kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Always grant route53 ListHostedZones permission

This commit is contained in:
Justin Santa Barbara 2017-06-19 13:38:15 -04:00
parent 734289043a
commit 3c6689b5b0
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/model/iam/iam_builder.go
View File

@ -182,6 +182,8 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
if b.HostedZoneID != "" { if b.HostedZoneID != "" {
addRoute53Permissions(p, b.HostedZoneID) addRoute53Permissions(p, b.HostedZoneID)
} }
// dns-controller currently assumes it can list the hosted zones, even when using gossip
addRoute53ListHostedZonesPermission(p)
// For S3 IAM permissions, we grant permissions to subtrees. So find the parents; // For S3 IAM permissions, we grant permissions to subtrees. So find the parents;
// we don't need to grant mypath and mypath/child. // we don't need to grant mypath and mypath/child.
@ -279,7 +281,9 @@ func addRoute53Permissions(p *IAMPolicy, hostedZoneID string) {
Action: stringorslice.Slice([]string{"route53:GetChange"}), Action: stringorslice.Slice([]string{"route53:GetChange"}),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}), Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}),
}) })
}
func addRoute53ListHostedZonesPermission(p *IAMPolicy) {
wildcard := stringorslice.Slice([]string{"*"}) wildcard := stringorslice.Slice([]string{"*"})
p.Statement = append(p.Statement, &IAMStatement{ p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow, Effect: IAMStatementEffectAllow,