Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws/cert-manager: Tighten IAM permissions for cert-manager #16412

Conversation

andsens
Copy link
Contributor

@andsens andsens commented Mar 18, 2024

This change restricts which record types and domain prefixes cert-manager is allowed to change for DNS01 acme challenges.

Only _acme-challenge.* TXT records may be created/updated/removed.

Implements #15680

I ran make all examples test and it compiles, but beyond that I have not created any tests for this (knowledge of go is ankle deep) so I hope someone is kind enough to help me out and add that :-)

Copy link

linux-foundation-easycla bot commented Mar 18, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: andsens / name: Anders Ingemann (a902f9e)

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 18, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @andsens. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 18, 2024
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Mar 18, 2024
@hakman
Copy link
Member

hakman commented Mar 18, 2024

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 18, 2024
This change restricts which record types and domain prefixes
cert-manager is allowed to change for DNS01 acme challenges.

Only _acme-challenge.* TXT records may be created/updated/removed.

Implements kubernetes#15680
@andsens andsens force-pushed the tighten-cert-manager-aws-permissions branch from eb07883 to a902f9e Compare March 19, 2024 08:56
@hakman
Copy link
Member

hakman commented Mar 19, 2024

Thank you @andsens!
/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 19, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 19, 2024
@k8s-ci-robot k8s-ci-robot merged commit 305e9b2 into kubernetes:master Mar 19, 2024
21 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Mar 19, 2024
k8s-ci-robot added a commit that referenced this pull request Mar 20, 2024
…-upstream-release-1.29

Automated cherry pick of #16412: aws/cert-manager: Tighten IAM permissions for cert-manager
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants