mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-01-13 11:25:19 +00:00
The previous version forced us to create AWS IAM policies that are too permissive when dealing with volumes. That's because:

1. Volumes were created without tags that identify the new resource as managed by the cluster. So technically the resource, at creation time, is not owned by the cluster.
2. Tags were added to the volume, making the resource now managed by the cluster. The problem is that this could mark ANY volume as managed by the cluster, thus allowing resources that aren't really part of the cluster, or part of no cluster at all, to become a resource managed by the cluster.

By combining the operations we can both make the code simpler, since we don't need to deal with deleting a volume in case we can't apply tags to it, and the security model gets a nice improvement.
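As an added illustration (not part of this commit or the project's own policy files), this is the kind of least-privilege IAM policy that becomes possible once tags are applied in the same CreateVolume call: CreateTags is only allowed as part of volume creation, so an existing volume can no longer be re-tagged into the cluster. The cluster tag key `kubernetes.io/cluster/EXAMPLE-CLUSTER-ID` and value `owned` are placeholders assumed here, not taken from the commit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateVolumeOnlyWhenTaggedAsOwnedByThisCluster",
      "Effect": "Allow",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/kubernetes.io/cluster/EXAMPLE-CLUSTER-ID": "owned"
        }
      }
    },
    {
      "Sid": "TagVolumesOnlyAsPartOfCreateVolume",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateVolume"
        }
      }
    },
    {
      "Sid": "DeleteOnlyVolumesAlreadyOwnedByThisCluster",
      "Effect": "Allow",
      "Action": "ec2:DeleteVolume",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/kubernetes.io/cluster/EXAMPLE-CLUSTER-ID": "owned"
        }
      }
    }
  ]
}
```

With the old create-then-tag flow, the second statement would have to drop its `ec2:CreateAction` condition (tagging happens in a separate call after creation), which is exactly the over-permissive grant the commit message describes.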