Conversation

@mdzraf
Member

@mdzraf mdzraf commented Dec 11, 2025

What type of PR is this?

Testing CI with Minimal Policy & review new proposed minimal policy.

Manual Tests Completed:

* Create Volume (With Tags)
* Modify Volume (Changed volume type, iops, and deleted tag)
* Attach Volume
* Detach Volume
* Delete Volume 
* Resize Volume
* Create Snapshot From Volume (snapshot with tags, and FSR enabled)
* Restore Volume From Snapshot
* Delete snapshot
* Copy Volume (with tags)
* Create Snapshot with Lock
* Cannot Create/consume PV from pre-existing volume
* Can create/consume PV from pre-existing volume that had tags manually added

@k8s-ci-robot
Contributor

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Dec 11, 2025
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Dec 11, 2025
@github-actions

github-actions bot commented Dec 11, 2025

Code Coverage Diff

This PR does not change the code coverage

@mdzraf mdzraf force-pushed the minimalPolicyChanges branch from 7275322 to 84e80d8 Compare December 11, 2025 16:59
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
Member Author

We do not actually call this anywhere in the driver besides in a testing function that does not actually need it:

mockEC2.EXPECT().DescribeTags(gomock.Any(), gomock.Any()).Return(&ec2.DescribeTagsOutput{}, nil).AnyTimes()

So I have removed it from the policy.

Comment on lines 7 to 13
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVolumeStatus"
Member Author

These calls have * permissions because they only have ec2:Region as an allowed condition key; therefore we cannot pass in any condition key that would clearly identify a resource managed by the driver (i.e. tags on the resource). See: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html

Member Author

Only made changes here to test CI, feel free to skip review.

Member Author

Only made changes here to test CI, feel free to skip review.

Comment on lines 55 to 107
"Effect" : "Allow",
"Action" : [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource" : "arn:aws:ec2:*:*:instance/*"
},
Member Author

Necessary for the EBS CSI Driver to perform the privileged task of attaching/detaching volumes on a host on behalf of the user.
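The two review comments above (Describe* calls that can only be granted on Resource "*", and Attach/Detach scoped to an instance ARN) amount to a least-privilege rule that can be checked mechanically. The following linter is an added example, not part of this PR or the driver's tooling; the sample policy is constructed from the fragments quoted in the review, with one deliberately over-broad statement so the check has something to flag.

```python
"""Least-privilege lint for an IAM policy document (added example).

Flags Allow statements that grant Resource "*" for anything other than
read-only ec2:Describe* actions, which is the only class of action the
review above justifies leaving unscoped.
"""
import json
import re

# Constructed sample modelled on the policy fragments quoted in the review.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeAvailabilityZones", "ec2:DescribeInstances",
                    "ec2:DescribeSnapshots", "ec2:DescribeVolumes",
                    "ec2:DescribeVolumesModifications", "ec2:DescribeVolumeStatus"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
         "Resource": "arn:aws:ec2:*:*:instance/*"},
        # Deliberately over-broad statement (constructed) for the linter to catch.
        {"Effect": "Allow", "Action": "ec2:DeleteVolume", "Resource": "*"},
    ],
})

# Read-only EC2 actions that the review accepts on an unscoped resource.
READ_ONLY = re.compile(r"^ec2:Describe[A-Za-z]+$")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy_json):
    """Return (statement_index, action) pairs where a non-Describe action
    is allowed on Resource "*". Wildcard actions such as ec2:* are flagged too."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not READ_ONLY.match(action):
                findings.append((i, action))
    return findings


if __name__ == "__main__":
    for idx, action in find_wildcard_grants(SAMPLE_POLICY):
        print(f'statement {idx}: {action} is allowed on Resource "*"')
```

Running it against a real policy file is a matter of passing the file's contents instead of SAMPLE_POLICY; NotAction/NotResource statements are not handled and should be reviewed by hand.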

@mdzraf
Member Author

mdzraf commented Dec 12, 2025

/retest

Trying to see if it was a flake, the pre-provisioned tests should all pass since we actually do add the required tags.

@mdzraf mdzraf force-pushed the minimalPolicyChanges branch from 84e80d8 to fc23e74 Compare December 12, 2025 16:28
@mdzraf mdzraf force-pushed the minimalPolicyChanges branch from fc23e74 to 6240ca8 Compare December 12, 2025 20:35
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Dec 12, 2025
@mdzraf mdzraf force-pushed the minimalPolicyChanges branch from 6240ca8 to 43c91d9 Compare December 16, 2025 19:02
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 8, 2026
Member

@ElijahQuinones ElijahQuinones left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 16, 2026
@k8s-ci-robot
Contributor

This PR has multiple commits, and the default merge method is: merge.
You can request commits to be squashed using the label: tide/merge-method-squash

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 2, 2026
@k8s-ci-robot
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from elijahquinones. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Feb 2, 2026
@mdzraf mdzraf force-pushed the minimalPolicyChanges branch from b0c8909 to c938b47 Compare February 2, 2026 19:23
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Feb 2, 2026
@mdzraf
Member Author

mdzraf commented Feb 2, 2026

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 2, 2026
@mdzraf mdzraf force-pushed the minimalPolicyChanges branch from c938b47 to 234896f Compare February 5, 2026 21:16