
According to the documentation of both kops and AWS, the dedicated kops user needs the IAMFullAccess permission to operate properly.

Why is this permission needed?

Is there a way to avoid (i.e. restrict) this, given that it is a bit too intrusive to create a user with such a permission?

Edit: one could assume that this specific permission is needed to attach the respective roles to the master(s) and node(s) instances;

therefore perhaps the question / challenge becomes how to:

  • not use IAMFullAccess
  • sync with the node creation / bootstrapping process and attach the above roles; (perhaps create a cluster on pre-configured instances? - no idea if kops provides for that)
pkaramol

1 Answer

As far as I understand the kops design, it's meant to be an end-to-end tool for provisioning you with k8s clusters. If you want to provision your nodes separately and deploy k8s on them, I would suggest using another tool, such as kubespray or kubeadm:

https://github.com/kubernetes-incubator/kubespray

https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/

Nebril
  • In that case, and since I have encountered `kubeadm` before, do we have a comparison of `kubeadm` and `kops` in terms of production-readiness & stability? – pkaramol Jan 05 '18 at 13:37
  • I would be more comfortable with kubespray in terms of production-readiness. Kubeadm seems to have more uses in temporary CI/getting started scenarios. But everything depends on your definitions of production-readiness. – Nebril Jan 05 '18 at 15:05