Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get rid of eksctl produced cloud-user-sa #3273

Closed
2 of 11 tasks
yuvipanda opened this issue Oct 16, 2023 · 7 comments · Fixed by #3842
Closed
2 of 11 tasks

Get rid of eksctl produced cloud-user-sa #3273

yuvipanda opened this issue Oct 16, 2023 · 7 comments · Fixed by #3842
Labels
allocation:internal-eng nominated-to-be-resolved-during-q4-2023 Nomination to be resolved during q4 goal of reducing the technical debt

Comments

@yuvipanda
Copy link
Member

yuvipanda commented Oct 16, 2023
edited
Loading

The following three hubs use a cloud-user-sa service account provisioned by eksctl to give hub users full S3 access:

  • uwhackweeks
  • carbonplan
  • openscapes

This predates our more modern terraform based service accounts. We should get rid of these eksctl generated accounts and bring these hubs in line with the rest.

Action items

Stop using the cloud-user-sa service account

  • Stop using cloud-user-sa serviceaccount by removing jupyterhub.singleuser.serviceAccountName under config/clusters/openscapes/common.yaml. Make a PR, get this deployed.
  • Test to make sure you can still access $SCRATCH_BUCKET S3 bucket, by running aws s3 ls $SCRATCH_BUCKET in a jupyterlab terminal in the hub. This should not error out.

Remove the IAM service account from AWS

  • Render the .jsonnet file into a .yaml file with the jsonnet command in https://infrastructure.2i2c.org/hub-deployment-guide/new-cluster/aws/#create-and-render-an-eksctl-config-file
  • Delete the iamserviceaccount with eksctl delete iamserviceaccount -f openscapes.eksctlyaml --name cloud-user-rsa
  • Repeat the test from earlier to make sure that aws s3 ls $SCRATCH_BUCKET still works inside a terminal in the jupyterhub.
  • Remove namespaces variable in eksctl/openscapes.jsonnet
  • Remove iam.serviceAccounts in the main cluster definition in eksctl/opencsapes.jsonnet
  • Make this into a PR, get it merged

Celebrate

This is a celebration of the fact that we've been serving openscapes so long that they're using deprecated features! When done, we can close this issue :)
@yuvipanda yuvipanda added the nominated-to-be-resolved-during-q4-2023 Nomination to be resolved during q4 goal of reducing the technical debt label Oct 16, 2023
@consideRatio
Copy link
Contributor

consideRatio commented Oct 19, 2023
edited
Loading

uwhacksweeks is removed already via #2173, I opened #3291 to finalize the cleanup.

Related code

infrastructure/eksctl/carbonplan.jsonnet

Lines 70 to 82 in 682ef1f

iam: {
withOIDC: true,
serviceAccounts: [{
metadata: {
name: "cloud-user-sa",
namespace: namespace
},
attachPolicyARNs:[
"arn:aws:iam::aws:policy/AmazonS3FullAccess"
],
} for namespace in namespaces],
},

Issue scope question

@yuvipanda is the issue's scope narrowed specifically to replace how the permissions are granted? Currently carbonplan and openscapes has arn:aws:iam::aws:policy/AmazonS3FullAccess which includes permission for them to create their own buckets etc.

A wider scope could include:

  • setup of scratch buckets
  • reducing permissions granted (to not create/manage their own buckets, but only scratch buckets for example)

I suggest we avoid the expanded issue scope of also reducing permissions - as it requires community engagement as well, possibly making us blocked.

@yuvipanda
Copy link
Member Author

@consideRatio makes sense to just have it be 'remove cloud-user-sa and replicate it in terraform`.

@consideRatio consideRatio moved this from Needs Shaping / Refinement to Ready to work in DEPRECATED Engineering and Product Backlog Oct 19, 2023
@GeorgianaElena
Copy link
Member

makes sense to just have it be 'remove cloud-user-sa and replicate it in terraform`

@yuvipanda, by "replicate it in terraform", do you mean replicate the buckets in https://s3.console.aws.amazon.com/s3/buckets?region=us-east-1# for example (carbonplan) in the terraform config?

If so, I understand that the the service account that we create via terraform will not have full access to the buckets like the old cloud-user-sa. Is this correct?

Do we wish to retain such access for the existing buckets to not introduce a breaking change? If so, should extra_iam_policy be enough?

Also, @consideRatio said "arn:aws:iam::aws:policy/AmazonS3FullAccess which includes permission for them to create their own buckets etc." Do we wish to retain such permission in the future? Is this possible via our current terraform infra or do we need to tweak it to allow this.

I am trying to understand how complicated it would be to could get rid of cloud-user-sa together with #3224. Thank you!

@yuvipanda
Copy link
Member Author

@GeorgianaElena yeah, we would have to communicate with the affected communities about it. Primary differences would be that they would not be able to create buckets, and there may be a change in how they can access buckets in other projects as well (am no sure).

I don't think this should be resolved along with #3224, that is a big enough project by itself I think.

@GeorgianaElena
Copy link
Member

I don't think this should be resolved along with #3224, that is a big enough project by itself I think.

Ok, makes sense! Thanks @yuvipanda!

@GeorgianaElena GeorgianaElena mentioned this issue Nov 13, 2023
Closed
4 tasks
@yuvipanda yuvipanda mentioned this issue Feb 3, 2024
Closed
@yuvipanda
Copy link
Member Author

This can just simply be removed, as they are currently not using this functionality at all.

@yuvipanda
Copy link
Member Author

I've updated this issue with action items left to do very specifically.

@yuvipanda yuvipanda mentioned this issue Feb 13, 2024
Open
yuvipanda added a commit to yuvipanda/pilot-hubs that referenced this issue Mar 25, 2024
@yuvipanda
Remove use of cloud-user-sa from openscapes hub
9513b56 
Without this, 2i2c-org#3694
does not quite take, as the `user-sa` service account is not
attached to the user pod.

This unifies all our infrastructure so nobody is using service
accounts created by `eksctl`. Since openscapes is *just about*
to start using S3, this is a good time to make sure it's
set up in a standard way.

Fixes 2i2c-org#3273
@yuvipanda yuvipanda mentioned this issue Mar 25, 2024
Merged
yuvipanda added a commit to yuvipanda/pilot-hubs that referenced this issue Mar 25, 2024
@yuvipanda
Remove use of cloud-user-sa from openscapes hub
cfd5ac1 
Without this, 2i2c-org#3694
does not quite take, as the `user-sa` service account is not
attached to the user pod.

This unifies all our infrastructure so nobody is using service
accounts created by `eksctl`. Since openscapes is *just about*
to start using S3, this is a good time to make sure it's
set up in a standard way.

Fixes 2i2c-org#3273
@github-project-automation github-project-automation bot moved this from Ready to work to Complete in DEPRECATED Engineering and Product Backlog Mar 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
allocation:internal-eng nominated-to-be-resolved-during-q4-2023 Nomination to be resolved during q4 goal of reducing the technical debt
Projects
No open projects
DEPRECATED Engineering and Product Backlog
Status: Complete
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove use of cloud-user-sa from openscapes hub yuvipanda/pilot-hubs
3 participants
@yuvipanda @consideRatio @GeorgianaElena