Skip to content

fix(manifests): Add list bucket to IAM policy#13469

Open
tarekabouzeid wants to merge 1 commit into
kubeflow:masterfrom
tarekabouzeid:kserve-policy
Open

fix(manifests): Add list bucket to IAM policy#13469
tarekabouzeid wants to merge 1 commit into
kubeflow:masterfrom
tarekabouzeid:kserve-policy

Conversation

@tarekabouzeid
Copy link
Copy Markdown
Member

@tarekabouzeid tarekabouzeid commented Jun 1, 2026

Description of your changes:

Kserve storage initializer is running HeadBucket  on arn:aws:s3:::mlpipeline , need to update IAM policy to allow that.

Checklist:

Copilot AI review requested due to automatic review settings June 1, 2026 18:51
@google-oss-prow
Copy link
Copy Markdown

google-oss-prow Bot commented Jun 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign juliusvonkohout for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI reviewed Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the IAM policy generated by the pipelines profile controller to include an explicit bucket-level permission needed by some S3 clients (e.g., KServe storage-initializer) while keeping object permissions scoped to specific prefixes.

Changes:

  • Split the single S3 statement into separate bucket-level and object-level statements.
  • Added s3:ListBucket on the bucket resource to support bucket-level checks prior to object access.

Comment thread manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/sync.py
Comment on lines +394 to +405
"Statement": [
{
# Bucket-level: allows HeadBucket (used by KServe storage-initializer
# and other S3 clients before downloading model artifacts).
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
f"arn:aws:s3:::{S3_BUCKET_NAME}"
]
},
Copy link
Copy Markdown
Member

@juliusvonkohout juliusvonkohout Jun 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a secure way to implement this?

Comment thread manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/sync.py
Comment on lines +406 to +420
{
# Object-level: prefix-scoped to this namespace only.
"Effect": "Allow",
"Action": [
"s3:Put*",
"s3:Get*",
"s3:List*"
],
"Resource": [
f"arn:aws:s3:::{S3_BUCKET_NAME}/artifacts/*",
f"arn:aws:s3:::{S3_BUCKET_NAME}/private-artifacts/{namespace}/*",
f"arn:aws:s3:::{S3_BUCKET_NAME}/private/{namespace}/*",
f"arn:aws:s3:::{S3_BUCKET_NAME}/shared/*",
]
}
@tarekabouzeid
Add list bucket to IAM policy
447477e 
Signed-off-by: Tarek Abouzeid <tarek.abouzeid91@gmail.com>
@juliusvonkohout
Copy link
Copy Markdown
Member

juliusvonkohout commented Jun 1, 2026
edited
Loading

Thank you for the PR.

can you verify

  1. that you cannot list objects from other namespaces, sicne that would break enterprise multi tenancy. You could make it configurable behind an off bey default flag if the multi-tenancy is violated.
  2. Are you sure about the kserver storage initializer needing it? i recently had an occurence where it worked with the status quo.
  3. we would need to extend the current multi tenancy tests to also verify that listing objects beyond tenancy borders is blocked, not just downloading.

/hold

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@juliusvonkohout juliusvonkohout Awaiting requested review from juliusvonkohout

@mprahl mprahl Awaiting requested review from mprahl

Assignees

No one assigned

Labels

do-not-merge/hold size/M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tarekabouzeid @juliusvonkohout