Advanced Clusters

Create the cluster operator policy

Create an IAM policy for the cluster operator role. Name the policy cluster_operator_policy. The cluster operator policy contains the permissions that the cluster operator role needs to create and manage cloud resources for an advanced cluster. The cluster operator role is sometimes known as the kubeadm role.
The following image shows how the cluster operator policy might appear in the AWS Management Console:

[Image: The AWS Management Console is signed in to the Identity and Access Management (IAM) service. Under Access management, the Policies tab is selected. The summary for the cluster operator policy is open. On the Permissions tab, nine of 315 services are allowed, including EC2, EC2 Auto Scaling, ELB, ELB v2, IAM, KMS, Price List, S3, and STS.]
The JSON document below is a template for the cluster operator role policy. Permissions that are not mandatory are flagged as OPTIONAL.
Be sure to remove the 'OPTIONAL' text from any lines that you are keeping.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketTagging",
        "s3:GetBucketWebsite",
        "s3:GetBucketLogging",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketVersioning",
        "s3:GetReplicationConfiguration",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:GetEncryptionConfiguration",
        "s3:PutBucketTagging",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketCORS",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging",
        "s3:GetBucketLocation",
        "s3:GetObjectVersion",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::discale-qa-east/*",
        "arn:aws:s3:::discale-qa-west/*",
        "arn:aws:s3:::discaleqa/*",
        "arn:aws:s3:::disnext-dev/*",
        "arn:aws:s3:::discale-qa-east",
        "arn:aws:s3:::discale-qa-west",
        "arn:aws:s3:::discaleqa",
        "arn:aws:s3:::disnext-dev"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInternetGateways",
        "ec2:AttachInternetGateway", OPTIONAL
        "ec2:CreateInternetGateway", OPTIONAL
        "ec2:DetachInternetGateway", OPTIONAL
        "ec2:DeleteInternetGateway", OPTIONAL
        "ec2:CreateKeyPair",
        "ec2:ImportKeyPair",
        "ec2:DescribeKeyPairs",
        "ec2:DeleteKeyPair",
        "ec2:CreateRoute", OPTIONAL
        "ec2:DeleteRoute", OPTIONAL
        "ec2:DescribeRouteTables",
        "ec2:CreateRouteTable", OPTIONAL
        "ec2:ReplaceRouteTableAssociation", OPTIONAL
        "ec2:AssociateRouteTable", OPTIONAL
        "ec2:DisassociateRouteTable", OPTIONAL
        "ec2:DeleteRouteTable", OPTIONAL
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcs",
        "ec2:CreateVpc", OPTIONAL
        "ec2:DeleteVpc", OPTIONAL
        "ec2:ModifyVpcAttribute", OPTIONAL
        "ec2:DescribeSubnets",
        "ec2:CreateSubnet", OPTIONAL
        "ec2:DeleteSubnet", OPTIONAL
        "ec2:DescribeSecurityGroups",
        "ec2:CreateSecurityGroup", OPTIONAL
        "ec2:AuthorizeSecurityGroupIngress", OPTIONAL
        "ec2:RevokeSecurityGroupIngress", OPTIONAL
        "ec2:AuthorizeSecurityGroupEgress", OPTIONAL
        "ec2:RevokeSecurityGroupEgress", OPTIONAL
        "ec2:DeleteSecurityGroup", OPTIONAL
        "ec2:CreateTags",
        "ec2:DescribeTags",
        "ec2:DeleteTags",
        "ec2:CreateVolume",
        "ec2:DescribeVolumes",
        "ec2:DeleteVolume",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:TerminateInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateLaunchTemplate",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DeleteLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:DeleteLaunchTemplateVersions",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:DescribeTags",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
        "elasticloadbalancing:AttachLoadBalancerToSubnets",
        "elasticloadbalancing:ConfigureHealthCheck",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "pricing:GetProducts", OPTIONAL
        "iam:GetInstanceProfile",
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:ListInstanceProfiles",
        "iam:SimulatePrincipalPolicy",
        "iam:CreateInstanceProfile", OPTIONAL
        "iam:DeleteInstanceProfile", OPTIONAL
        "iam:CreateRole", OPTIONAL
        "iam:GetRole",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:ListRolePolicies",
        "iam:CreateServiceLinkedRole",
        "iam:DeleteRole", OPTIONAL
        "iam:TagRole", OPTIONAL
        "iam:GetRolePolicy",
        "iam:AddRoleToInstanceProfile", OPTIONAL
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:PutRolePolicy", OPTIONAL
        "iam:AttachRolePolicy", OPTIONAL
        "iam:DetachRolePolicy", OPTIONAL
        "iam:DeleteRolePolicy", OPTIONAL
        "iam:GetUser",
        "kms:DescribeKey", OPTIONAL
        "kms:Get*",
        "sts:AssumeRole", OPTIONAL
        "sts:DecodeAuthorizationMessage" OPTIONAL
      ],
      "Resource": "*"
    }
  ]
}
Add permissions to the template based on your organizational requirements. For information about each permission, see IAM policy reference.
The cluster operator role also requires the following permissions for public Informatica-managed Kubernetes clusters:
{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": [
    "ec2:GetLaunchTemplateData",
    "ec2:ModifyLaunchTemplate",
    "ec2:DescribeLaunchTemplates",
    "ec2:DescribeLaunchTemplateVersions"
  ],
  "Resource": "arn:aws:ec2:*:543463116864:launch-template/*.k8s.local"
}
The actions on Amazon S3 must be specified for all staging, log, and initialization script locations that you provide in advanced configurations.

For example, if you use staging location dev/Staging/, log location dev/Logging/, and initialization script location dev/InitScript/, the policy must list the following resources for actions on Amazon S3:

"Resource": [
  "arn:aws:s3:::dev",
  "arn:aws:s3:::dev/Staging/",
  "arn:aws:s3:::dev/Staging/*",
  "arn:aws:s3:::dev/Logging/",
  "arn:aws:s3:::dev/Logging/*",
  "arn:aws:s3:::dev/InitScript/",
  "arn:aws:s3:::dev/InitScript/*"
]
If you use a different set of staging, log, and initialization script locations in another advanced configuration, you must add those locations as resources to the same policy.
To accommodate S3 locations that change frequently, you can use wildcards. For more information, refer to the AWS documentation.
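The two mechanical steps on this page, turning the OPTIONAL-annotated template into a valid policy document and deriving the S3 Resource entries from a set of staging, log, and initialization script locations, as an added example that is not Informatica's own code. The template excerpt and the `resolve_template` and `s3_resources` helpers are constructed here; `keep_optional=False` is an added option that also drops the flagged permissions, which the page does not require but which gives the narrowest grant.

```python
import json
import re

# Constructed excerpt of the annotated template (not the page's full policy):
# a trailing OPTIONAL marks a permission that is not mandatory.
SAMPLE_TEMPLATE = """{
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeVpcs",
    "ec2:CreateVpc", OPTIONAL
    "kms:Get*",
    "sts:AssumeRole", OPTIONAL
    "sts:DecodeAuthorizationMessage" OPTIONAL
  ],
  "Resource": "*"
}"""

# A permission line followed by OPTIONAL; the comma is absent on a last item.
_OPTIONAL_LINE = re.compile(r'^(\s*"[^"]+",?)\s*OPTIONAL\s*$')

def resolve_template(template_text, keep_optional=True):
    """Parse the annotated template. keep_optional=True only strips the flags,
    as the page instructs; keep_optional=False also drops flagged permissions."""
    kept = []
    for line in template_text.splitlines():
        match = _OPTIONAL_LINE.match(line)
        if match is None:
            kept.append(line)
        elif keep_optional:
            kept.append(match.group(1))
    text = "\n".join(kept)
    # Dropping the last array item leaves a trailing comma that JSON forbids.
    text = re.sub(r",(\s*[\]}])", r"\1", text)
    return json.loads(text)

def s3_resources(locations):
    """Expand locations such as 'dev/Staging/' into the Resource entries the page
    requires: the bucket, each prefix, and everything under each prefix."""
    arns = []
    for location in locations:
        bucket, _, prefix = location.strip("/").partition("/")
        bucket_arn = "arn:aws:s3:::" + bucket
        if bucket_arn not in arns:
            arns.append(bucket_arn)
        if prefix:
            arns.append(f"{bucket_arn}/{prefix}/")
            arns.append(f"{bucket_arn}/{prefix}/*")
    return arns
```

Generating the resource list from the exact locations in use keeps the grant scoped to those prefixes; a wildcard such as `arn:aws:s3:::dev/*` is simpler to maintain but extends the same S3 actions to every object in the bucket.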
