kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #16173 from hakman/relax_kms 

aws: Add KMS to EBS CSI Driver and control plane
This commit is contained in:
Kubernetes Prow Robot 2023-12-13 07:32:15 +01:00 committed by GitHub
parent 1597863a39 ac7f184329
commit 28d59a6b60
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
78 changed files with 433 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pkg/model/iam/iam_builder.go
View File

@ -357,9 +357,7 @@ func (r *NodeRoleAPIServer) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
}
if b.KMSKeys != nil && len(b.KMSKeys) != 0 {
addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys))
}
addKMSIAMPolicies(p)
if b.Cluster.Spec.IAM != nil && b.Cluster.Spec.IAM.AllowContainerRegistry {
addECRPermissions(p)
@ -398,9 +396,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
}
if b.KMSKeys != nil && len(b.KMSKeys) != 0 {
addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys))
}
addKMSIAMPolicies(p)
// Protokube needs dns-controller permissions in instance role even if UseServiceAccountExternalPermissions.
AddDNSControllerPermissions(b, p)
@ -1005,6 +1001,8 @@ func AddClusterAutoscalerPermissions(p *Policy, useStaticInstanceList bool) {
// AddAWSEBSCSIDriverPermissions appens policy statements that the AWS EBS CSI Driver needs to operate.
func AddAWSEBSCSIDriverPermissions(p *Policy, appendSnapshotPermissions bool) {
addKMSIAMPolicies(p)
if appendSnapshotPermissions {
addSnapshotPersmissions(p)
}
@ -1090,7 +1088,7 @@ func AddKubeRouterPermissions(b *PolicyBuilder, p *Policy) {
)
}
func addKMSIAMPolicies(p *Policy, resource stringorslice.StringOrSlice) {
func addKMSIAMPolicies(p *Policy) {
// TODO could use "kms:ViaService" Condition Key here?
p.unconditionalAction.Insert(
"kms:CreateGrant",

5
tests/integration/update_cluster/additionalobjects/data/aws_iam_role_policy_masters.additionalobjects.example.com_policy
View File

@ -198,8 +198,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

8
tests/integration/update_cluster/apiservernodes/data/aws_iam_role_policy_apiservers.minimal.example.com_policy
View File

@ -27,7 +27,13 @@
"ec2:DescribeRegions",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

5
tests/integration/update_cluster/apiservernodes/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

8
tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy
View File

@ -42,7 +42,13 @@
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -103,7 +103,13 @@
"ec2:DescribeVolumes",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

5
tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/cluster-autoscaler-priority-expander-custom/data/aws_iam_role_policy_masters.cas-priority-expander-custom.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/cluster-autoscaler-priority-expander/data/aws_iam_role_policy_masters.cas-priority-expander.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/containerd-custom/data/aws_iam_role_policy_masters.containerd.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/containerd/data/aws_iam_role_policy_masters.containerd.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/digit/data/aws_iam_role_policy_masters.123.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/external_dns/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

8
tests/integration/update_cluster/external_dns_irsa/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy
View File

@ -42,7 +42,13 @@
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/external_dns_irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -103,7 +103,13 @@
"ec2:DescribeVolumes",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

5
tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

8
tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy
View File

@ -42,7 +42,13 @@
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -103,7 +103,13 @@
"ec2:DescribeVolumes",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy
View File

@ -45,7 +45,13 @@
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -121,7 +121,13 @@
"ec2:UnassignPrivateIpAddresses",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy
View File

@ -45,7 +45,13 @@
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -121,7 +121,13 @@
"ec2:UnassignPrivateIpAddresses",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy
View File

@ -45,7 +45,13 @@
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -121,7 +121,13 @@
"ec2:UnassignPrivateIpAddresses",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy
View File

@ -45,7 +45,13 @@
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -121,7 +121,13 @@
"ec2:UnassignPrivateIpAddresses",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

5
tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -252,8 +252,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.many-addons.example.com_policy
View File

@ -252,8 +252,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-1.24/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -198,8 +198,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-1.25/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -198,8 +198,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-1.26/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -198,8 +198,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -198,8 +198,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -198,8 +198,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-1.29/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -198,8 +198,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-aws/data/aws_iam_role_policy_masters.minimal-aws.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-dns-none/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -168,8 +168,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-etcd/data/aws_iam_role_policy_masters.minimal-etcd.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
View File

@ -193,8 +193,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
View File

@ -193,8 +193,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-ipv6-no-subnet-prefix/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
View File

@ -193,8 +193,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
View File

@ -193,8 +193,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-longclustername/data/aws_iam_role_policy_masters.this.is.truly.a.really.really.long.cluster-name.m-kaamp9_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy
View File

@ -161,8 +161,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

8
tests/integration/update_cluster/minimal_gossip_irsa/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.k8s.local_policy
View File

@ -42,7 +42,13 @@
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/minimal_gossip_irsa/data/aws_iam_role_policy_masters.minimal.k8s.local_policy
View File

@ -73,7 +73,13 @@
"ec2:DescribeVolumes",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

5
tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

8
tests/integration/update_cluster/nth-imds-processor-irsa/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.nthimdsprocessor.lon-kfj86l_policy
View File

@ -42,7 +42,13 @@
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/nth-imds-processor-irsa/data/aws_iam_role_policy_masters.nthimdsprocessor.longclustername.example.com_policy
View File

@ -103,7 +103,13 @@
"ec2:DescribeVolumes",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

7
tests/integration/update_cluster/nth-imds-processor/data/aws_iam_role_policy_masters.nthimdsprocessor.longclustername.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateRandom"
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

5
tests/integration/update_cluster/nvidia/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
View File

@ -199,8 +199,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/privatecilium-eni/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
View File

@ -201,8 +201,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy
View File

@ -211,8 +211,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

8
tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy
View File

@ -42,7 +42,13 @@
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

8
tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -103,7 +103,13 @@
"ec2:DescribeVolumes",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:GenerateRandom"
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"

5
tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/shared_vpc_ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
View File

@ -193,8 +193,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],

5
tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -191,8 +191,13 @@
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*",
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],