81 changes: 77 additions & 4 deletions docs/home/clouds/aws.md
Expand Up @@ -133,9 +133,71 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally

- in the `Key policy` of the KMS key that is used to encrypt data in the S3 bucket

## Cross-account ECR access

⚠️ **Mandatory in case of processors-controller usage**

The approach is based on the [official AWS documentation](https://repost.aws/knowledge-center/secondary-account-access-ecr) for ECR repository policies and cross-account access patterns.

ECR cross-account access requires configuring both:

- `IAM policy` attached to the IAM role/user

If the ECR repository uses `KMS encryption` with a customer-managed key, then it is necessary to additionally grant access to the KMS key in:

- The `IAM policy` that is attached to the IAM role/user

- The `Key policy` of the KMS key used to encrypt the ECR repository

## Configuration examples

<details><summary>IAM policy for ECR access</summary>

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECRRepositoryAccess",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken"
],
"Resource": "*"
},
{
"Sid": "ECRImagePull",
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:DescribeRepositories",
"ecr:DescribeImages",
"ecr:ListImages"
],
"Resource": "*"
},
{
"Sid" : "AllowUseOfTheKey",
"Effect": "Allow",
"Action" : [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource" : ["KMS_KEY_ARN"]
}
]
}
```

</details>

<details><summary>AbortIncompleteMultipartUpload rule</summary>

```json
{
"Rules": [
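Review bot: the list under `ECR cross-account access requires configuring both:` has only one item, the `IAM policy` on the role/user; the second half, the repository policy on the ECR repository in the account that owns the images (the subject of the linked AWS article), is missing from the list and from `## Configuration examples`, so a reader cannot finish the setup from this page. Add the second bullet and a `<details><summary>ECR repository policy</summary>` block mirroring the IAM one. Two least-privilege points in the new IAM example: `"Sid": "ECRImagePull"` uses `"Resource": "*"` although only `ecr:GetAuthorizationToken` genuinely needs `*`; the pull actions can be scoped to the repository ARN(s). And `AllowUseOfTheKey` grants `kms:Encrypt`, `kms:ReEncrypt*` and `kms:GenerateDataKey*` to a principal that is otherwise given pull-only actions; those are write-side permissions, so trim the statement to what the pull path actually needs (`kms:Decrypt`, `kms:DescribeKey`) after checking the ECR KMS documentation. Minor: this new block uses the `"Sid" :` / `"Action" :` / `"Resource" :` spacing that the rest of this PR is removing from the S3 examples.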
Expand All @@ -149,27 +211,29 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
]
}
```

</details>

<details><summary>IAM policy for S3 access</summary>

```json
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "ListObjectsInBucket",
"Effect" : "Allow",
"Effect": "Allow",
"Action" : [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource" : ["S3_BUCKET_ARN"]
"Resource": ["S3_BUCKET_ARN"]
},
{
"Sid" : "AllObjectActions",
"Effect" : "Allow",
"Effect": "Allow",
"Action" : [
"s3:*Object*",
"s3:AbortMultipartUpload",
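Review bot: the whitespace normalization here (and in the next hunk) is partial: `"Effect" : "Allow"` and `"Resource" : ["S3_BUCKET_ARN"]` lose the space before the colon, but `"Sid" :`, `"Action" :`, `"Version" :` and `"Statement" :` in the same block keep it. Either run the JSON blocks through a formatter (`jq .`) so one style applies throughout, or leave the whitespace untouched; a mixed style inside one policy document makes the next diff noisier.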
Expand All @@ -179,7 +243,7 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
},
{
"Sid" : "AllowUseOfTheKey",
"Effect" : "Allow",
"Effect": "Allow",
"Action" : [
"kms:Encrypt",
"kms:Decrypt",
Expand All @@ -192,9 +256,11 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
]
}
```

</details>

<details><summary>IRSA Trust Relationships</summary>

```json
{
"Version": "2012-10-17",
Expand All @@ -215,9 +281,11 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
]
}
```

</details>

<details><summary>Pod Identity Trust Relationships</summary>

```json
{
"Version": "2012-10-17",
Expand All @@ -235,9 +303,11 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
]
}
```

</details>

<details><summary>GP3 StorageClass example</summary>

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
Expand All @@ -249,9 +319,11 @@ provisioner: ebs.csi.aws.com
volumeBindingMode: Immediate
allowVolumeExpansion: true
```

</details>

<details><summary>TargetGroupBinding example</summary>

```yaml
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
Expand All @@ -265,4 +337,5 @@ spec:
port: 80
targetGroupARN: TARGET_GROUP_ARN
```

</details>
12 changes: 12 additions & 0 deletions docs/home/release-notes/v1.60-v1.69.md
@@ -1,5 +1,17 @@
# Release notes

## Version 1.62

!!! tip ""
Helm chart version 1.62.0

### Helm configuration changes

- Added a new service, `processors-controller`, which manages the lifecycle of `transformation` pods.
- To use transformations, configure cross-account ECR access. See [Cross-account ECR access](./../clouds/aws.md#cross-account-ecr-access).
- The `processors-controller` requires RBAC permissions to manage `Pods`, `ConfigMaps`, and `PersistentVolumeClaims`.
The required manifests are included in the Helm chart and can be disabled by setting `processorsController.rbac.enabled` to `false`.

## Version 1.61

!!! tip ""
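Review bot: the RBAC bullet says the manifests `can be disabled by setting processorsController.rbac.enabled to false` but not what the operator must then provide (a Role/RoleBinding or ClusterRole/ClusterRoleBinding granting the same verbs on `Pods`, `ConfigMaps` and `PersistentVolumeClaims` to the controller's ServiceAccount), nor whether the bundled RBAC is namespaced or cluster-wide; both matter to anyone reviewing the chart's blast radius, so state them. The ECR bullet has the same gap: it says cross-account ECR access is required to use transformations but not which account's registry or which image the `processors-controller` pulls, so the reader cannot write the IAM policy or repository policy the link points to. Name the registry/image (or the chart value that sets it) here or in the linked section.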