Apply suggestions from code review

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
This commit is contained in:
Ole Markus With 2021-05-02 07:44:46 +02:00 committed by Ole Markus With
parent 6f8b3647cf
commit 6199174d78
4 changed files with 21 additions and 7 deletions


@ -1175,15 +1175,21 @@ spec:
description: AWS grants permissions to AWS resources.
properties:
inlinePolicy:
description: InlinePolicy is an IAM Policy that will
be attached inline to the IAM Role.
type: string
policyARNs:
description: PolicyARNs is a list of existing IAM Policies.
items:
type: string
type: array
type: object
name:
description: Name is the name of the Kubernetes ServiceAccount.
type: string
namespace:
description: Namespace is the namespace of the Kubernetes
ServiceAccount.
type: string
required:
- name


@ -220,7 +220,9 @@ type ServiceAccountIssuerDiscoveryConfig struct {
// ServiceAccountExternalPermissions grants a ServiceAccount permissions to external resources.
type ServiceAccountExternalPermission struct {
Name string `json:"name"`
// Name is the name of the Kubernetes ServiceAccount.
Name string `json:"name"`
// Namespace is the namespace of the Kubernetes ServiceAccount.
Namespace string `json:"namespace"`
// AWS grants permissions to AWS resources.
AWS *AWSPermission `json:"aws,omitempty"`
@ -228,8 +230,10 @@ type ServiceAccountExternalPermission struct {
// AWSPermission grants permissions to AWS resources.
type AWSPermission struct {
PolicyARNs []string `json:"policyARNs,omitempty"`
InlinePolicy string `json:"inlinePolicy,omitempty"`
// PolicyARNs is a list of existing IAM Policies.
PolicyARNs []string `json:"policyARNs,omitempty"`
// InlinePolicy is an IAM Policy that will be attached inline to the IAM Role.
InlinePolicy string `json:"inlinePolicy,omitempty"`
}
// NodeAuthorizationSpec is used to node authorization
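Review bot: The new comments on `InlinePolicy` and `PolicyARNs` in `AWSPermission` (and the identical ones in the second Go file below) do not say what the strings must contain, which matters because these values end up attached to an IAM Role and will be what operators look at when reviewing what a ServiceAccount is allowed to do. I would make the format explicit: `// PolicyARNs is a list of ARNs of existing IAM Policies that will be attached to the IAM Role.` and `// InlinePolicy is an IAM Policy document (presumably JSON, as for any inline policy) that will be attached inline to the IAM Role.`; please confirm the expected encoding against the code that consumes the field, which is not in this diff. Since the struct is duplicated across the two API packages, keep both copies of the wording identical so generated docs and the CRD description stay consistent.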


@ -219,7 +219,9 @@ type ServiceAccountIssuerDiscoveryConfig struct {
// ServiceAccountExternalPermissions grants a ServiceAccount permissions to external resources.
type ServiceAccountExternalPermission struct {
Name string `json:"name"`
// Name is the name of the Kubernetes ServiceAccount.
Name string `json:"name"`
// Namespace is the namespace of the Kubernetes ServiceAccount.
Namespace string `json:"namespace"`
// AWS grants permissions to AWS resources.
AWS *AWSPermission `json:"aws,omitempty"`
@ -227,8 +229,10 @@ type ServiceAccountExternalPermission struct {
// AWSPermission grants permissions to AWS resources.
type AWSPermission struct {
PolicyARNs []string `json:"policyARNs,omitempty"`
InlinePolicy string `json:"inlinePolicy,omitempty"`
// PolicyARNs is a list of existing IAM Policies.
PolicyARNs []string `json:"policyARNs,omitempty"`
// InlinePolicy is an IAM Policy that will be attached inline to the IAM Role.
InlinePolicy string `json:"inlinePolicy,omitempty"`
}
// NodeAuthorizationSpec is used to node authorization


@ -257,7 +257,7 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie
if spec.IAM != nil {
if len(spec.IAM.ServiceAccountExternalPermissions) > 0 {
if spec.ServiceAccountIssuerDiscovery == nil || !spec.ServiceAccountIssuerDiscovery.EnableAWSOIDCProvider {
allErrs = append(allErrs, field.Required(fieldPath.Child("serviceAccountIssuerDiscovery", "enableAWSOIDCProvider"), "serviceAccountExternalPermissions requires AWS OIDC Provider to be enabled"))
allErrs = append(allErrs, field.Forbidden(fieldPath.Child("iam", "serviceAccountExternalPermissions"), "serviceAccountExternalPermissions requires AWS OIDC Provider to be enabled"))
}
allErrs = append(allErrs, validateSAExternalPermissions(spec.IAM.ServiceAccountExternalPermissions, fieldPath.Child("iam", "serviceAccountExternalPermissions"))...)
}
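Review bot: The replacement `field.Forbidden` error now points at `iam.serviceAccountExternalPermissions`, but its message still talks about "AWS OIDC Provider" in prose rather than naming the field the user actually has to set, so the operator has to guess which knob enables it. Naming it directly keeps the error actionable: `allErrs = append(allErrs, field.Forbidden(fieldPath.Child("iam", "serviceAccountExternalPermissions"), "serviceAccountExternalPermissions requires serviceAccountIssuerDiscovery.enableAWSOIDCProvider to be true"))`. The remainder of validateClusterSpec, including where allErrs is declared and returned, is outside this hunk.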