
modules/iam-role-for-service-accounts-eks - wrong condition string in IAM policy for EBS driver #325

Closed
prysmakou-sa opened this issue Jan 12, 2023 · 5 comments


@prysmakou-sa
Contributor

Description

The condition string for the DeleteVolume action has changed in the example policy of the aws-ebs-csi-driver and in the (AWS managed) AmazonEBSCSIDriverPolicy.

It must be:

```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:DeleteVolume"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
    }
  }
}
```

compare it to the current:

```hcl
statement {
  actions   = ["ec2:DeleteVolume"]
  resources = ["*"]

  condition {
    test     = "StringLike"
    variable = "ec2:ResourceTag/kubernetes.io/cluster/*"
    values   = ["owned"]
  }
}
```

EKS 1.23

aws-ebs-csi-driver-2.11.1 chart (the driver version 1.11.3)

Steps to reproduce

create PVC following https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/examples/kubernetes/dynamic-provisioning

Delete the resources

Expected behavior

Volume deletion without errors

Actual behavior

EBS controller logs like "DeleteDisk could not delete volume: UnauthorizedOperation: You are not authorized to perform this operation."

Example tags: [screenshot of the volume's tags, 2023-01-12]

@prysmakou-sa prysmakou-sa changed the title Wrong condition string in IAM policy for EBS driver modules/iam-role-for-service-accounts-eks - wrong condition string in IAM policy for EBS driver Jan 12, 2023
@prysmakou-sa
Contributor Author

For the sake of truth, I'm able to reproduce the error only on some of my clusters. But the policy in this repo is definitely different from what we have in the AWS managed policy and from what we can find in the example policy in the aws-ebs-csi-driver repo (they also use it for testing purposes).
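To make the difference between the two conditions concrete, here is an added illustration (not code from the issue, the module or the CSI driver): a deliberately simplified model of IAM `StringLike` evaluation over `ec2:ResourceTag/<key>` keys, run against constructed tag sets. It shows that a volume carrying only the `kubernetes.io/created-for/pvc/*` tags is denied by the module's condition but allowed by the upstream one, while a volume that also carries a `kubernetes.io/cluster/<name>=owned` tag passes both; real IAM wildcard handling in condition key names is stricter than this glob model.

```python
import fnmatch

# The two StringLike conditions quoted in the issue: condition key -> allowed value patterns.
MODULE_CONDITION = {"ec2:ResourceTag/kubernetes.io/cluster/*": ["owned"]}
UPSTREAM_CONDITION = {"ec2:ResourceTag/kubernetes.io/created-for/pvc/name": ["*"]}


def string_like_allows(condition: dict, tags: dict) -> bool:
    """Simplified model of an IAM StringLike condition over ec2:ResourceTag/<key>.

    Every condition key must be satisfied: some tag key must match the pattern
    after 'ec2:ResourceTag/' and its value must match one of the allowed
    patterns (case-sensitive glob). Illustration only; real IAM is stricter
    about wildcards inside condition key names.
    """
    for cond_key, allowed in condition.items():
        key_pattern = cond_key.removeprefix("ec2:ResourceTag/")
        values = [v for k, v in tags.items() if fnmatch.fnmatchcase(k, key_pattern)]
        if not values:
            return False  # no tag matched the key: the condition is not met
        if not any(fnmatch.fnmatchcase(v, p) for v in values for p in allowed):
            return False
    return True


def delete_volume_decision(tags: dict) -> dict:
    """Whether ec2:DeleteVolume would be allowed under each condition for these tags."""
    return {
        "module_policy": string_like_allows(MODULE_CONDITION, tags),
        "upstream_policy": string_like_allows(UPSTREAM_CONDITION, tags),
    }


# Constructed tag sets for the demonstration (not taken from the issue's screenshot).
PVC_ONLY_TAGS = {
    "kubernetes.io/created-for/pvc/name": "ebs-claim",
    "kubernetes.io/created-for/pvc/namespace": "default",
    "CSIVolumeName": "pvc-example",
}
CLUSTER_OWNED_TAGS = {**PVC_ONLY_TAGS, "kubernetes.io/cluster/demo": "owned"}

if __name__ == "__main__":
    for name, tags in (("pvc-only", PVC_ONLY_TAGS), ("cluster-owned", CLUSTER_OWNED_TAGS)):
        print(name, delete_volume_decision(tags))
```

The "pvc-only" case is the one that yields the UnauthorizedOperation error quoted above under the module's policy; the same tags are accepted once the condition tracks the upstream `created-for/pvc/name` key.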

@bryantbiggs
Member

Yes, it should be updated since the upstream policy was updated (what we intended to track) kubernetes-sigs/aws-ebs-csi-driver#1450

@github-actions

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Feb 12, 2023
@github-actions

This issue was automatically closed because of stale in 10 days

@github-actions github-actions bot closed this as not planned (stale) Feb 23, 2023
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 25, 2023