document and minimize IAM rule policy for CSI (#19)

We document the minimal IAM rule policy needed for the CSI to operate. Co-authored-by: Arnaud Geiser <[email protected]>
exoscale · Mar 7, 2024 · f40ebce · f40ebce
1 parent 96b5084
commit f40ebce
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@
 *.dll
 *.so
 *.dylib
+/bin
 
 # Test binary, built with `go test -c`
 *.test

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 * go.mk: remove submodule and initialize through make #15
 * integ-tests: use IAMv3 API key #13 
+* document and minimize IAM rule policy for CSI #19 
 
 ## 0.29.2
 

diff --git a/README.md b/README.md
@@ -6,7 +6,25 @@ Exoscale Block Storage Container Storage Interface Driver.
 
 * Make sure you have the [CCM](https://github.com/exoscale/exoscale-cloud-controller-manager) deployed and running in your cluster.
 
-* Create secret with [exoscale-secret.sh](./deployment/exoscale-secret.sh).
+* An API key associated to an IAM role with at least those permissions:
+``` json
+{
+  "default-service-strategy": "deny",
+  "services": {
+    "compute": {
+      "type": "rules",
+      "rules": [
+        {
+          "expression": "operation in ['list-zones', 'get-block-storage-volume', 'list-block-storage-volumes', 'create-block-storage-volume', 'delete-block-storage-volume', 'attach-block-storage-volume-to-instance', 'detach-block-storage-volume', 'update-block-storage-volume-labels', 'resize-block-storage-volume', 'get-block-storage-snapshot', 'list-block-storage-snapshots', 'create-block-storage-snapshot', 'delete-block-storage-snapshot']",
+          "action": "allow"
+        },
+      ]
+    }
+  }
+}
+```
+
+* Create a kubernetes secret for the API key with [exoscale-secret.sh](./deployment/exoscale-secret.sh).
     ```Bash
     export EXOSCALE_API_KEY=EXOxxxxx
     export EXOSCALE_API_SECRET=xxxxx

diff --git a/internal/integ/cluster/utils.go b/internal/integ/cluster/utils.go
@@ -226,8 +226,14 @@ func (c *Cluster) applyCSI() error {
 			return err
 		}
 
-		allow := exov2.IAMPolicyService{
-			Type: ptr("allow"),
+		onlyAllowBlockStorageOperations := exov2.IAMPolicyService{
+			Type: ptr("rules"),
+			Rules: []exov2.IAMPolicyServiceRule{
+				exov2.IAMPolicyServiceRule{
+					Action:     ptr("allow"),
+					Expression: ptr("operation in ['list-zones', 'get-block-storage-volume', 'list-block-storage-volumes', 'create-block-storage-volume', 'delete-block-storage-volume', 'attach-block-storage-volume-to-instance', 'detach-block-storage-volume', 'update-block-storage-volume-labels', 'resize-block-storage-volume', 'get-block-storage-snapshot', 'list-block-storage-snapshots', 'create-block-storage-snapshot', 'delete-block-storage-snapshot']"),
+				},
+			},
 		}
 
 		role, err := c.Ego.CreateIAMRole(c.exoV2Context, *flags.Zone, &exov2.IAMRole{
@@ -237,7 +243,7 @@ func (c *Cluster) applyCSI() error {
 			Policy: &exov2.IAMPolicy{
 				DefaultServiceStrategy: "deny",
 				Services: map[string]exov2.IAMPolicyService{
-					"compute": allow,
+					"compute": onlyAllowBlockStorageOperations,
 				},
 			},
 		})
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,6 +7,7 @@ @@
     *.dll
     *.so
     *.dylib
+    /bin
     # Test binary, built with `go test -c`
     *.test
@@ Expand Down @@