AWS eks documentation change
Summary
Clarified default permissions for kro capability and emphasized least privilege principle. Added explicit warning against using AmazonEKSClusterAdminPolicy in production due to broad permissions.
Security assessment
The change documents security best practices (least privilege) and explicitly warns against overly permissive policies in production. It does not address a specific security vulnerability but enhances security guidance.
Diff
diff --git a/eks/latest/userguide/kro-create-cli.md b/eks/latest/userguide/kro-create-cli.md index a151d86c5..5fd4cda08 100644 --- a//eks/latest/userguide/kro-create-cli.md +++ b//eks/latest/userguide/kro-create-cli.md @@ -110 +110,9 @@ You can also view the full capability details: -By default, kro can only create and manage ResourceGraphDefinitions and their instances. To allow kro to create and manage the underlying Kubernetes resources defined in your ResourceGraphDefinitions, associate the `AmazonEKSClusterAdminPolicy` access policy with the capability’s access entry. +When you create a kro capability, an EKS Access Entry is automatically created with the `AmazonEKSKROPolicy`, which allows kro to manage ResourceGraphDefinitions and their instances. However, no permissions are granted by default to create the underlying Kubernetes resources (like Deployments, Services, ConfigMaps, etc.) defined in your ResourceGraphDefinitions. + +This intentional design follows the principle of least privilege—different ResourceGraphDefinitions require different permissions. For example: * A ResourceGraphDefinition that creates only ConfigMaps and Secrets needs different permissions than one that creates Deployments and Services * A ResourceGraphDefinition that creates ACK resources needs permissions for those specific custom resources * Some ResourceGraphDefinitions might only read existing resources without creating new ones + +You must explicitly configure the permissions kro needs based on the resources your ResourceGraphDefinitions will manage. + +### Quick setup + +For getting started quickly, testing, or development environments, use `AmazonEKSClusterAdminPolicy`: @@ -134 +142 @@ Associate the cluster admin policy: -The `AmazonEKSClusterAdminPolicy` grants broad permissions to create and manage all Kubernetes resources and is intended to streamline getting started. For production use, create more restrictive RBAC policies that grant only the permissions needed for the specific resources your ResourceGraphDefinitions will manage. For guidance on configuring least-privilege permissions, see [Configure kro permissions](./kro-permissions.html) and [Security considerations for EKS Capabilities](./capabilities-security.html). +The `AmazonEKSClusterAdminPolicy` grants broad permissions to create and manage all Kubernetes resources, including the ability to create any resource type across all namespaces. This is convenient for development and POCs but should not be used in production. For production, create custom RBAC policies that grant only the permissions needed for the specific resources your ResourceGraphDefinitions will manage. For guidance on configuring least-privilege permissions, see [Configure kro permissions](./kro-permissions.html) and [Security considerations for EKS Capabilities](./capabilities-security.html).