Otdfbt

Why didn't the Space Shuttle bounce back into space as many times as possible so as to lose a lot of kinetic energy up there?

What makes accurate emulation of old systems a difficult task?

What does "function" actually mean in music?

What was Apollo 13's "Little Jolt" after MECO?

Can a level 2 Warlock take one level in rogue, then continue advancing as a warlock?

How to have a sharp product image?

Apply a different color ramp to subset of categorized symbols in QGIS?

What is this word supposed to be?

Crossed out red box fitting tightly around image

What is the best way to deal with NPC-NPC combat?

std::unique_ptr of base class holding reference of derived class does not show warning in gcc compiler while naked pointer shows it. Why?

A faster way to compute the largest prime factor

Why do real positive eigenvalues result in an unstable system? What about eigenvalues between 0 and 1? or 1?

Complex numbers z=-3-4i polar form

How to keep bees out of canned beverages?

Is Diceware more secure than a long passphrase?

"My boss was furious with me and I have been fired" vs. "My boss was furious with me and I was fired"

Older movie/show about humans on derelict alien warship which refuels by passing through a star

"Whatever a Russian does, they end up making the Kalashnikov gun"? Are there any similar proverbs in English?

Is there really no use for MD5 anymore?

How do I reattach a shelf to the wall when it ripped out of the wall?

Extracting Dirichlet series coefficients

Multiple options vs single option UI

Why do games have consumables?

ECR IAM policy document for EKS node access

Setting environment variable in kubernetes before pulling an imageGive EC2 IAM role read access to S3 bucketCreate an IAM Policy that allows everything except IAM except PassRoleWhich IAM permissions are needed for ec2-create-image?Kubernetes/Flannel doens't work in private networkAutomatically login on Amazon ECR with Docker SwarmAWS access token for user assuming roleAWS could not get token: AccessDenied: User: ARN is not authorized to perform: sts:AssumeRole on resource: Role:ARNAmazon EKS: how to configure S3 access for worker nodes?possible for ec2 to have cross account bucket access without using iam user?Share IAM Policy across accounts in Organizations

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

1

What is the correct way to manage EKS node access to ECR via the IAM policy documents when I want to limit who can start jobs using different images?

In a simplified example, I have users A and B and ECR repositories C and D. User A has access to both repositories and user B should only have access to C. I want both users to be able to use the same EKS cluster (and the same set of nodes), and A should be able to run jobs on EKS using images from either C or D while B should be able to run only jobs using images from C but not D.

In my current setup, all EC2 nodes in the EKS cluster use a common IAM role which has AmazonEC2ContainerRegistryReadOnly attached to it so that it can read from all ECR repositories. Repository C gives user A and the EC2 node role read access, and repository D gives both users A and B as well as the EC2 node role read access. However, this means that both user A and user B can start jobs that read from either repository C or D, which is not what I want (user B shouldn't be able to start jobs reading from repository D).

I understand that one possibility would be to partition the set of nodes and assign them different EC2 IAM instance profiles and set up the ECR IAM policy documents so that the first set of nodes has access to repositories C and D while a second set of nodes only has access to C, but is there an alternative to this that avoids having to set up a set of nodes for each unique set of user permissions?

amazon-web-services kubernetes amazon-ecr

share|improve this question

asked Apr 18 at 17:11

Ai SuAi Su

61

add a comment | 

1

What is the correct way to manage EKS node access to ECR via the IAM policy documents when I want to limit who can start jobs using different images?

In a simplified example, I have users A and B and ECR repositories C and D. User A has access to both repositories and user B should only have access to C. I want both users to be able to use the same EKS cluster (and the same set of nodes), and A should be able to run jobs on EKS using images from either C or D while B should be able to run only jobs using images from C but not D.

In my current setup, all EC2 nodes in the EKS cluster use a common IAM role which has AmazonEC2ContainerRegistryReadOnly attached to it so that it can read from all ECR repositories. Repository C gives user A and the EC2 node role read access, and repository D gives both users A and B as well as the EC2 node role read access. However, this means that both user A and user B can start jobs that read from either repository C or D, which is not what I want (user B shouldn't be able to start jobs reading from repository D).

I understand that one possibility would be to partition the set of nodes and assign them different EC2 IAM instance profiles and set up the ECR IAM policy documents so that the first set of nodes has access to repositories C and D while a second set of nodes only has access to C, but is there an alternative to this that avoids having to set up a set of nodes for each unique set of user permissions?

amazon-web-services kubernetes amazon-ecr

share|improve this question

asked Apr 18 at 17:11

Ai SuAi Su

61

add a comment | 

What is the correct way to manage EKS node access to ECR via the IAM policy documents when I want to limit who can start jobs using different images?

In a simplified example, I have users A and B and ECR repositories C and D. User A has access to both repositories and user B should only have access to C. I want both users to be able to use the same EKS cluster (and the same set of nodes), and A should be able to run jobs on EKS using images from either C or D while B should be able to run only jobs using images from C but not D.

In my current setup, all EC2 nodes in the EKS cluster use a common IAM role which has AmazonEC2ContainerRegistryReadOnly attached to it so that it can read from all ECR repositories. Repository C gives user A and the EC2 node role read access, and repository D gives both users A and B as well as the EC2 node role read access. However, this means that both user A and user B can start jobs that read from either repository C or D, which is not what I want (user B shouldn't be able to start jobs reading from repository D).

I understand that one possibility would be to partition the set of nodes and assign them different EC2 IAM instance profiles and set up the ECR IAM policy documents so that the first set of nodes has access to repositories C and D while a second set of nodes only has access to C, but is there an alternative to this that avoids having to set up a set of nodes for each unique set of user permissions?

amazon-web-services kubernetes amazon-ecr

share|improve this question

asked Apr 18 at 17:11

Ai SuAi Su

61

share|improve this question

asked Apr 18 at 17:11

Ai SuAi Su

61

share|improve this question

asked Apr 18 at 17:11

Ai SuAi Su

61

asked Apr 18 at 17:11

Ai SuAi Su

61

asked Apr 18 at 17:11

Ai SuAi Su

61