AWS eks documentation change
Summary
Updated permissions explanation for kro capability, reinforced least privilege principle, and added strong warning against production use of AmazonEKSClusterAdminPolicy.
Security assessment
Enhances security documentation by clarifying default permissions and explicitly discouraging broad permissions in production. No evidence of addressing a specific security vulnerability.
Diff
diff --git a/eks/latest/userguide/kro-create-console.md b/eks/latest/userguide/kro-create-console.md index 969bb6694..4af573d68 100644 --- a//eks/latest/userguide/kro-create-console.md +++ b//eks/latest/userguide/kro-create-console.md @@ -63 +63,5 @@ For information about capability statuses and troubleshooting, see [Working with -By default, kro can only create and manage ResourceGraphDefinitions and their instances. To allow kro to create and manage the underlying Kubernetes resources defined in your ResourceGraphDefinitions, associate the `AmazonEKSClusterAdminPolicy` access policy with the capability’s access entry. +When you create a kro capability, an EKS Access Entry is automatically created with the `AmazonEKSKROPolicy`, which allows kro to manage ResourceGraphDefinitions and their instances. However, no permissions are granted by default to create the underlying Kubernetes resources (like Deployments, Services, ConfigMaps, etc.) defined in your ResourceGraphDefinitions. + +This intentional design follows the principle of least privilege—different ResourceGraphDefinitions require different permissions. You must explicitly configure the permissions kro needs based on the resources your ResourceGraphDefinitions will manage. + +For getting started quickly, testing, or development environments, use `AmazonEKSClusterAdminPolicy`: @@ -84 +88 @@ By default, kro can only create and manage ResourceGraphDefinitions and their in -The `AmazonEKSClusterAdminPolicy` grants broad permissions to create and manage all Kubernetes resources and is intended to streamline getting started. For production use, create more restrictive RBAC policies that grant only the permissions needed for the specific resources your ResourceGraphDefinitions will manage. For guidance on configuring least-privilege permissions, see [Configure kro permissions](./kro-permissions.html) and [Security considerations for EKS Capabilities](./capabilities-security.html). +The `AmazonEKSClusterAdminPolicy` grants broad permissions to create and manage all Kubernetes resources, including the ability to create any resource type across all namespaces. This is convenient for development and POCs but should not be used in production. For production, create custom RBAC policies that grant only the permissions needed for the specific resources your ResourceGraphDefinitions will manage. For guidance on configuring least-privilege permissions, see [Configure kro permissions](./kro-permissions.html) and [Security considerations for EKS Capabilities](./capabilities-security.html).