diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 014e858a14..58448642cc 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -183,7 +183,7 @@ func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error) {
 	}
 
 	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Romana != nil {
-		addRomanaCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy)
+		addRomanaCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName())
 	}
 
 	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.AmazonVPC != nil {
@@ -564,7 +564,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac
 			Sid: "kopsK8sEC2MasterPermsAllResources",
 			Effect: StatementEffectAllow,
 			Action: stringorslice.Slice([]string{
-				"ec2:CreateRoute", // aws.go
 				"ec2:CreateSecurityGroup", // aws.go
 				"ec2:CreateTags", // aws.go, tag.go
 				"ec2:CreateVolume", // aws.go
@@ -578,6 +577,7 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac
 			Action: stringorslice.Of(
 				"ec2:AttachVolume", // aws.go
 				"ec2:AuthorizeSecurityGroupIngress", // aws.go
+				"ec2:CreateRoute", // aws.go
 				"ec2:DeleteRoute", // aws.go
 				"ec2:DeleteSecurityGroup", // aws.go
 				"ec2:DeleteVolume", // aws.go
@@ -726,7 +726,7 @@ func addRoute53ListHostedZonesPermission(p *Policy) {
 	})
 }
 
-func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool) {
+func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) {
 	if legacyIAM {
 		// Legacy IAM provides ec2:*, so no additional permissions required
 		return
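Review bot: Moving `ec2:CreateRoute` into the `stringorslice.Of(` statement in the third hunk changes its effective scope from any route table to whatever that statement's Resource and Condition allow, and both the Sid and the Condition of that statement lie outside the hunk, so the assumption deserves to be stated on the line. If, as the sibling `ec2:DeleteRoute` and the "AllResources" naming of the statement it left suggest, this is the tag-conditioned statement, CreateRoute will now be denied on a route table that kops did not tag with `KubernetesCluster=<cluster>` (for example a pre-existing one in a shared VPC), which is a behaviour change for existing clusters on upgrade and worth a release note. I would annotate the moved line as `"ec2:CreateRoute", // aws.go; route table must carry the KubernetesCluster tag`. The enclosing statement starts and ends outside the hunk.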
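Review bot: `addRomanaCNIPermissions` gains a `clusterName` parameter in the fourth hunk but still has no doc comment, so nothing at the signature tells a reader that the name becomes an IAM condition value rather than a tag kops writes. I would add above the new signature `// addRomanaCNIPermissions grants the master the EC2 calls the Romana vpcrouter makes.` / `// Route mutations are limited to route tables tagged KubernetesCluster=clusterName;` / `// it is a no-op under legacy IAM, which already grants ec2:*.` Since the value comes straight from `b.Cluster.GetName()` in the first hunk, an empty name would silently become a `StringEquals` against an empty tag value instead of an error, so a one-line guard or at least a comment on that expectation seems warranted. The function body continues past the end of the hunk.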
@@ -735,7 +735,7 @@ func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, le
 		// Comments are which Romana component makes the call
 		p.Statement = append(p.Statement, &Statement{
-			Sid: "kopsK8sEC2MasterPermsRomanaCNI",
+			Sid: "kopsK8sEC2RomanaCNIMasterPermsAllResources",
 			Effect: StatementEffectAllow,
 			Action: stringorslice.Slice([]string{
 				"ec2:DescribeAvailabilityZones", // vpcrouter
@@ -743,6 +743,21 @@ func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, le
 			}),
 			Resource: resource,
 		},
+		&Statement{
+			Sid: "kopsK8sEC2RomanaCNIMasterPermsTaggedResources",
+			Effect: StatementEffectAllow,
+			Action: stringorslice.Slice([]string{
+				"ec2:CreateRoute", // vpcrouter
+				"ec2:DeleteRoute", // vpcrouter
+				"ec2:ReplaceRoute", // vpcrouter
+			}),
+			Resource: resource,
+			Condition: Condition{
+				"StringEquals": map[string]string{
+					"ec2:ResourceTag/KubernetesCluster": clusterName,
+				},
+			},
+		},
 		)
 	}
 }
diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json
index 8a180e8e98..5e90e17e2d 100644
--- a/pkg/model/iam/tests/iam_builder_master_strict.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict.json
@@ -19,7 +19,6 @@
       "Sid": "kopsK8sEC2MasterPermsAllResources",
       "Effect": "Allow",
       "Action": [
-        "ec2:CreateRoute",
         "ec2:CreateSecurityGroup",
         "ec2:CreateTags",
         "ec2:CreateVolume",
@@ -35,6 +34,7 @@
       "Action": [
         "ec2:AttachVolume",
         "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:CreateRoute",
         "ec2:DeleteRoute",
         "ec2:DeleteSecurityGroup",
         "ec2:DeleteVolume",
diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
index 6b9e30ce4b..54f0563281 100644
--- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
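Review bot: The `ec2:ResourceTag/KubernetesCluster` condition added in the last Go hunk bounds accidental cross-cluster route changes but not a compromised master, because the same role keeps `ec2:CreateTags` in `kopsK8sEC2MasterPermsAllResources` (second hunk of this file, a statement that by its name is not tag-conditioned), so the principal can tag any route table with its own cluster name and then satisfy this check for `CreateRoute`, `DeleteRoute` and `ReplaceRoute`. That is a reasonable trade-off for kops' strict policy, but it should be recorded where the condition is built rather than left for the next reader to rediscover; I would add above `Condition: Condition{` the comment `// Limits blast radius, not privilege: the master's unconditioned ec2:CreateTags can tag any route table into scope.` Actually closing that gap would mean constraining CreateTags with `aws:RequestTag`/`ec2:CreateAction`, which touches every tag kops writes and is out of scope for this change.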
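Review bot: Neither fixture touched by this diff exercises the Romana path, so the renamed `kopsK8sEC2RomanaCNIMasterPermsAllResources` statement and the new tag-conditioned one have no golden output anywhere in the change; unless a fixture lies beyond this chunk, a Romana fixture cannot exist, because the Sid rename would have forced it into the diff. I would add `pkg/model/iam/tests/iam_builder_master_strict_romana.json` built from a cluster spec with Romana networking and non-legacy IAM, so that the serialized `"Condition": {"StringEquals": {"ec2:ResourceTag/KubernetesCluster": "<name>"}}` is pinned the way the `ec2:CreateRoute` move is pinned here. The test harness that drives these fixtures is outside this diff, so how the spec is wired in is inferred.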
@@ -19,7 +19,6 @@
       "Sid": "kopsK8sEC2MasterPermsAllResources",
       "Effect": "Allow",
       "Action": [
-        "ec2:CreateRoute",
         "ec2:CreateSecurityGroup",
         "ec2:CreateTags",
         "ec2:CreateVolume",
@@ -35,6 +34,7 @@
       "Action": [
         "ec2:AttachVolume",
         "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:CreateRoute",
         "ec2:DeleteRoute",
         "ec2:DeleteSecurityGroup",
         "ec2:DeleteVolume",