K
Q

kubernetes: kops and IAMFullAccess policy

1/5/2018

According to documentation of both kops and aws, the dedicated kops user needs IAMFullAccess permission to operate properly.

Why is this permission needed?

Is there a way to avoid (i.e. restrict) this, given that it is a bit too intrusive to create a user with such a permission?

edit: one could assume that the specific permission is needed to attach the respective roles to the master(s) and node(s) instances;

therefore perhaps the question / challenge becomes how to:

  • not use IAMFullAccess
  • sync with the node creation / bootstrapping process and attach the above roles; (perhaps create a cluster on pre-configured instances? - no idea if kops provides for that)
-- pkaramol
amazon-web-services
kops
kubernetes

Similar Questions

Global variable not affecting values.yaml file in helm chart of Kubernetes (passing secretName and Domain Name from CLI)
Heapster : Unauthorised, grafana: unauthorised
When a Kubernetes service is created, which one among these watchers is called first 'kube proxy' or 'a custom watcher'
kubectl apply vs kubectl roll-update

1 Answer

1/5/2018

As far as I understand kops design, it's meant to be end to end tool for provisioning you with k8s clusters. If you want to provision your nodes separately and deploy k8s on them I would suggest to use other tool, such as kubespray or kubeadm:

https://github.com/kubernetes-incubator/kubespray

https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/

-- Nebril
Source: StackOverflow