
Commit 6e80924

Author: iru
Update README.md
1 parent 94801c3 commit 6e80924

File tree

1 file changed: +18 -16 lines changed


use_cases/org-k8s/README.md

Lines changed: 18 additions & 16 deletions
@@ -73,13 +73,26 @@ Use following snipped if required
7373
```
7474
<br/><br/>
7575

76+
### 4. **Cross-Account Access Role**
7677

77-
### 4. **Cloudtrail-S3 Account AssumeRole**
78+
This step provisions a role for Sysdig compute workload to be able to assume, and access resources outside the account, such as S3 bucket.
79+
Create a `SYSDIG_S3_ACCESS_ROLE` and setup a Trust Relationship, for Sysdig Compute role to be able to assume it.
80+
```
81+
{
82+
"Sid": "AllowSysdigAssumeRole",
83+
"Effect": "Allow",
84+
"Principal": {
85+
"AWS": "<ARN_SYSDIG_COMPUTE_ROLE>"
86+
},
87+
"Action": "sts:AssumeRole"
88+
}
89+
```
90+
<br/><br/>
7891

79-
This step is required when Cloudtrail-S3 bucket is stored in a different account than the cluster where we will deploy Sysdig workload.
80-
We will need to create a role to assume from our workload, due to cross-account S3 restrictions.
92+
### 5. **Cross-Account Access Setup for S3**
8193

82-
Create a `SYSDIG_S3_ACCESS_ROLE` role and give it following **permission** Statement
94+
In the previously created `SYSDIG_S3_ACCESS_ROLE`, we're gonna enable it to acces the `ARN_CLOUDTRAIL_S3` bucket where the events are stored
95+
Give the following **permission** Statement
8396
```
8497
{
8598
"Sid": "AllowSysdigReadS3",
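Review bot: The trust policy at lines 80+ to 89+ is a bare statement object without the enclosing policy document, so pasting it as-is into the role's trust relationship will be rejected; either wrap it as `{"Version": "2012-10-17", "Statement": [ ... ]}` or state at line 79+ that this is a statement to add to the role's existing trust policy. Two smaller points in the same hunk: line 79+ should read "set up a Trust Relationship" rather than "setup", and neither line 78+ nor 79+ says where the reader obtains the `<ARN_SYSDIG_COMPUTE_ROLE>` value that the new section 4 now depends on, so a pointer to the step that creates that role would help.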
@@ -91,17 +104,6 @@ Create a `SYSDIG_S3_ACCESS_ROLE` role and give it following **permission** State
91104
}
92105
```
93106

94-
We will also allow a Trust Relationship, for Sysdig Compute to be able to assume this role
95-
```
96-
{
97-
"Sid": "AllowSysdigAssumeRole",
98-
"Effect": "Allow",
99-
"Principal": {
100-
"AWS": "<ARN_SYSDIG_COMPUTE_ROLE>"
101-
},
102-
"Action": "sts:AssumeRole"
103-
}
104-
```
105107

106108
Now we will need to perform same **permissions setup on the S3 bucket**. Add following Statement to the **Bucket policy**
107109

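Review bot: Line 94+ has a typo ("acces" for "access"), informal wording ("we're gonna") and no terminating period; suggest: "In the previously created `SYSDIG_S3_ACCESS_ROLE`, grant access to the `<ARN_CLOUDTRAIL_S3>` bucket where the events are stored." Note also that the bucket placeholder is written `ARN_CLOUDTRAIL_S3` while the role placeholder in the previous hunk is `<ARN_SYSDIG_COMPUTE_ROLE>`; use the same angle-bracket convention for both so readers can tell which tokens must be replaced. Moving the `sts:AssumeRole` trust statement (removed at lines 94- to 104-) into section 4 is consistent with the new heading at line 92+, which now covers only the S3 permission side.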
@@ -119,7 +121,7 @@ Now we will need to perform same **permissions setup on the S3 bucket**. Add fol
119121
<br/><br/>
120122

121123

122-
### 5. **Sysdig Compute** Workload deployment in **K8s**
124+
### 6. **Sysdig Compute** Workload deployment in **K8s**
123125

124126
First let's review permission schema.
125127
![permission schema](./diagram.png)
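Review bot: Only the heading number changes here (5 to 6 at line 124+); check that any other references to step numbers elsewhere in this README, and in the `./diagram.png` referenced at line 127, still line up after the new section 4 was inserted, since nothing else in this commit adjusts them.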
