chore: add IRSA usage doc #1293

Merged
merged 1 commit into from
Apr 19, 2024

JBOClara
Contributor

What this PR does:

Adding doc about IAM role usage.

Which issue(s) this PR fixes:
Complete #1152

Checklist

  • Changes manually tested
  • Automated Tests added/updated
  • Documentation added/updated
  • CHANGELOG.md updated (not required for documentation PRs)
  • CLA Signed: DataStax CLA

@JBOClara JBOClara requested a review from a team as a code owner April 19, 2024 12:06

No linked issues found. Please add the corresponding issues in the pull request description.
Use GitHub automation to close the issue when a PR is merged

@JBOClara JBOClara mentioned this pull request Apr 19, 2024
5 tasks

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.2% Duplication on New Code

See analysis details on SonarCloud

Contributor

@adejanovski adejanovski left a comment

Thanks a lot @JBOClara, much appreciated!

@adejanovski adejanovski merged commit edd6b4c into k8ssandra:main Apr 19, 2024
1 of 2 checks passed

To make this work, you must ensure the following steps are completed:

> While Medusa is running in standalone mode, it uses the default service account from the namespace. Make sure this service account has the necessary role annotation.
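
Review bot: the note on the last line tells readers to put the role annotation on the namespace's default service account but does not say that the annotation is then shared by every pod in that namespace that runs under the default service account. State that consequence next to the note, and advise keeping the annotated role's permissions limited to what Medusa needs for as long as standalone mode cannot be given its own service account.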
Contributor

Is this behavior acceptable?
That means that the default service account needs to be properly annotated and needs to be properly bound with the AWS IAM role.

Therefore, any pods created without a SA specified will be granted AWS permissions.
This is against the least privilege principle - many of our customers won't accept this.

Contributor

Following this, just opened this issue #1294

Contributor Author

@JBOClara JBOClara Apr 19, 2024

Totally agree, in my case, my project is not yet in production, so we have accepted the risk.
However, it is essential to be able to specify a specific "ServiceAccount" for Medusa standalone.

Each component should have complete customization of its spec.

@adejanovski
Contributor

FYI folks, this is in our current dev cycle. We'll probably end up removing this pod altogether since its original use case is no longer valid, and the one we had planned for (bootstrapping a new cluster using a backup) isn't implemented yet.
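
The concern raised in the review thread above (any pod running under an annotated `default` service account picks up the IAM role) can be checked per namespace. The script below is an added example, not part of this pull request or of k8ssandra; it assumes the standard IRSA annotation `eks.amazonaws.com/role-arn`, and the namespace, pod names and role ARN in the sample are constructed placeholders.

```python
# Annotation the EKS pod identity webhook reads on a ServiceAccount.
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"

# Constructed sample, shaped like `kubectl get serviceaccounts,pods -n <ns> -o json`.
# Namespace, pod names and the role ARN are placeholders, not values from the PR.
SAMPLE = {"items": [
    {"kind": "ServiceAccount",
     "metadata": {"namespace": "cassandra", "name": "default", "annotations": {
         IRSA_ANNOTATION: "arn:aws:iam::111122223333:role/EXAMPLE-medusa-backup"}}},
    {"kind": "ServiceAccount", "metadata": {"namespace": "cassandra", "name": "metrics"}},
    {"kind": "Pod", "metadata": {"namespace": "cassandra", "name": "medusa-standalone"},
     "spec": {"serviceAccountName": "default"}},
    {"kind": "Pod", "metadata": {"namespace": "cassandra", "name": "debug-shell"},
     "spec": {}},  # no service account set: Kubernetes assigns "default"
    {"kind": "Pod", "metadata": {"namespace": "cassandra", "name": "exporter"},
     "spec": {"serviceAccountName": "metrics"}},
]}


def annotated_service_accounts(items):
    """Return {(namespace, name): role_arn} for service accounts bound to an IAM role."""
    roles = {}
    for obj in items:
        meta = obj.get("metadata", {})
        arn = (meta.get("annotations") or {}).get(IRSA_ANNOTATION)
        if obj.get("kind") == "ServiceAccount" and arn:
            roles[(meta.get("namespace", "default"), meta["name"])] = arn
    return roles


def pods_inheriting_role(items):
    """List pods whose (explicit or implicit) service account carries an IAM role."""
    roles = annotated_service_accounts(items)
    findings = []
    for obj in items:
        if obj.get("kind") != "Pod":
            continue
        meta = obj["metadata"]
        ns = meta.get("namespace", "default")
        sa = obj.get("spec", {}).get("serviceAccountName") or "default"
        if (ns, sa) in roles:
            findings.append((ns, meta["name"], sa, roles[(ns, sa)]))
    return findings


if __name__ == "__main__":
    for ns, pod, sa, arn in pods_inheriting_role(SAMPLE["items"]):
        print(f"{ns}/{pod} runs as service account '{sa}' and inherits {arn}")
```

On the sample, both `medusa-standalone` and the unrelated `debug-shell` pod are reported, while `exporter`, which runs under its own unannotated service account, is not.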
