aws-operator health check should check account credentials
rossf7 opened this issue · 6 comments
What would be really nice here actually, is if it checked that it had the required permissions too.
And maybe even that it doesn't have too many permissions :D
@JosephSalisbury Yes that's nice :) The health check needs an API call to make that will do no harm. So it can call the IAM API and get the policy for the aws-operator IAM account.
We still need to create the correct IAM policy. At the moment it has admin access. Once that's done, validating that it's the correct policy would be useful.
@JosephSalisbury I've got a basic health check that gets the current user and the groups it belongs to. See https://github.com/giantswarm/aws-operator/pull/357/files#r129328713
This checks the IAM credentials work but doesn't check the permissions. To do that I think we should check the aws-operator user is in an aws-operator group.
The problem is currently it has Admin access and that group has different names across installs. So we'd need to wait until that group exists. WDYT?
If the aws-operator creates the aws-operator group, it's probably a bad idea to check that the group exists in the healthz. My thinking is if the group creation takes longer than the health check, the pod will be killed, and we can't do any work. Not certain on specifics.
The group would have to be created as part of the host cluster setup. If it was standard across installs then the health check could check for it.
Until then I'm not sure how we can check the permissions.
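The check sketched in the thread (get the current user, list its groups, confirm it is in an aws-operator group) and the concern that a missing group could get the pod killed can be reconciled by splitting the outcome into three states. The following is an added illustration, not code from the aws-operator PR: it assumes a small `IAMClient` interface that an adapter around aws-sdk-go's `iam.GetUser` (called without a `UserName`, so it resolves the calling user) and `iam.ListGroupsForUser` would satisfy, and it uses a constructed in-memory fake so it runs offline. A failed `GetUser` is the only fatal result; a missing group or a denied `ListGroupsForUser` is reported as degraded, so the health check still passes while the host-cluster setup is catching up.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// IAMClient is the minimal surface the health check needs. In the operator
// an adapter around aws-sdk-go's iam.GetUser and iam.ListGroupsForUser would
// satisfy it; that adapter is assumed here and not part of this example.
type IAMClient interface {
	CurrentUserName() (string, error)
	GroupsForUser(userName string) ([]string, error)
}

type Status int

const (
	Healthy   Status = iota // credentials work and the expected group is present
	Degraded                // credentials work, but the group check could not be satisfied
	Unhealthy               // credentials unusable: the operator can do no work
)

func (s Status) String() string {
	switch s {
	case Healthy:
		return "healthy"
	case Degraded:
		return "degraded"
	default:
		return "unhealthy"
	}
}

type Result struct {
	Status   Status
	UserName string
	Groups   []string
	Message  string
}

// CheckIAM probes the credentials with read-only IAM calls. Only a failed
// GetUser is fatal; a missing group or a denied ListGroupsForUser is reported
// as Degraded, so a group that is still being created does not get the pod
// restarted. An empty wantGroup skips the membership check.
func CheckIAM(c IAMClient, wantGroup string) Result {
	user, err := c.CurrentUserName()
	if err != nil {
		return Result{Status: Unhealthy, Message: fmt.Sprintf("iam:GetUser failed: %v", err)}
	}
	r := Result{UserName: user}
	groups, err := c.GroupsForUser(user)
	if err != nil {
		r.Status = Degraded
		r.Message = fmt.Sprintf("iam:ListGroupsForUser failed for %q: %v", user, err)
		return r
	}
	r.Groups = groups
	if wantGroup == "" {
		r.Status, r.Message = Healthy, "credentials valid; no group check configured"
		return r
	}
	for _, g := range groups {
		if g == wantGroup {
			r.Status, r.Message = Healthy, fmt.Sprintf("user %q is in group %q", user, wantGroup)
			return r
		}
	}
	r.Status = Degraded
	r.Message = fmt.Sprintf("user %q is not in group %q (groups: %v)", user, wantGroup, groups)
	return r
}

// fakeIAM is a constructed in-memory client used to exercise CheckIAM offline.
type fakeIAM struct {
	user     string
	groups   map[string][]string
	userErr  error
	groupErr error
}

func (f *fakeIAM) CurrentUserName() (string, error) { return f.user, f.userErr }

func (f *fakeIAM) GroupsForUser(u string) ([]string, error) {
	if f.groupErr != nil {
		return nil, f.groupErr
	}
	return f.groups[u], nil
}

func main() {
	cases := map[string]IAMClient{
		"ok":          &fakeIAM{user: "aws-operator", groups: map[string][]string{"aws-operator": {"aws-operator"}}},
		"wrong-group": &fakeIAM{user: "aws-operator", groups: map[string][]string{"aws-operator": {"Admins"}}},
		"bad-creds":   &fakeIAM{userErr: errors.New("InvalidClientTokenId")},
	}
	exit := 0
	for name, c := range cases {
		r := CheckIAM(c, "aws-operator")
		fmt.Printf("%-11s %-9s %s\n", name, r.Status, r.Message)
		if r.Status == Unhealthy {
			exit = 1
		}
	}
	os.Exit(exit)
}
```

One caveat when wiring this to the real SDK: `iam.GetUser` without a `UserName` only resolves the caller for long-lived IAM user credentials; with temporary credentials from an assumed role it returns an error, so a deployment that later moves to roles would need to switch the identity probe to `sts.GetCallerIdentity` and drop the group check in favour of a role-based one.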