEP: attaching VPC_CNI policy and restart aws-node pods 08/09/22 10:33:49.627
STEP: checking aws-node pods are running 08/09/22 10:34:28.062
------------------------------
• [SLOW TEST] [104.551 seconds]
[1.11.3] test aws-node pod event
/Users/ravsushm/go/src/github.com/aws/amazon-vpc-cni-k8s/test/integration/ipamd/ipamd_event_test.go:33
  when iam role is missing VPC_CNI policy
  /Users/ravsushm/go/src/github.com/aws/amazon-vpc-cni-k8s/test/integration/ipamd/ipamd_event_test.go:36
    unauthorized event must be raised on aws-node pod
    /Users/ravsushm/go/src/github.com/aws/amazon-vpc-cni-k8s/test/integration/ipamd/ipamd_event_test.go:105

  Begin Captured GinkgoWriter Output >>
    STEP: getting the iam role 08/09/22 10:32:53.513
    STEP: detaching VPC_CNI policy and restart aws-node pods 08/09/22 10:32:53.814
    STEP: checking aws-node pods not running 08/09/22 10:33:44.627
    STEP: attaching VPC_CNI policy and restart aws-node pods 08/09/22 10:33:49.627
    STEP: checking aws-node pods are running 08/09/22 10:34:28.062
  << End Captured GinkgoWriter Output
------------------------------
SSSSSSSSSSSSSSSS
------------------------------
[AfterSuite] 
/Users/ravsushm/go/src/github.com/aws/amazon-vpc-cni-k8s/test/integration/ipamd/ipamd_suite_test.go:61
STEP: deleting test namespace 08/09/22 10:34:38.073
------------------------------
[AfterSuite] PASSED [6.436 seconds]
[AfterSuite] 
/Users/ravsushm/go/src/github.com/aws/amazon-vpc-cni-k8s/test/integration/ipamd/ipamd_suite_test.go:61

  Begin Captured GinkgoWriter Output >>
    STEP: deleting test namespace 08/09/22 10:34:38.073
  << End Captured GinkgoWriter Output
------------------------------

Ran 1 of 26 Specs in 136.351 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 25 Skipped
PASS | FOCUSED

Automation added to e2e:
N/A, test already present

Will this PR introduce any new dependencies?:
No.

Will this break upgrades or downgrades. Has updating a running cluster been tested?:
No, upgrade from 1.11.2 tested.

Does this change require updates to the CNI daemonset config files to work?:
Yes, updated.

Does this PR introduce any user-facing change?:
No.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sushrk sushrk requested a review from a team as a code owner August 9, 2022 20:54
jayanthvn
jayanthvn approved these changes Aug 9, 2022
View reviewed changes
Copy link
Contributor

@jayanthvn jayanthvn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@jayanthvn
Copy link
Contributor

Since it is just a manifest update, overriding arm64 build.

@jayanthvn jayanthvn merged commit 69fa24f into aws:master Aug 10, 2022
@sushrk sushrk deleted the upd-clusterrole branch August 10, 2022 00:13
@sushrk sushrk mentioned this pull request Aug 10, 2022
Merged
4 tasks
jayanthvn added a commit that referenced this pull request Aug 16, 2022
@jayanthvn @M00nF1sh
@sushrk @Downager @jkroepke @a2ush @dependabot @orsenthil @vikasmb @haouc @abhipth @guikcd @vgunapati @mkarakas
Merge master to Release 1.11 for v1.11.4 release (#2064)
303d5ed 
* 1.10.3 release artifacts (#1962)

* Stale PR and issue cleanup wrkflow (#1964)

* fix image name during build (#1968)

* add event recorder utils to raise aws-node pod events (#1536)

* refactor uploader scripts (#1972)

* Fix cni panic due to pod.Annotations is a nil map (#1974)

Co-authored-by: Relk Li <relk@maicoin.com>

* chart: Add extraVolumes and extraVolumeMounts (#1949)

Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>

* Add the new command in the section of CNI Plugin Sequence (#1813)

Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>

* Bump github.com/containernetworking/cni from 0.8.0 to 0.8.1 (#1966)

Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.8.0 to 0.8.1.
- [Release notes](https://github.com/containernetworking/cni/releases)
- [Commits](containernetworking/cni@v0.8.0...v0.8.1)

---
updated-dependencies:
- dependency-name: github.com/containernetworking/cni
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>

* Update README to highlight containerd.sock edge case with EKS AMI. (#1884)

* Update README to highlight containerd.sock edge case with EKS AMI.

* Updated Instructions as per review.

