Merge pull request #4365 from romana/romana-iam-permission

Update route-related IAM permissions for Romana
k8s-ci-robot 2018-02-02 03:01:11 -08:00 committed by GitHub
commit 0a2c59bac1
3 changed files with 21 additions and 6 deletions


@ -183,7 +183,7 @@ func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error) {
}
if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Romana != nil {
addRomanaCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy)
addRomanaCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName())
}
if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.AmazonVPC != nil {
@ -564,7 +564,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac
Sid: "kopsK8sEC2MasterPermsAllResources",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{
"ec2:CreateRoute", // aws.go
"ec2:CreateSecurityGroup", // aws.go
"ec2:CreateTags", // aws.go, tag.go
"ec2:CreateVolume", // aws.go
@ -578,6 +577,7 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac
Action: stringorslice.Of(
"ec2:AttachVolume", // aws.go
"ec2:AuthorizeSecurityGroupIngress", // aws.go
"ec2:CreateRoute", // aws.go
"ec2:DeleteRoute", // aws.go
"ec2:DeleteSecurityGroup", // aws.go
"ec2:DeleteVolume", // aws.go
@ -726,7 +726,7 @@ func addRoute53ListHostedZonesPermission(p *Policy) {
})
}
func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool) {
func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) {
if legacyIAM {
// Legacy IAM provides ec2:*, so no additional permissions required
return
@ -735,7 +735,7 @@ func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, le
// Comments are which Romana component makes the call
p.Statement = append(p.Statement,
&Statement{
Sid: "kopsK8sEC2MasterPermsRomanaCNI",
Sid: "kopsK8sEC2RomanaCNIMasterPermsAllResources",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{
"ec2:DescribeAvailabilityZones", // vpcrouter
@ -743,6 +743,21 @@ func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, le
}),
Resource: resource,
},
&Statement{
Sid: "kopsK8sEC2RomanaCNIMasterPermsTaggedResources",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{
"ec2:CreateRoute", // vpcrouter
"ec2:DeleteRoute", // vpcrouter
"ec2:ReplaceRoute", // vpcrouter
}),
Resource: resource,
Condition: Condition{
"StringEquals": map[string]string{
"ec2:ResourceTag/KubernetesCluster": clusterName,
},
},
},
)
}
}
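Review bot: The new kopsK8sEC2RomanaCNIMasterPermsTaggedResources statement makes ec2:CreateRoute/DeleteRoute/ReplaceRoute conditional on the route table carrying `KubernetesCluster=<clusterName>`, and neither the hunk nor the commit description records that precondition; addRomanaCNIPermissions has no doc comment, so an operator whose route tables are not tagged that way (a pre-existing table in a shared VPC, for example) would only learn of it from an AccessDenied in vpcrouter. I would add above the new `func addRomanaCNIPermissions(...)` signature: `// addRomanaCNIPermissions grants the Romana CNI components their EC2 permissions.` / `// Describe* calls are unrestricted; CreateRoute/DeleteRoute/ReplaceRoute are allowed only on` / `// route tables tagged KubernetesCluster=clusterName, so those tables must carry the tag.` ec2:ReplaceRoute also appears to be newly granted here, though the previous Romana statement is cut off above the hunk so I cannot confirm that from the page. The two expected-policy fixtures changed in this PR only cover the move of ec2:CreateRoute in addMasterEC2Policies; none exercises the tag-conditioned Romana statement, so a Romana-enabled fixture would be the place to catch a wrong condition key or value. The body of addRomanaCNIPermissions continues outside the hunks.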


@ -19,7 +19,6 @@
"Sid": "kopsK8sEC2MasterPermsAllResources",
"Effect": "Allow",
"Action": [
"ec2:CreateRoute",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVolume",
@ -35,6 +34,7 @@
"Action": [
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateRoute",
"ec2:DeleteRoute",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",


@ -19,7 +19,6 @@
"Sid": "kopsK8sEC2MasterPermsAllResources",
"Effect": "Allow",
"Action": [
"ec2:CreateRoute",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVolume",
@ -35,6 +34,7 @@
"Action": [
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateRoute",
"ec2:DeleteRoute",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",