Conversation


@briantwatson briantwatson commented Dec 18, 2025

  • Small documentation update following some changes we've made to the environment we're managing

@briantwatson briantwatson requested a review from a team as a code owner December 18, 2025 16:10
Copilot AI review requested due to automatic review settings December 18, 2025 16:10
@briantwatson briantwatson self-assigned this Dec 18, 2025

Copilot AI left a comment

Pull request overview

This PR updates the Velero AWS IAM policy documentation to use standard Kubernetes cluster ownership tags instead of EBS CSI driver-specific tags. The changes align the policy with Kubernetes conventions while simplifying the CreateTags permission statement.

Key changes:

  • Replaced ebs.csi.aws.com/cluster tags with kubernetes.io/cluster/<YOUR_CLUSTER_NAME> tags across all policy statements
  • Changed tag values from "true" to "owned" to match Kubernetes cluster ownership conventions
  • Simplified the CreateTags statement from two conditions to one, changing the operator from ForAllValues to ForAnyValue

Comments suppressed due to low confidence (1)

docs/reference/configuration/backup-and-restore/velero-cloud.md:107

  • The CreateTags statement was significantly simplified by removing one condition and changing the operator. The original policy had two conditions (one checking RequestTag and another checking ResourceTag with IfExists), while the new policy has only one. Additionally, the operator changed from ForAllValues:StringEquals to ForAnyValue:StringEquals.

ForAnyValue allows the CreateTags action as long as at least one of the tags being created matches the condition, permitting additional arbitrary tags in the same request. ForAllValues would require all tags in the request to match.

This is a substantial change in policy behavior that makes it more permissive. Please verify this aligns with your security requirements and that the removal of the ResourceTag condition check is intentional.

    condition {
      test     = "ForAnyValue:StringEquals"
      variable = "aws:RequestTag/kubernetes.io/cluster/<YOUR_CLUSTER_NAME>"
      values   = ["owned"]
    }
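As an added example (not part of the PR, the Velero docs, or the review comment above), a small Python model of how IAM's set operators evaluate a CreateTags request, so the ForAllValues/ForAnyValue difference the review describes can be checked against concrete requests. The use of aws:TagKeys as the multi-valued condition key, the simplified request context and the sample tag sets are my constructions; the cluster tag placeholder is the one from the docs snippet.

```python
"""Model of IAM set-operator semantics (ForAllValues / ForAnyValue) for a CreateTags request.

Set operators apply to multi-valued condition keys such as aws:TagKeys (the tag keys
present in the request). The two documented rules modelled here:
  ForAllValues -> every request value must match a policy value; an absent key
                  (empty set) matches vacuously.
  ForAnyValue  -> at least one request value must match; an absent key never matches.
"""
from typing import Dict, Set

# Placeholder exactly as written in the Velero docs snippet under review.
CLUSTER_TAG = "kubernetes.io/cluster/<YOUR_CLUSTER_NAME>"


def request_context(tags: Dict[str, str]) -> Dict[str, Set[str]]:
    """Build a simplified (constructed) condition-key context for a CreateTags call."""
    ctx: Dict[str, Set[str]] = {"aws:TagKeys": set(tags)}
    for key, value in tags.items():
        ctx[f"aws:RequestTag/{key}"] = {value}
    return ctx


def evaluate(operator: str, variable: str, values: Set[str], ctx: Dict[str, Set[str]]) -> bool:
    """Evaluate one StringEquals condition; operator is 'ForAllValues', 'ForAnyValue' or ''."""
    present = ctx.get(variable, set())
    if operator == "ForAllValues":
        return present <= values          # empty set is a subset: vacuous match
    if operator == "ForAnyValue":
        return bool(present & values)     # empty set never matches
    # Plain StringEquals on a single-valued key such as aws:RequestTag/<tag>.
    return len(present) == 1 and present <= values


def create_tags_allowed(operator: str, tags: Dict[str, str]) -> bool:
    """Would a CreateTags statement keyed on aws:TagKeys = {CLUSTER_TAG} allow this request?"""
    return evaluate(operator, "aws:TagKeys", {CLUSTER_TAG}, request_context(tags))


# Constructed sample requests.
ONLY_CLUSTER_TAG = {CLUSTER_TAG: "owned"}
CLUSTER_PLUS_EXTRA = {CLUSTER_TAG: "owned", "CostCenter": "anything"}
NO_TAGS: Dict[str, str] = {}

if __name__ == "__main__":
    for name, tags in [("only cluster tag", ONLY_CLUSTER_TAG),
                       ("cluster tag + arbitrary tag", CLUSTER_PLUS_EXTRA),
                       ("no tags", NO_TAGS)]:
        print(f"{name:28} ForAllValues={create_tags_allowed('ForAllValues', tags)!s:5} "
              f"ForAnyValue={create_tags_allowed('ForAnyValue', tags)}")
```

The "no tags" row shows why ForAllValues on its own is also not a complete guard: it matches vacuously when the key set is empty, which is why AWS pairs it with a Null check in its own guidance.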

@briantwatson briantwatson marked this pull request as draft December 18, 2025 16:32
@briantwatson briantwatson force-pushed the docs/updating-velero-docs-with-cluster-tag branch from 75db850 to a2eaf5f December 18, 2025 19:59
@briantwatson briantwatson force-pushed the docs/updating-velero-docs-with-cluster-tag branch from a2eaf5f to 487cdb5 December 18, 2025 20:03
@briantwatson briantwatson marked this pull request as ready for review December 18, 2025 20:13

@joelmccoy joelmccoy left a comment

I think these changes look good but would like to match our CI to ensure this still works and there aren't any gotchas. Would request that we update the policy for EKS


Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.