* add cni release test script (#1971)

* Multus release manifest (#1984)

* release manifest for Multus v3.8.0-eksbuild.1

* minor change to Readme

* Added Tests for validating Multus Installation (#1811)

* Added Tests for validating Multus Installation

Added missing files

Refactored code
Tried to make it modular and extensible.

* Deleted redundant file

* Fixed compilation issues

* fixed minor error

* Added script to trigger Multus tests (will be used by prow job)

* remove multus installation logic from ginkgo

* remove redundant changes

* Cleaned up run-multus-tests helper script

* Updated Readme for running multus tests
Added few checks in canary helper script

* revert changes to canary.sh

* Pass tag as an argument

* Updated Readme

* Updated tag for multus tests to use latest image

* Port new integration tests (#1928)

* Minor changes to run-integration-tests
Added integration-new framework tests

* Modified run-integration-tests to use new integration tests

* reverted redundant changes

* Merge integration with integration-new

* increase timeout (#1985)

fix syntax for ginkgo-v2

* Added configurable flag to create test nodes with arm64 and containerd runtime (#1977)

* Cleanup binary file (#1987)

* log error in ipamd on api server timeout (#1988)

* Refactored code and Added cni addon upgrade/downgrade regression test (#1861)

* Refactored code
Addon upgrade/downgrade test similar to #1795

Added tests for addon upgrade/downgrade

Changed DEFAULT version
Added addon status checks

Fetch latest addon version for given K8s Cluster

Update kops cluster config used in weekly tests (#1862)

* Change to kops cluster creation scripts

* Add logging for retry attempt

* Switch kops cluster to use docker container runtime

Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>

Renamed package name for adddon tests

removed unnecessary changes
Fixed replica count for MTU and Veth test in host networking

Updated ENI/IP limits file for newly added instances (#1864)

* Added new instances

* Updated test readme

* needed rebase

* formatting

* remove all references to integration-new
migrate to ginkgo v2 in addon test files

* fix maxIPPerInterface count on pod_networking_suite

* Increase default deployment ready timeout

Co-authored-by: Vikas Basavaraj <5373156+vikasmb@users.noreply.github.com>

* Remove generation of calico manifests (#1905)

* cni manifest upgrade downgrade test (#1863)

* Added upgrade/downgrade script template

Refactored code
Addon upgrade/downgrade test similar to #1795

Added tests for addon upgrade/downgrade

Changed DEFAULT version
Added addon status checks

Fetch latest addon version for given K8s Cluster

Update kops cluster config used in weekly tests (#1862)

* Change to kops cluster creation scripts

* Add logging for retry attempt

* Switch kops cluster to use docker container runtime

Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>

Added upgrade/downgrade test for custom cni-manifest-file

Added missing files

remove upgrade-downgrade.sh

* Add eks.go file , deleted by mistake

* Extract apply manifest logic in common
Remove redundant code

* Add PD traffic test for cni upgrade downgrade test

* Update golang to Go 1.18 (#1991)

* Update CNI Plugins to v1.1.1 (#1997)

* Update release manifests for VPC CNI v1.11.2 (#2001) (#2002)

* Enable Calico on ARM64 and add configureable flags for Calico installation (#2004)

* Enable Calico on ARM64 and add configureable flags for Calico
installation

* Add v to Calico version in release test script

* fix integration test script (#1998)

* Updated dependencies (#2012)

* Fix readme (#2013)

* Added upgrade/downgrade script template

Refactored code
Addon upgrade/downgrade test similar to #1795

Added tests for addon upgrade/downgrade

Changed DEFAULT version
Added addon status checks

Fetch latest addon version for given K8s Cluster

Update kops cluster config used in weekly tests (#1862)

* Change to kops cluster creation scripts

* Add logging for retry attempt

* Switch kops cluster to use docker container runtime

Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>

Added upgrade/downgrade test for custom cni-manifest-file

Added missing files

remove upgrade-downgrade.sh

* Add eks.go file , deleted by mistake

* Extract apply manifest logic in common
Remove redundant code

* Add PD traffic test for cni upgrade downgrade test

* Updated Readme

* Merge fix-ginkgo to master (#2014)

* fix path failure

* seperate makefile for test

Co-authored-by: abhipth <abhipth@amazon.com>

* Multus manifest for release v3.9.0-eksbuild.1 (#2016)

* Updating new instances - p4de (#2018)

* Updating new instances

* fix formatting

* Fix go build failure with v6 networking suite. (#2020)

* Update README.md (#2021)

* Fix Go build for ipamd test package. (#2023)

* Fix Go build for ipamd test package.

