Skip to content
This repository has been archived by the owner on Mar 5, 2024. It is now read-only.

Support External ID #255

Closed
wants to merge 2 commits into from
Closed

Support External ID #255

wants to merge 2 commits into from

Conversation

randomvariable
Copy link

@randomvariable randomvariable commented Jun 13, 2019
edited
Loading

Fixes #236

This supports External ID via annotations as per updated readme.

@pingles
Copy link
Contributor

pingles commented Jun 13, 2019

Exciting, thanks for working on this @randomvariable

@harishspqr
Copy link

@pingles Could you please share whats blocking this PR and why the checks have failed ? I am unable to open the details about this failure.

@randomvariable randomvariable changed the title [WIP] - Support External ID Support External ID Jul 24, 2019
@randomvariable
Copy link
Author

@harishspqr I hadn't finished it previously, but have done now via the annotations.

Have had a look to see if we could support external ID via a reference to a secret or some other thing.

One of the issues is that if we leveraged a SecretRef, kiam's server would need RBAC permissions to potentially read all secrets in all namespaces, which is less than ideal.

Could get around this by introducing a new CRD, as in this branch: https://github.com/randomvariable/kiam/tree/external-id-crd
(definition)

Then kiam can have an RBAC policy to be able to inspect only those CRD types.

The approach in the branch is pretty much that of PodSecurityPolicies - read all the IAM CRDs, find the service account of the pod, and find the first IAM object that passes SubjectAccessReview when ordered alphabetically. To finish that branch, someone would need to continue to rework the interfaces and the cache behaviour to make it work. Potentially a big enough change it should be in a different repository.

That said, this PR is ready in terms of a simple extension via an annotation.

@harishspqr
Copy link

@randomvariable Awesome!
Thanks for the details.

@harishspqr
Copy link

@randomvariable Can we create a secret in a particular namespace and create Role that is limited to the secrets resource in that namespace alone ? Is it possible ?

@randomvariable
Copy link
Author

@harishspqr Maybe, if it's done as a SecretReference. I probably won't have any time to do anything like that, but if you want to run with it in a separate PR, feel free.

@danmx
Copy link

danmx commented Aug 12, 2019

@randomvariable are you proposing moving kiam towards an operator?

.gitignore: Add .env
c21e321 
Signed-off-by: Naadir Jeewa <[email protected]>
@randomvariable
Copy link
Author

@pingles @Joseph-Irving I've rebased this on master. Ready for merge.

@randomvariable randomvariable mentioned this pull request Jan 16, 2020
Closed
@randomvariable
Copy link
Author

Replaced by #360

@randomvariable randomvariable deleted the support-external-id branch January 16, 2020 08:58
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

External_ID Support for Cross account IAM Role
4 participants
@randomvariable @pingles @harishspqr @danmx