Add Node IAM permissions to access kube-router key in S3.

2017-11-08 09:29:07 +00:00 · 2017-11-08 09:29:07 +00:00 · 029d0c0393
parent 760d58ea04
commit 029d0c0393
1 changed files with 11 additions and 0 deletions
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@ -348,6 +348,17 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
 							strings.Join([]string{b.IAMPrefix(), ":s3:::", iamS3Path, "/secrets/dockerconfig"}, ""),
 						),
 					})
+
+					if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Kuberouter != nil {
+						p.Statement = append(p.Statement, &Statement{
+							Sid:    "kopsK8sS3NodeBucketGetKuberouter",
+							Effect: StatementEffectAllow,
+							Action: stringorslice.Slice([]string{"s3:Get*"}),
+							Resource: stringorslice.Of(
+								strings.Join([]string{b.IAMPrefix(), ":s3:::", iamS3Path, "/pki/private/kube-router/*"}, ""),
+							),
+						})
+					}
 				}
 			}
 		} else if _, ok := vfsPath.(*vfs.MemFSPath); ok {