controller.tags does not work with AmazonEFSCSIDriverPolicy #1335
Comments
Hi @emboss64 , we cannot modify the AmazonEFSCSIDriverPolicy policy to allow arbitrary tags on the access point. This could be a security risk and lead to privilege escalation, as tags are often used for controlling access to resources. If you choose to do this, you'll need to create a separate policy.
I know, that's why I suggested adding proper documentation that adding tags also requires the use of an additional policy
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
/kind bug
What happened?
When deploying the latest version of the helm chart (probably happening with any other version as well) and specifying any additional tags for `controller.tags`, these tags are added to the AccessPoint. As the `AmazonEFSCSIDriverPolicy` only allows `elasticfilesystem:TagResource` and `elasticfilesystem:CreateAccessPoint` for the tag `efs.csi.aws.com/cluster`, you get an AccessDenied. If you then add an additional custom policy to the role with the following permissions it works:
What you expected to happen?
Make the policy allow these actions or document the need for a custom policy if tags are specified
How to reproduce it (as minimally and precisely as possible)?
Just add a custom tag to the controller:
Please also attach debug logs to help us better diagnose
In the pod you get:
In cloudtrail for the
CreateAccessPoint
event you get: and once you sort that out, you get:
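An added example of the kind of separate, scoped policy the maintainer refers to (this is not the project's own policy and not the permissions the reporter attached). It keeps the managed policy's requirement that the request carries the `efs.csi.aws.com/cluster` tag (assumed value `true`, which is what the driver sets) and uses `aws:TagKeys` to restrict the extra tags to an explicit allow-list, so the role cannot attach arbitrary tags that other policies may key on; `team` and `cost-center` are placeholder tag keys, and `Resource` should be narrowed to the file system ARNs the cluster actually uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessPointCreationWithAllowListedTags",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:CreateAccessPoint",
        "elasticfilesystem:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/efs.csi.aws.com/cluster": "true"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "efs.csi.aws.com/cluster",
            "team",
            "cost-center"
          ]
        }
      }
    }
  ]
}
```

Any `controller.tags` key outside the `aws:TagKeys` list still fails with AccessDenied, which is the intended behaviour: extending the list is an explicit, reviewable change rather than an open-ended tagging grant.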