kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11836 from olemarkus/no-policy-reconcile 

Don't reconcile roles and policies if a profile is provided
This commit is contained in:
Kubernetes Prow Robot 2021-06-26 11:29:23 -07:00 committed by GitHub
parent ada21a81cf dc79acb1bb
commit 2d75004e19
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 69 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

136
pkg/model/awsmodel/iam.go
View File

@ -279,15 +279,6 @@ func (b *IAMModelBuilder) roleKey(role iam.Subject) (string, bool) {
func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.ModelBuilderContext, shared bool) error { func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.ModelBuilderContext, shared bool) error {
roleKey, _ := b.roleKey(role) roleKey, _ := b.roleKey(role)
iamRole, err := b.buildIAMRole(role, iamName, c)
if err != nil {
return err
}
if err := b.buildIAMRolePolicy(role, iamName, iamRole, c); err != nil {
return err
}
{ {
// To minimize diff for easier code review // To minimize diff for easier code review
@ -297,79 +288,90 @@ func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.
Name: fi.String(iamName), Name: fi.String(iamName),
Lifecycle: b.Lifecycle, Lifecycle: b.Lifecycle,
Shared: fi.Bool(shared), Shared: fi.Bool(shared),
Tags: b.CloudTags(iamName, false), Tags: b.CloudTags(iamName, shared),
} }
c.AddTask(iamInstanceProfile) c.AddTask(iamInstanceProfile)
} }
{
iamInstanceProfileRole := &awstasks.IAMInstanceProfileRole{
Name: fi.String(iamName),
Lifecycle: b.Lifecycle,
InstanceProfile: iamInstanceProfile,
Role: iamRole,
}
c.AddTask(iamInstanceProfileRole)
}
// Create External Policy tasks
if !shared { if !shared {
var externalPolicies []string
if b.Cluster.Spec.ExternalPolicies != nil { // Create External Policy tasks
p := *(b.Cluster.Spec.ExternalPolicies) iamRole, err := b.buildIAMRole(role, iamName, c)
externalPolicies = append(externalPolicies, p[roleKey]...) if err != nil {
} return err
sort.Strings(externalPolicies)
name := fmt.Sprintf("%s-policyoverride", roleKey)
t := &awstasks.IAMRolePolicy{
Name: fi.String(name),
Lifecycle: b.Lifecycle,
Role: iamRole,
Managed: true,
ExternalPolicies: &externalPolicies,
} }
c.AddTask(t) {
} if err := b.buildIAMRolePolicy(role, iamName, iamRole, c); err != nil {
return err
}
{
iamInstanceProfileRole := &awstasks.IAMInstanceProfileRole{
Name: fi.String(iamName),
Lifecycle: b.Lifecycle,
// Generate additional policies if needed, and attach to existing role InstanceProfile: iamInstanceProfile,
if !shared { Role: iamRole,
additionalPolicy := "" }
if b.Cluster.Spec.AdditionalPolicies != nil { c.AddTask(iamInstanceProfileRole)
additionalPolicies := *(b.Cluster.Spec.AdditionalPolicies)
additionalPolicy = additionalPolicies[roleKey]
}
additionalPolicyName := "additional." + iamName
t := &awstasks.IAMRolePolicy{
Name: fi.String(additionalPolicyName),
Lifecycle: b.Lifecycle,
Role: iamRole,
}
if additionalPolicy != "" {
p, err := b.buildPolicy(additionalPolicy)
if err != nil {
return fmt.Errorf("additionalPolicy %q is invalid: %v", roleKey, err)
} }
policy, err := p.AsJSON() var externalPolicies []string
if err != nil {
return fmt.Errorf("error building IAM policy: %w", err) if b.Cluster.Spec.ExternalPolicies != nil {
p := *(b.Cluster.Spec.ExternalPolicies)
externalPolicies = append(externalPolicies, p[roleKey]...)
}
sort.Strings(externalPolicies)
name := fmt.Sprintf("%s-policyoverride", roleKey)
t := &awstasks.IAMRolePolicy{
Name: fi.String(name),
Lifecycle: b.Lifecycle,
Role: iamRole,
Managed: true,
ExternalPolicies: &externalPolicies,
} }
t.PolicyDocument = fi.NewStringResource(policy) c.AddTask(t)
} else {
t.PolicyDocument = fi.NewStringResource("")
} }
c.AddTask(t) // Generate additional policies if needed, and attach to existing role
{
additionalPolicy := ""
if b.Cluster.Spec.AdditionalPolicies != nil {
additionalPolicies := *(b.Cluster.Spec.AdditionalPolicies)
additionalPolicy = additionalPolicies[roleKey]
}
additionalPolicyName := "additional." + iamName
t := &awstasks.IAMRolePolicy{
Name: fi.String(additionalPolicyName),
Lifecycle: b.Lifecycle,
Role: iamRole,
}
if additionalPolicy != "" {
p, err := b.buildPolicy(additionalPolicy)
if err != nil {
return fmt.Errorf("additionalPolicy %q is invalid: %v", roleKey, err)
}
policy, err := p.AsJSON()
if err != nil {
return fmt.Errorf("error building IAM policy: %w", err)
}
t.PolicyDocument = fi.NewStringResource(policy)
} else {
t.PolicyDocument = fi.NewStringResource("")
}
c.AddTask(t)
}
} }
} }