* Fix format with make format

* Fix go build for cni test package. (#2024)

* Prevent allocate/free ENIs when node is marked noSchedule (#1927)

* Prevent allocate/free ENIs when node is marked noSchedule

* Update UTs

* Re-use logger instance (#2029)

* Re-use logger instance

- Existing logger initialization constructed different logger
  instances upon call to Get() method.
- Fixed the initailiation logic to re-use the logger instance.

* Added unit tests for logger initialization fix

* fix addOn version api for beta (#2034)

* Update yaml.v3 package dependency (#2036)

* Update yaml.v3 package dependency

* Increase cpu requests limit (#2038)

- Porting changes from release-1.10 branch made in PR #1749

* fix ipamd integration failures and cleanup (#2039)

* fix integration test failures and cleanup

* README update

* cleanup info logs in event recorder and test script (#2043)

* add nodeSelector to cni-metrics-helper test deployment and update image tag (#2047)

* fix makefile path in canary test script (#2051)

* disable arm build (#2052)

* Updated changelog for 1.11.3 release (#2053)

Co-authored-by: Vikas Basavaraj Mallapura <“5373156+vikasmb@users.noreply.github.com”>

* Updating master branch config files to release 1.11.3 (#2055)

* Updated changelog for 1.11.3 release

* Image tag and chart version update for 1.11.3 release (#2050)

Co-authored-by: Vikas Basavaraj Mallapura <“5373156+vikasmb@users.noreply.github.com”>
(cherry picked from commit ff42a83)

Co-authored-by: Vikas Basavaraj Mallapura <“5373156+vikasmb@users.noreply.github.com”>

* update aws-node clusterrole permissions (#2058)

* Fix minor typo on documentation (#2059)

s/varibales/variables/

* multus manifest for release v3.9.0-eksbuild.2 (#2057)

* Setting AWS_VPC_K8S_CNI_RANDOMIZESNAT to the default value (#2028)

Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>

* Fixing prefixes per ENI value in example (#2060)

Prefixes per ENI in row 6 should be 1 not 3.

Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>

* IPAMD optimizations and makefile changes (#1975)

* IPAMD optimizations and makefile changes

* Minor comments

* Removed IMDS dependency

* fix test

* fix test

* fix test-format

* Updated new instances (#2062)

* Updated new instances

* fix format

Co-authored-by: M00nF1sh <yyyng@amazon.com>
Co-authored-by: Sushmitha Ravikumar <58063229+sushrk@users.noreply.github.com>
Co-authored-by: Relk Li <YiJiun.Li.C@gmail.com>
Co-authored-by: Relk Li <relk@maicoin.com>
Co-authored-by: Jan-Otto Kröpke <github@jkroepke.de>
Co-authored-by: Shuntaro Azuma <azush.work@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Senthil Kumaran <senthilx@amazon.com>
Co-authored-by: cgchinmay <cgadgil@amazon.com>
Co-authored-by: Vikas Basavaraj <5373156+vikasmb@users.noreply.github.com>
Co-authored-by: Hao Zhou <haouc@users.noreply.github.com>
Co-authored-by: abhipth <abhipth@amazon.com>
Co-authored-by: Prasad Jivane <prasad.jivane@walchandsangli.ac.in>
Co-authored-by: Vikas Basavaraj Mallapura <“5373156+vikasmb@users.noreply.github.com”>
Co-authored-by: Guillaume Delacour <guillaume.delacour@gmail.com>
Co-authored-by: Venkata Gunapati <gvsukumar@gmail.com>
Co-authored-by: Muhammed Karakas <karakas@amazon.com>
@rifelpet rifelpet mentioned this pull request Sep 13, 2022
Merged
@moshevayner moshevayner mentioned this pull request Sep 13, 2022
Merged
@dudicoco
Copy link

@sushrk list permissions also grant permissions to get the object contents, just like get permissions: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb

k8s-ci-robot pushed a commit to kubernetes/kops that referenced this pull request Sep 13, 2022
@moshevayner
remove 'get' from aws-cni clusterRole to reflect aws/amazon-vpc-cni-k…
03bc54e 
…8s#2058
hakman pushed a commit to hakman/kops that referenced this pull request Sep 14, 2022
@moshevayner @hakman
remove 'get' from aws-cni clusterRole to reflect aws/amazon-vpc-cni-k…
9c089c7 
…8s#2058
@hakman hakman mentioned this pull request Sep 19, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jayanthvn jayanthvn jayanthvn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sushrk @jayanthvn @dudicoco