Add variables needed to access prow-build-cluster on EKS #28951
Conversation
Signed-off-by: Marko Mudrinić <[email protected]>
k8s-ci-robot
added
cncf-cla: yes
|
/lgtm |
k8s-ci-robot
added
do-not-merge/hold
|
This change has no effect till a kubeconfig that is accessing an EKS cluster is loaded |
| @@ -64,6 +64,13 @@ spec: | |||
| # Use KUBECONFIG envvar rather than --kubeconfig flag in order to provide multiple configs to merge. | |||
| - name: KUBECONFIG | |||
| value: "/etc/kubeconfig/config:/etc/kubeconfig-build-test-infra-trusted/kubeconfig:/etc/kubeconfig-build-k8s-prow-builds/kubeconfig:/etc/kubeconfig-build-rules-k8s/kubeconfig" | |||
| # AWS_ variables needed to assume role to access the prow-build-cluster EKS cluster. | |||
| - name: AWS_ROLE_ARN | |||
| value: arn:aws:iam::468814281478:role/Prow-EKS-Admin | |||
There was a problem hiding this comment.
Not for me to judge what is acceptable here, but seems like this could be locked down a bit.
There was a problem hiding this comment.
If you mean not sharing it publicly, that would be more complicated and we also share ARNs for other stuff for some other jobs and components, so it shouldn't be an issue.
There was a problem hiding this comment.
I'd have to dig through the code to see what permissions Prow-EKS-Admin has, but it just seems like deck, hook, etc might not need full root typer permissions. If that has been working in the past, it probably isn't an issue though.
There was a problem hiding this comment.
The tokens used by Prow to access build clusters have always been a service account bound to the cluster-admin role(I agree it is overprivileged).
I have configured it to do the same thing, that role will have cluster-admin permissions.
https://docs.prow.k8s.io/docs/build-clusters/
https://docs.prow.k8s.io/docs/getting-started-deploy/#run-test-pods-in-different-clusters
|
I am not familiar with AWS so maybe @TerryHowe comment needs addressing (although I do not know what is meant by locking down these values). /lgtm |
|
@listx: GitHub didn't allow me to request PR reviews from the following users: is, oncall, who. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Signed-off-by: Marko Mudrinić <[email protected]>
k8s-ci-robot
removed
the
lgtm
|
+1 Deferring LGTM to @chases2. |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjwagner, dims, upodroid, xmudrii The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/unhold |
k8s-ci-robot
removed
the
do-not-merge/hold
This PR adds environment variables, volume mounts, and volumes to the needed Prow components to access the
prow-build-clusteron EKS.Part of kubernetes/k8s.io#4686
/assign @upodroid @BenTheElder @ameukam @dims