Supporting Parameter to Assume Role in Storage Class Definition

[sarguru]

Problem

Currently, EBS CSI controller has a 1-1 mapping between the SA account and AWS IAM role used for the API operations i.e, all the API operations for the Controller happens using this single role (or credentials supplied alternatively). This is a problem, when different storage classes need to have tighter permission boundaries. The following are some of the use-cases where this problem might arise

• Two storage classes use two different KMS Key IDs but the permission to access them are restricted to only 1 role per Key ID.
• There is a shared/central controller for several Kubernetes clusters and each of the Kubernetes cluster has security requirement to use distinct IAM roles so that the volumes aren't accessible by each other.

Potential Solution

Supporting assumeRoleARN as a parameter along with kmsKeyID and using the mentioned role for operations pertinent to the given storage class definiton.
Eg:

---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: enc-ebs-gp3-3
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
parameters:
  type: gp3
  encrypted: 'true'
  kmsKeyId: arn:aws:kms:eu-west-1:0123456:key/abcd-1234-efgh-abcd-123456
  assumeRoleARN: arn:aws:iam::0123456:role/ebs-csi-controller-role-1

Alternative Considered

Running multiple controllers in a single cluster but couldn't find much information about this and prior art of doing this.

[sarguru]

/kind feature

[gtxu]

Hi @sarguru Can we have a specific use case for different KMS Key IDs access with two roles? Thank you!

[gnufied]

Will this need different STS token for those different roles also?

(also waves )

[sarguru]

Hi @gtxu !

One of the sample scenarios can be

• Teams A & B share the Kubernetes Cluster
• There are two CMKs (with distinct KeyID/ARNs) each owned by a different team (one by A and one by B in this case).
• Team A has stricter security standards which requires them to not share access to their CMKs with others and use distinct restrictive roles.
• In the current scheme of things, both teams A & B will have to allow access to their keys to role X (the role used by the CSI driver).
• In the potential solution proposed A can satisfy their security requirement by granting access to only role Y which is uniquely mapped to them and later use that in the storage class, while team B can grant access to role Z ( a different one) or X based on their individual requirement.
• This tighter security is one specific use case.

@gnufied (👋 s back!) I believe we will need different set of STS tokens for each role (depending on the storage class definition) if my understanding is correct.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[ConnorJC3]

/remove-lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten