Reputation: 19402
kubernetes: kops and IAMFullAccess policy
According to documentation of both kops and aws, the dedicated kops user needs IAMFullAccess permission to operate properly.
Why is this permission needed?
Is there a way to avoid (i.e. restrict) this, given that it is a bit too intrusive to create a user with such a permission?
edit: one could assume that the specific permission is needed to attach the respective roles to the master(s) and node(s) instances;
therefore perhaps the question / challenge becomes how to:
- not use
IAMFullAccess - sync with the node creation / bootstrapping process and attach the above roles; (perhaps create a cluster on pre-configured instances? - no idea if kops provides for that)
Upvotes: 3
Views: 447
Answers (1)
Reputation: 3273
As far as I understand kops design, it's meant to be end to end tool for provisioning you with k8s clusters. If you want to provision your nodes separately and deploy k8s on them I would suggest to use other tool, such as kubespray or kubeadm:
https://github.com/kubernetes-incubator/kubespray
https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/
Upvotes: 1
Related Questions
- Kubernetes ingress in AWS
- eks iam roles for services account not working
- kubectl : error: You must be logged in to the server (Unauthorized)
- Access remote EKS cluster from an EKS pod, using an assumed IAM role
- deployment of the pod in the aws kops cluster
- AWS EKS - Create cluster minimum IAM permissions (AccessDenied)
- aws-iam-authenticator & EKS
- Allow kubernetes application to access other AWS resources?
- Kubernetes Service Access in AWS
- Kubernetes on AWS using Kops - kube-apiserver authentication for kubectl