Merge pull request #4365 from romana/romana-iam-permission

Update route-related IAM permissions for Romana
k8s-ci-robot 2018-02-02 03:01:11 -08:00 committed by GitHub
commit 0a2c59bac1
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 21 additions and 6 deletions


@ -183,7 +183,7 @@ func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error) {
} }
if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Romana != nil { if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Romana != nil {
addRomanaCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy) addRomanaCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName())
} }
if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.AmazonVPC != nil { if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.AmazonVPC != nil {
@ -564,7 +564,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac
Sid: "kopsK8sEC2MasterPermsAllResources", Sid: "kopsK8sEC2MasterPermsAllResources",
Effect: StatementEffectAllow, Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{ Action: stringorslice.Slice([]string{
"ec2:CreateRoute", // aws.go
"ec2:CreateSecurityGroup", // aws.go "ec2:CreateSecurityGroup", // aws.go
"ec2:CreateTags", // aws.go, tag.go "ec2:CreateTags", // aws.go, tag.go
"ec2:CreateVolume", // aws.go "ec2:CreateVolume", // aws.go
@ -578,6 +577,7 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac
Action: stringorslice.Of( Action: stringorslice.Of(
"ec2:AttachVolume", // aws.go "ec2:AttachVolume", // aws.go
"ec2:AuthorizeSecurityGroupIngress", // aws.go "ec2:AuthorizeSecurityGroupIngress", // aws.go
"ec2:CreateRoute", // aws.go
"ec2:DeleteRoute", // aws.go "ec2:DeleteRoute", // aws.go
"ec2:DeleteSecurityGroup", // aws.go "ec2:DeleteSecurityGroup", // aws.go
"ec2:DeleteVolume", // aws.go "ec2:DeleteVolume", // aws.go
@ -726,7 +726,7 @@ func addRoute53ListHostedZonesPermission(p *Policy) {
}) })
} }
func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool) { func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) {
if legacyIAM { if legacyIAM {
// Legacy IAM provides ec2:*, so no additional permissions required // Legacy IAM provides ec2:*, so no additional permissions required
return return
@ -735,7 +735,7 @@ func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, le
// Comments are which Romana component makes the call // Comments are which Romana component makes the call
p.Statement = append(p.Statement, p.Statement = append(p.Statement,
&Statement{ &Statement{
Sid: "kopsK8sEC2MasterPermsRomanaCNI", Sid: "kopsK8sEC2RomanaCNIMasterPermsAllResources",
Effect: StatementEffectAllow, Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{ Action: stringorslice.Slice([]string{
"ec2:DescribeAvailabilityZones", // vpcrouter "ec2:DescribeAvailabilityZones", // vpcrouter
@ -743,6 +743,21 @@ func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, le
}), }),
Resource: resource, Resource: resource,
}, },
&Statement{
Sid: "kopsK8sEC2RomanaCNIMasterPermsTaggedResources",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{
"ec2:CreateRoute", // vpcrouter
"ec2:DeleteRoute", // vpcrouter
"ec2:ReplaceRoute", // vpcrouter
}),
Resource: resource,
Condition: Condition{
"StringEquals": map[string]string{
"ec2:ResourceTag/KubernetesCluster": clusterName,
},
},
},
) )
} }
} }
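Review bot: The new `kopsK8sEC2RomanaCNIMasterPermsTaggedResources` statement has no comment saying why `ec2:CreateRoute`, `ec2:DeleteRoute` and `ec2:ReplaceRoute` are split out from the AllResources statement directly above it, and the Condition is the only thing that distinguishes the two. A one-line comment above the added `&Statement{`, `// Route mutations are limited to route tables tagged with this cluster's name (ec2:ResourceTag/KubernetesCluster).`, would make the intent visible to whoever next edits either statement. The condition value is passed in from `b.Cluster.GetName()` in the first hunk; if that getter can return an empty string the statement would match resources whose tag value is empty rather than this cluster's resources, so either a guard in `addRomanaCNIPermissions` or a note that callers guarantee a non-empty name seems warranted — the getter is not shown here, so this is inferred. The body of `addRomanaCNIPermissions` is split across the -726 and -743 hunks, with the lines between them outside this view.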


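--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -19,7 +19,6 @@
 "Sid": "kopsK8sEC2MasterPermsAllResources",
 "Effect": "Allow",
 "Action": [
-"ec2:CreateRoute",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
 "ec2:CreateVolume",
@@ -35,6 +34,7 @@
 "Action": [
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
+"ec2:CreateRoute",
 "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",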


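--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -19,7 +19,6 @@
 "Sid": "kopsK8sEC2MasterPermsAllResources",
 "Effect": "Allow",
 "Action": [
-"ec2:CreateRoute",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
 "ec2:CreateVolume",
@@ -35,6 +34,7 @@
 "Action": [
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
+"ec2:CreateRoute",
 "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",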