Allow controller to assume any role

Drop kube2iam because this never was really working. Updated readme to point to kiam.
itskoko · Mar 14, 2018 · 2b51384 · 2b51384
1 parent 59a283b
commit 2b51384
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 73 deletions.
diff --git a/README.md b/README.md
@@ -13,9 +13,9 @@ the cluster is heathly.
 We try to be reasonably secure, meaning all components are secured via TLS
 and RBAC is enabled. Yet, due to the user-data size limits we need to fetch
 the TLS keys from a S3 bucket. The permission for this is granted as an IAM
-instance profile, that means you need to deploy kube2iam or something else
-to block access to the metadata service. This isn't ideal but following the
-current best practices.
+instance profile, that means you need to deploy a metadata proxy to to block
+access to the metadata service. This isn't ideal but following the current best
+practices. We recommend [kiam](https://github.com/uswitch/kiam).
 
 ## Operations
 You can either edit the Makefile or use environment variable to override

diff --git a/kubernetes.yaml b/kubernetes.yaml
@@ -752,6 +752,10 @@ Resources:
       PolicyDocument:
         Version: 2012-10-17
         Statement:
+          - Effect: Allow
+            Action:
+              - "sts:AssumeRole"
+            Resource: "*"
           - Effect: Allow
             Action:
               - "ec2:Describe*"

diff --git a/manifests/kube2iam.yaml b/manifests/kube2iam.yaml