aws: Always add KMS permissions to control plane

This commit is contained in:
Ciprian Hacman 2023-12-13 02:56:23 +02:00
parent 1597863a39
commit 24a8bc39d5
1 changed files with 3 additions and 7 deletions


@ -357,9 +357,7 @@ func (r *NodeRoleAPIServer) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
}
if b.KMSKeys != nil && len(b.KMSKeys) != 0 {
addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys))
}
addKMSIAMPolicies(p)
if b.Cluster.Spec.IAM != nil && b.Cluster.Spec.IAM.AllowContainerRegistry {
addECRPermissions(p)
@ -398,9 +396,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
}
if b.KMSKeys != nil && len(b.KMSKeys) != 0 {
addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys))
}
addKMSIAMPolicies(p)
// Protokube needs dns-controller permissions in instance role even if UseServiceAccountExternalPermissions.
AddDNSControllerPermissions(b, p)
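Review bot: The new unconditional call `addKMSIAMPolicies(p)` drops the per-key scoping that the removed branch applied whenever `b.KMSKeys` was configured, so the KMS actions inserted via `p.unconditionalAction` (which, going by the name, presumably render without a Resource or Condition restriction — worth confirming in the policy renderer) now reach every KMS key the account can see rather than the keys the cluster was told about; the same applies to the NodeRoleAPIServer hunk above. That widens the blast radius of a compromised control-plane instance to grant creation on unrelated keys, which is a least-privilege regression even if it fixes a missing-permission case when `KMSKeys` is empty. I would keep the resource parameter and call `addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys))` when keys are configured, falling back to the unscoped form only when the list is empty; alternatively, resolve the `kms:ViaService` TODO in the helper so the grant is at least restricted to use through the EC2/EBS service principal. The enclosing `NodeRoleMaster.BuildAWSPolicy` starts before and ends after this hunk, and the helper's remaining actions are outside the visible lines.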
@ -1090,7 +1086,7 @@ func AddKubeRouterPermissions(b *PolicyBuilder, p *Policy) {
)
}
func addKMSIAMPolicies(p *Policy, resource stringorslice.StringOrSlice) {
func addKMSIAMPolicies(p *Policy) {
// TODO could use "kms:ViaService" Condition Key here?
p.unconditionalAction.Insert(
"kms:CreateGrant",