Consolidate IAM statements

2021-08-19 23:16:04 -05:00 · 2021-08-19 23:16:04 -05:00 · 67007e1a0a
parent 23a313758b
commit 67007e1a0a
1 changed files with 9 additions and 45 deletions
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@ -767,25 +767,17 @@ func addNodeupPermissions(p *Policy, enableHookSupport bool) {
 }

 func addEtcdManagerPermissions(p *Policy) {
-	resource := stringorslice.Slice([]string{"*"})
 	p.unconditionalAction.Insert(
 		"ec2:DescribeVolumes", // aws.go
 	)

 	p.Statement = append(p.Statement,
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Slice([]string{
-				"ec2:DescribeVolumes", // aws.go
-			}),
-			Resource: resource,
-		},
 		&Statement{
 			Effect: StatementEffectAllow,
 			Action: stringorslice.Of(
 				"ec2:AttachVolume",
 			),
-			Resource: resource,
+			Resource: stringorslice.Slice([]string{"*"}),
 			Condition: Condition{
 				"StringEquals": map[string]string{
 					"aws:ResourceTag/k8s.io/role/master": "1",
@ -805,8 +797,6 @@ func AddLegacyCCMPermissions(p *Policy) {
 }

 func AddCCMPermissions(p *Policy, cloudRoutes bool) {
-	resource := stringorslice.Slice([]string{"*"})
-
 	p.unconditionalAction.Insert(
 		"autoscaling:DescribeAutoScalingGroups",
 		"autoscaling:DescribeTags",
@ -855,6 +845,13 @@ func AddCCMPermissions(p *Policy, cloudRoutes bool) {
 		"elasticloadbalancing:RegisterTargets",
 		"elasticloadbalancing:DeregisterTargets",
 		"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+		"elasticloadbalancing:CreateLoadBalancer",
+		"elasticloadbalancing:CreateLoadBalancerPolicy",
+		"elasticloadbalancing:CreateLoadBalancerListeners",
+		"ec2:CreateSecurityGroup",
+		"ec2:CreateVolume",
+		"elasticloadbalancing:CreateListener",
+		"elasticloadbalancing:CreateTargetGroup",
 	)

 	p.Statement = append(p.Statement,
@ -878,25 +875,6 @@ func AddCCMPermissions(p *Policy, cloudRoutes bool) {
 				},
 			},
 		},
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Of(
-				"elasticloadbalancing:CreateLoadBalancer",
-				"elasticloadbalancing:CreateLoadBalancerPolicy",
-				"elasticloadbalancing:CreateLoadBalancerListeners",
-				"ec2:CreateSecurityGroup",
-				"ec2:CreateVolume",
-				"elasticloadbalancing:CreateListener",
-				"elasticloadbalancing:CreateTargetGroup",
-			),
-			Resource: resource,
-
-			Condition: Condition{
-				"StringEquals": map[string]string{
-					"aws:RequestTag/KubernetesCluster": p.clusterName,
-				},
-			},
-		},
 	)
 	if cloudRoutes {
 		p.clusterTaggedAction.Insert(
@ -973,25 +951,12 @@ func AddAWSEBSCSIDriverPermissions(p *Policy, appendSnapshotPermissions bool) {
 		"ec2:ModifyVolume",            // aws.go
 		"ec2:ModifyInstanceAttribute", // aws.go
 		"ec2:AttachVolume",            // aws.go
+		"ec2:CreateVolume",            // aws.go
 		"ec2:DeleteVolume",            // aws.go
 		"ec2:DetachVolume",            // aws.go
 	)

 	p.Statement = append(p.Statement,
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Slice([]string{
-				"ec2:CreateVolume", // aws.go
-			}),
-
-			Resource: stringorslice.String("*"),
-			Condition: Condition{
-				"StringEquals": map[string]string{
-					"aws:RequestTag/KubernetesCluster": p.clusterName,
-				},
-			},
-		},
-
 		&Statement{
 			Effect: StatementEffectAllow,
 			Action: stringorslice.String(
@ -1042,7 +1007,6 @@ func addSnapshotPersmissions(p *Policy) {
 	p.clusterTaggedAction.Insert(
 		"ec2:DeleteSnapshot",
 	)
-
 }

 // AddDNSControllerPermissions adds IAM permissions used by the dns-controller.