
feat,fix: eks vault iam permissions,eks autoscaler iam role,#808

Merged
jokestax merged 48 commits into main from eks-autoscaler
Oct 16, 2024

Conversation

@jokestax
Contributor

@jokestax jokestax commented Oct 9, 2024

Description

This PR -
1) Narrow down permissions for vault iam role
2) Add role for cluster-autoscaler service account
3) fix: variable gpu in Civo gitlab
4) fix: add service account annotation for kubefirst-pro-api
5) update vault image to v1.14.1 refer

How to test

  /path/to/kubefirst aws create \
    --alerts-email <alerts-email> \
    --github-org <github-org> \
    --cluster-name <cluster-name> \
    --domain-name <domain-name> \
    --gitops-template-branch eks-autoscaler

@jokestax jokestax requested a review from johndietz October 9, 2024 21:14
@jokestax jokestax requested a review from jarededwards October 14, 2024 07:46
@muse-sisay
Contributor

Hi @jokestax,

After our call I dug deeper into why we needed to attach two more policies (in this commit) to the default node group instance profile for Vault to unseal. There was a problem with vault 1.14.0 (the version we use) refer here where it wasn't honoring the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables and fell back to the instance profile. Hence the reason we were getting the following error while vault was starting up:

  Error initializing storage of type dynamodb: AccessDeniedException: User:
  arn:aws:sts::<account_id>:assumed-role/default_node_group-eks-node-group-2024000000000000000000001/i-<instance_id>
  is not authorized to perform: dynamodb:DescribeTable on resource:
  arn:aws:dynamodb:us-east-1:<account_id>:table/vault-backend-<cluster_name>
  because no identity-based policy allows the dynamodb:DescribeTable action
  status code: 400, request id: <request_id>

This was fixed in 1.14.1 as per the issue linked above. But, the Vault role we create has a very permissive permission set 😱.

I see you have added two permission policies with narrowed-down scope (aws_iam_policy.vault_dynamodb and aws_iam_policy.vault_kms) that we can use instead of these two AWS managed policies. I would also try to scope it down to just the resources we create.

  role_policy_arns = {
    dynamo = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
    kms    = "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser",
    vault  = aws_iam_policy.vault_server.arn,
  }

Good work Rishi!
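Two things a reviewer wants to check quickly when this happens: which principal actually made the denied call (the IRSA role annotated on the Vault service account, or the node instance profile it fell back to), and whether the replacement policies are genuinely scoped rather than wildcards. The script below is an added example, not code from the kubefirst gitops-template or from this PR. The error text is a constructed sample modelled on the message quoted above, the account, instance, key and request ids are placeholders, and the "broad" policy is only an approximation of what a full-access managed policy grants (service-wide actions on `Resource: "*"`), not the managed policies' actual text; the DynamoDB and KMS action lists in the scoped policy are illustrative and the authoritative list belongs in the Vault storage-backend and seal documentation.

```python
"""Added example (not from the kubefirst PR): triage an AWS AccessDeniedException
and lint IAM policy documents for wildcard grants."""
import re

# Constructed sample modelled on the error quoted in the PR comment.
# Account id, instance id and request id are placeholders.
SAMPLE_ERROR = (
    "Error initializing storage of type dynamodb: AccessDeniedException: User: "
    "arn:aws:sts::111111111111:assumed-role/"
    "default_node_group-eks-node-group-2024000000000000000000001/i-0abc123 "
    "is not authorized to perform: dynamodb:DescribeTable on resource: "
    "arn:aws:dynamodb:us-east-1:111111111111:table/vault-backend-demo "
    "because no identity-based policy allows the dynamodb:DescribeTable action "
    "status code: 400, request id: 00000000-0000-0000-0000-000000000000"
)

# Matches the "User: <sts arn> is not authorized to perform: <action> on resource: <arn>"
# shape of an AccessDenied message and captures the role name out of the STS ARN.
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:sts::\d+:assumed-role/(?P<role>[^/]+)/\S+) "
    r"is not authorized to perform: (?P<action>[\w-]+:[\w*]+) "
    r"on resource: (?P<resource>arn:\S+)"
)


def parse_access_denied(message, expected_role):
    """Extract principal, role, action and resource from an AccessDenied message.

    expected_role is the IRSA role the workload should be using; if the denied
    call came from any other role (e.g. the node group instance profile), the
    workload's web-identity credentials were not picked up.
    Returns None when the message does not have the expected shape."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        return None
    info = m.groupdict()
    info["fell_back_to_instance_profile"] = info["role"] != expected_role
    return info


def _listify(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return a list of findings for Allow statements with wildcard actions
    or wildcard resources; an empty list means every grant is explicit."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _listify(st.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _listify(st.get("Resource", [])):
            if "*" in resource:
                findings.append(f"statement {i}: wildcard resource {resource}")
    return findings


# Constructed approximation of a full-access grant: service-wide actions on
# every resource. Not the text of the AWS managed policies themselves.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["kms:CreateKey", "kms:Describe*", "kms:Get*", "kms:List*"],
     "Resource": "*"},
]}

# Scoped alternative: only the backend table and unseal key this cluster creates.
# Action lists are illustrative; take the authoritative set from the Vault docs.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem",
                "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:Query",
                "dynamodb:Scan", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:111111111111:table/vault-backend-demo"},
    {"Effect": "Allow",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
     "Resource": "arn:aws:kms:us-east-1:111111111111:key/"
                 "00000000-0000-0000-0000-000000000000"},
]}

if __name__ == "__main__":
    # "vault-demo-irsa-role" is a placeholder for the IRSA role name.
    print(parse_access_denied(SAMPLE_ERROR, "vault-demo-irsa-role"))
    print("broad :", lint_policy(BROAD_POLICY))
    print("scoped:", lint_policy(SCOPED_POLICY))
```

For the sample error the parser reports the node-group role as the caller and flags the fallback, which is the symptom described above; the linter reports six wildcard findings for the broad policy and none for the scoped one, so it can sit in CI as a cheap guard against a full-access ARN creeping back into `role_policy_arns`.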

@jokestax
Contributor Author

jokestax commented Oct 16, 2024

@muse-sisay ohh but I can't find a vault helm chart where it installs 1.14.1 ;-;

@jokestax jokestax requested a review from muse-sisay October 16, 2024 21:38
@jokestax jokestax changed the title from "feat: eks autoscaler" to "feat,fix: eks vault iam permissions,eks autoscaler iam role," Oct 16, 2024
@jokestax jokestax merged commit cabe41a into main Oct 16, 2024
@jokestax jokestax deleted the eks-autoscaler branch October 16, 2024 21:50
jokestax added a commit that referenced this pull request Oct 16, 2024
* add eks cluster autoscaler

* add cluster autoscaler name

* add policy for default node group

* add cluster autoscaler policy

* attach more policies

* add support for gitlab

* feat: kubefirst pro chart (#807)

* set next macro chart for kubefirst - 2.6.2-rc9

* set next macro chart for kubefirst - 2.6.2-rc10

* set next macro chart for kubefirst - 2.6.2-rc11

* set next macro chart for kubefirst - 2.6.2-rc12

* set next macro chart for kubefirst - 2.6.2-rc13

* set next macro chart for kubefirst - 2.6.2-rc14

* set next macro chart for kubefirst - 2.6.2-rc15

* set next macro chart for kubefirst - 2.6.2-rc16

* set next macro chart for kubefirst - 2.6.2-rc17

* set next macro chart for kubefirst - 2.6.2-rc18

* set next macro chart for kubefirst - 2.6.2-rc19

* set next macro chart for kubefirst - 2.6.2-rc20

* set next macro chart for kubefirst - 2.6.2-rc21

* set next macro chart for kubefirst - 2.6.2-rc22

* fix: wait label (#809)

* set next macro chart for kubefirst - 2.6.2-rc23

* set next macro chart for kubefirst - 2.6.2-rc24

* set next macro chart for kubefirst - 2.6.2-rc25

* set next macro chart for kubefirst - 2.6.2-rc26

* set next macro chart for kubefirst - 2.6.2-rc27

* set next macro chart for kubefirst - 2.6.2-rc28

* add gpu and ollama

* add civo ai and ollama

* feat:add ai for gitlab

* add inline ingress and rename ai to gpu

* add sync wave

* fix gpu template

* change k8s version

* add comma

* fix name

* fix irsa for pro api

* add annotation for api

* edit structure of policy

* fix gpu gitlab

* scope down permission policy for vault sa

* fix: update vault version 1.14.1

hashicorp/vault#21478

* add comma

* feat: create irsa for cluster-autoscaler

* add pro to api sa

* add pro to api sa

---------

Co-authored-by: Cristhian Fernández <CristhianF7@gmail.com>
Co-authored-by: konstruct-bot <konstruct-bot@konstruct.io>