diff --git a/pkg/model/awsmodel/iam.go b/pkg/model/awsmodel/iam.go index 09d945a0aa..5b19d36ca5 100644 --- a/pkg/model/awsmodel/iam.go +++ b/pkg/model/awsmodel/iam.go @@ -465,8 +465,9 @@ func (b *IAMModelBuilder) FindDeletions(context *fi.ModelBuilderContext, cloud f if fi.StringValue(tag.Key) == ownershipTag && fi.StringValue(tag.Value) == "owned" { if _, ok := context.Tasks["IAMRole/"+fi.StringValue(role.RoleName)]; !ok { context.AddTask(&awstasks.IAMRole{ - ID: role.RoleId, - Name: role.RoleName, + ID: role.RoleId, + Name: role.RoleName, + Lifecycle: b.Lifecycle, }) } } diff --git a/pkg/model/components/addonmanifests/BUILD.bazel b/pkg/model/components/addonmanifests/BUILD.bazel index 8623b02fd6..699a9b62d8 100644 --- a/pkg/model/components/addonmanifests/BUILD.bazel +++ b/pkg/model/components/addonmanifests/BUILD.bazel @@ -12,6 +12,7 @@ go_library( "//pkg/kubemanifest:go_default_library", "//pkg/model:go_default_library", "//pkg/model/components/addonmanifests/awsloadbalancercontroller:go_default_library", + "//pkg/model/components/addonmanifests/clusterautoscaler:go_default_library", "//pkg/model/components/addonmanifests/dnscontroller:go_default_library", "//pkg/model/iam:go_default_library", "//upup/pkg/fi:go_default_library", diff --git a/pkg/model/components/addonmanifests/clusterautoscaler/BUILD.bazel b/pkg/model/components/addonmanifests/clusterautoscaler/BUILD.bazel new file mode 100644 index 0000000000..4b859be5e7 --- /dev/null +++ b/pkg/model/components/addonmanifests/clusterautoscaler/BUILD.bazel @@ -0,0 +1,12 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library") + +go_library( + name = "go_default_library", + srcs = ["iam.go"], + importpath = "k8s.io/kops/pkg/model/components/addonmanifests/clusterautoscaler", + visibility = ["//visibility:public"], + deps = [ + "//pkg/model/iam:go_default_library", + "//vendor/k8s.io/apimachinery/pkg/types:go_default_library", + ], +) 
diff --git a/pkg/model/components/addonmanifests/clusterautoscaler/iam.go b/pkg/model/components/addonmanifests/clusterautoscaler/iam.go
new file mode 100644
index 0000000000..8e209a6922
--- /dev/null
+++ b/pkg/model/components/addonmanifests/clusterautoscaler/iam.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clusterautoscaler
+
+import (
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/kops/pkg/model/iam"
+)
+
+// ServiceAccount represents the service-account used by the dns-controller.
+// It implements iam.Subject to get AWS IAM permissions.
+type ServiceAccount struct {
+}
+
+var _ iam.Subject = &ServiceAccount{}
+
+// BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role.
+func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) {
+ p := &iam.Policy{
+ Version: iam.PolicyDefaultVersion,
+ }
+
+ iam.AddClusterAutoscalerPermissions(p, b.Cluster.ObjectMeta.Name)
+
+ return p, nil
+}
+
+// ServiceAccount returns the kubernetes service account used.
+func (r *ServiceAccount) ServiceAccount() (types.NamespacedName, bool) {
+ return types.NamespacedName{
+ Namespace: "kube-system",
+ Name: "cluster-autoscaler",
+ }, true
+}
diff --git a/pkg/model/components/addonmanifests/remap.go b/pkg/model/components/addonmanifests/remap.go
index 4be666d069..7e9d8472d0 100644
--- a/pkg/model/components/addonmanifests/remap.go
+++ b/pkg/model/components/addonmanifests/remap.go
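Review bot: The doc comment on `ServiceAccount` in the new clusterautoscaler/iam.go says it is the service account "used by the dns-controller", which looks carried over from the dnscontroller package; it should read `// ServiceAccount represents the service-account used by the cluster-autoscaler.` This type is what binds an AWS role to `kube-system/cluster-autoscaler`, so the comment is what someone auditing who may call `autoscaling:SetDesiredCapacity` and `autoscaling:TerminateInstanceInAutoScalingGroup` will read first. `BuildAWSPolicy` also passes `b.Cluster.ObjectMeta.Name`, while the master-role call site in this commit passes `b.Cluster.GetName()`; using the accessor in both places makes it obvious that the tag-condition value is the same string.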
@@ -29,6 +29,7 @@ import ( "k8s.io/kops/pkg/kubemanifest" "k8s.io/kops/pkg/model" "k8s.io/kops/pkg/model/components/addonmanifests/awsloadbalancercontroller" + "k8s.io/kops/pkg/model/components/addonmanifests/clusterautoscaler" "k8s.io/kops/pkg/model/components/addonmanifests/dnscontroller" "k8s.io/kops/pkg/model/iam" "k8s.io/kops/upup/pkg/fi" @@ -119,6 +120,8 @@ func getWellknownServiceAccount(name string) iam.Subject { switch name { case "aws-load-balancer-controller": return &awsloadbalancercontroller.ServiceAccount{} + case "cluster-autoscaler": + return &clusterautoscaler.ServiceAccount{} default: return nil } diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index b7d2f82ea4..83542a0549 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go @@ -310,6 +310,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { if b.Cluster.Spec.AWSLoadBalancerController != nil && fi.BoolValue(b.Cluster.Spec.AWSLoadBalancerController.Enabled) { AddAWSLoadbalancerControllerPermissions(p, resource, b.Cluster.GetName()) } + AddClusterAutoscalerPermissions(p, b.Cluster.GetName()) } if b.Cluster.Spec.IAM.AllowContainerRegistry { 
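Review bot: The new `case "cluster-autoscaler":` in `getWellknownServiceAccount` selects the IAM subject from the bare service-account name, while the subject itself declares `kube-system/cluster-autoscaler` as its identity. The caller is outside this hunk, so it is not visible whether the namespace of the manifest object is compared before the role is attached. If it is not, a comment on the function such as `// name is matched without namespace; callers must only pass objects from kube-system addon manifests` would record the assumption the role mapping depends on.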
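Review bot: In `NodeRoleMaster.BuildAWSPolicy`, `AddClusterAutoscalerPermissions(p, b.Cluster.GetName())` is called unconditionally inside the enclosing block, whereas the load-balancer-controller grant directly above it is gated on the addon being enabled. If least privilege is the goal, the same shape would fit here, assuming the spec field is available at this point: `if b.Cluster.Spec.ClusterAutoscaler != nil && fi.BoolValue(b.Cluster.Spec.ClusterAutoscaler.Enabled) {`. If the call is deliberately unconditional to keep what the master role had before, a one-line comment saying so would prevent a later reader from "fixing" it. The enclosing `if` opens outside the hunk; the aws-lb-controller fixture in this commit only loses the statement while the other master fixtures regain it, which suggests that condition decides whether the master role keeps these permissions.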
@@ -761,6 +762,34 @@ func AddAWSLoadbalancerControllerPermissions(p *Policy, resource stringorslice.S ) } +func AddClusterAutoscalerPermissions(p *Policy, clusterName string) { + resource := stringorslice.Slice([]string{"*"}) + p.Statement = append(p.Statement, + &Statement{ + Effect: StatementEffectAllow, + Action: stringorslice.Of( + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup", + ), + Resource: resource, + Condition: Condition{ + "StringEquals": map[string]string{ + "autoscaling:ResourceTag/KubernetesCluster": clusterName, + }, + }, + }, + &Statement{ + Effect: StatementEffectAllow, + Action: stringorslice.Of( + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + ), + Resource: resource, + }, + ) +} + func addSnapshotPersmissions(p *Policy, clusterName string) { p.Statement = append(p.Statement, &Statement{ Effect: StatementEffectAllow, @@ -988,20 +1017,6 @@ func addMasterASPolicies(p *Policy, resource stringorslice.StringOrSlice, cluste ), Resource: resource, }, - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Of( - "autoscaling:SetDesiredCapacity", // aws_manager.go - "autoscaling:TerminateInstanceInAutoScalingGroup", // aws_manager.go - "autoscaling:UpdateAutoScalingGroup", // aws_instancegroups.go - ), - Resource: resource, - Condition: Condition{ - "StringEquals": map[string]string{ - "autoscaling:ResourceTag/KubernetesCluster": clusterName, - }, - }, - }, &Statement{ Effect: StatementEffectAllow, Action: stringorslice.Of( diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json index 579d2b95a4..deea721e79 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict.json +++ b/pkg/model/iam/tests/iam_builder_master_strict.json 
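Review bot: `AddClusterAutoscalerPermissions` grants only `autoscaling:SetDesiredCapacity` and `autoscaling:TerminateInstanceInAutoScalingGroup` under the cluster-tag condition, but the statement removed from `addMasterASPolicies` in the next hunk also carried `autoscaling:UpdateAutoScalingGroup` (annotated `aws_instancegroups.go`). The updated fixtures show that action gone from the master role's tag-conditioned statement. Narrowing the role is welcome if nothing running with the master role still calls that action, but this should be confirmed, or the action kept in `addMasterASPolicies`, since the failure would only show up at runtime as an access-denied error. The exported function also has no doc comment; `// AddClusterAutoscalerPermissions appends the Auto Scaling statements cluster-autoscaler needs: mutating actions limited to groups tagged KubernetesCluster=clusterName, and read-only Describe* actions on all resources.` would record why the second statement carries no condition.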
@@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -232,6 +216,32 @@ "key-id-2", "key-id-3" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json index fc86068b3f..91151b9bb4 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -233,6 +217,32 @@ "key-id-3" ] }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ecr:GetAuthorizationToken", diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json index a06e473a18..687c2c3e7a 100644 --- a/tests/integration/update_cluster/apiservernodes/cloudformation.json +++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json @@ -1376,22 +1376,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -1492,6 +1476,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy index 2646478d1e..995741321a 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy index 7ccde89c37..bb9431d724 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy +++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index e67db40b71..a752e44b26 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json @@ -1673,22 +1673,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -1789,6 +1773,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy index 995063ce32..3571c6f1d6 100644 --- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy index 5965e02d36..e8d00339c1 100644 --- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy +++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy 
@@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "compress.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "compress.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index 1b730f84f0..d12a37412f 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json @@ -1056,22 +1056,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -1172,6 +1156,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "containerd.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index 1b730f84f0..d12a37412f 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json @@ -1056,22 +1056,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -1172,6 +1156,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "containerd.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index eb6d8bedf8..d09ab4ab0b 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json +++ b/tests/integration/update_cluster/docker-custom/cloudformation.json @@ -1056,22 +1056,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "docker.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -1172,6 +1156,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "docker.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy index dc44a5d210..3f622245eb 100644 --- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy +++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy 
@@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "existingsg.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "existingsg.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index c7ad765181..64f8ab5cf1 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json @@ -1072,22 +1072,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "externallb.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -1188,6 +1172,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "externallb.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy index b5ffb0f3eb..8884774a62 100644 --- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy +++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "externallb.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "externallb.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy index 31696f931b..ce5359117a 100644 --- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy +++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "externalpolicies.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "externalpolicies.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy index fc9b676988..0633c6d609 100644 --- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy +++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "ha.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "ha.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index 2646478d1e..f416945090 100644 --- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-etcd/cloudformation.json b/tests/integration/update_cluster/minimal-etcd/cloudformation.json index 33f5f67a4d..b2a8f3e9b6 100644 --- a/tests/integration/update_cluster/minimal-etcd/cloudformation.json +++ b/tests/integration/update_cluster/minimal-etcd/cloudformation.json 
@@ -1056,22 +1056,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -1172,6 +1156,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-gp3/cloudformation.json b/tests/integration/update_cluster/minimal-gp3/cloudformation.json index e92e2b7ba5..1180c5a994 100644 --- a/tests/integration/update_cluster/minimal-gp3/cloudformation.json +++ b/tests/integration/update_cluster/minimal-gp3/cloudformation.json @@ -1052,22 +1052,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -1168,6 +1152,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy
index 2646478d1e..f416945090 100644
--- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json
index 531c397286..0b8d956467 100644
--- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json
+++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json
@@ -1233,22 +1233,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -1349,6 +1333,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
index adb9ef0379..84f898a019 100644
--- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
+++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy
index 319673979f..a8c785cef4 100644
--- a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy
+++ b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "minimal-json.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "minimal-json.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/minimal/cloudformation.json b/tests/integration/update_cluster/minimal/cloudformation.json
index 68d959628b..8380a778ea 100644
--- a/tests/integration/update_cluster/minimal/cloudformation.json
+++ b/tests/integration/update_cluster/minimal/cloudformation.json
@@ -1056,22 +1056,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -1172,6 +1156,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy
index 2646478d1e..f416945090 100644
--- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy
index 56f476ec1d..83c1b36d2b 100644
--- a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy
+++ b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "minimal.k8s.local"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -197,6 +181,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "minimal.k8s.local"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json
index 442377e765..ce1a5f7480 100644
--- a/tests/integration/update_cluster/mixed_instances/cloudformation.json
+++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json
@@ -1769,22 +1769,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -1885,6 +1869,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
index e8ddf05448..a1c00db896 100644
--- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
+++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json
index 0061cb2af5..3a998b7d8d 100644
--- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json
+++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json
@@ -1770,22 +1770,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -1886,6 +1870,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
index e8ddf05448..a1c00db896 100644
--- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
+++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json
index f75b76defb..5e8298ef73 100644
--- a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json
+++ b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json
@@ -1166,22 +1166,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "nthsqsresources.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -1283,6 +1267,32 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "nthsqsresources.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy
index 84c58aa6f5..587575cf86 100644
--- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy
+++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "nthsqsresources.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -227,6 +211,32 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "nthsqsresources.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
index ecb39f663f..4fb7052531 100644
--- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json
+++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
@@ -1573,22 +1573,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -1689,6 +1673,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
index e5d5b1b0e5..401207a3bb 100644
--- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
index 0ac3400d3c..2dcf8ec008 100644
--- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json
index 313f11ff6c..ff5d9f5c32 100644
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json
@@ -1729,22 +1729,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecalico.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -1845,6 +1829,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "privatecalico.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
index c4f38aa648..e7acd8d6cb 100644
--- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
+++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecalico.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "privatecalico.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
index d12989a0ba..e099954d32 100644
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
+++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecanal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "privatecanal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json
index 1e1128fd08..626eba1573 100644
--- a/tests/integration/update_cluster/privatecilium/cloudformation.json
+++ b/tests/integration/update_cluster/privatecilium/cloudformation.json
@@ -1715,22 +1715,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -1831,6 +1815,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
index 9a4577e8de..6c2f7043e1 100644
--- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
+++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json
index 1e1128fd08..626eba1573 100644
--- a/tests/integration/update_cluster/privatecilium2/cloudformation.json
+++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json
@@ -1715,22 +1715,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -1831,6 +1815,32 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
index 9a4577e8de..6c2f7043e1 100644
--- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
@@ -110,22 +110,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "autoscaling:CompleteLifecycleAction",
@@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json index be57ba3349..be25c3aeb5 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json +++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json @@ -1748,22 +1748,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -1865,6 +1849,32 @@ "*" ] }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeSubnets", 
diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy index ed1d3fc73b..fe41ac713a 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -227,6 +211,32 @@ "*" ] }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeSubnets", diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy index 056650f2f6..fdb759a63e 100644 --- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy 
+++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatedns1.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "privatedns1.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy index 68f10706b6..a5e1e8479a 100644 --- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy +++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatedns2.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "privatedns2.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy index 161f707039..173f10b3a4 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy +++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateflannel.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "privateflannel.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy index 28db38ada8..99cf3e51d1 100644 --- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy +++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatekopeio.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "privatekopeio.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy index eba0d9ff13..b0a6a37eef 100644 --- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy +++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateweave.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "privateweave.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy index 2646478d1e..995741321a 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy index 3e0328074a..d7cb3d04d0 100644 --- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy +++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy 
@@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "sharedsubnet.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "sharedsubnet.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy index 6a3edc323e..5c16ec4483 100644 --- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy +++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "sharedvpc.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "sharedvpc.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy index 3ad7e0d048..b46dbcdd2e 100644 --- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy +++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "unmanaged.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", 
@@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "unmanaged.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy index 2646478d1e..f416945090 100644 --- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -110,22 +110,6 @@ "*" ] }, - { - "Action": [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:CompleteLifecycleAction", @@ -226,6 +210,32 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup" + ], + "Condition": { + "StringEquals": { + "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17" 
diff --git a/upup/models/cloudup/resources/addons/cluster-autoscaler.addons.k8s.io/k8s-1.15.yaml.template b/upup/models/cloudup/resources/addons/cluster-autoscaler.addons.k8s.io/k8s-1.15.yaml.template index ac24e6d538..5bcbf56057 100644 --- a/upup/models/cloudup/resources/addons/cluster-autoscaler.addons.k8s.io/k8s-1.15.yaml.template +++ b/upup/models/cloudup/resources/addons/cluster-autoscaler.addons.k8s.io/k8s-1.15.yaml.template @@ -264,11 +264,13 @@ spec: topologyKey: topology.kubernetes.io/zone priorityClassName: system-cluster-critical serviceAccountName: cluster-autoscaler + {{ if not UseServiceAccountIAM }} tolerations: - operator: "Exists" key: node-role.kubernetes.io/master nodeSelector: node-role.kubernetes.io/master: "" + {{ end }} containers: - image: {{ .Image }} name: cluster-autoscaler @@ -293,6 +295,9 @@ spec: - --new-pod-scale-up-delay={{ .NewPodScaleUpDelay }} - --stderrthreshold=info - --v=2 + env: + - name: AWS_REGION + value: {{ Region }} ports: - containerPort: 8085 protocol: TCP diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/BUILD.bazel b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/BUILD.bazel index 6548184c65..6d64242f35 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/BUILD.bazel +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/BUILD.bazel @@ -18,6 +18,7 @@ go_library( "//pkg/model/awsmodel:go_default_library", "//pkg/model/components/addonmanifests:go_default_library", "//pkg/model/components/addonmanifests/awsloadbalancercontroller:go_default_library", + "//pkg/model/components/addonmanifests/clusterautoscaler:go_default_library", "//pkg/model/components/addonmanifests/dnscontroller:go_default_library", "//pkg/model/iam:go_default_library", "//pkg/templates:go_default_library", diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go index cd8ca16541..bc8e3285bb 100644 
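Review bot: The `{{ if not UseServiceAccountIAM }}` guard around `tolerations` and `nodeSelector` in the first hunk of `k8s-1.15.yaml.template` has no comment saying why master pinning depends on the IAM mode. I would add a template comment above it, e.g. `{{/* Pinned to masters only while the pod relies on the master instance role; with service-account IAM it gets its own role */}}`. That reading is inferred from the new clusterautoscaler ServiceAccount subject in this commit, so it should be confirmed by the author. When the guard is false the rendered pod spec shows no node selection in this hunk, so the autoscaler may be scheduled onto a node group it manages itself; whether that is intended is not visible here.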
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go @@ -30,6 +30,7 @@ import ( "k8s.io/kops/pkg/model/awsmodel" "k8s.io/kops/pkg/model/components/addonmanifests" "k8s.io/kops/pkg/model/components/addonmanifests/awsloadbalancercontroller" + "k8s.io/kops/pkg/model/components/addonmanifests/clusterautoscaler" "k8s.io/kops/pkg/model/components/addonmanifests/dnscontroller" "k8s.io/kops/pkg/model/iam" "k8s.io/kops/pkg/templates" @@ -257,6 +258,9 @@ func (b *BootstrapChannelBuilder) Build(c *fi.ModelBuilderContext) error { } func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*channelsapi.Addons, error) { + + serviceAccountRoles := []iam.Subject{} + addons := &channelsapi.Addons{} addons.Kind = "Addons" addons.ObjectMeta.Name = "bootstrap" @@ -455,19 +459,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann // Generate dns-controller ServiceAccount IAM permissions if b.UseServiceAccountIAM() { - awsModelContext := &awsmodel.AWSModelContext{ - KopsModelContext: b.KopsModelContext, - } - - serviceAccountRoles := []iam.Subject{&dnscontroller.ServiceAccount{}} - for _, serviceAccountRole := range serviceAccountRoles { - iamModelBuilder := &awsmodel.IAMModelBuilder{AWSModelContext: awsModelContext, Lifecycle: b.Lifecycle, Cluster: b.Cluster} - - _, err := iamModelBuilder.BuildServiceAccountRoleTasks(serviceAccountRole, c) - if err != nil { - return nil, err - } - } + serviceAccountRoles = append(serviceAccountRoles, &dnscontroller.ServiceAccount{}) } } @@ -531,6 +523,11 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann }) } } + + if b.UseServiceAccountIAM() { + serviceAccountRoles = append(serviceAccountRoles, &clusterautoscaler.ServiceAccount{}) + } + } if b.Cluster.Spec.MetricsServer != nil && fi.BoolValue(b.Cluster.Spec.MetricsServer.Enabled) { 
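Review bot: `serviceAccountRoles := []iam.Subject{}` at the top of buildAddons (hunk `-257`) allocates an empty slice where the nil form works equally well for `append` and `range`, and it sits after a blank line directly following the opening brace. I would write `var serviceAccountRoles []iam.Subject` and give it a comment such as `// serviceAccountRoles collects the addon ServiceAccounts that need an IAM role; the role tasks are built once at the end of buildAddons.` The rest of buildAddons lies outside this hunk.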
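Review bot: The comment `// Generate dns-controller ServiceAccount IAM permissions` kept above the new `append` in hunk `-455` is stale, because the block now only queues the subject and the role tasks are built in the last hunk of this file. `// Queue the dns-controller ServiceAccount for IAM role generation` would match what the code does. The same applies to the aws-load-balancer-controller comment in hunk `-637`. The cluster-autoscaler `append` in hunk `-531` has no comment at all and leaves a blank line before the closing brace.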
@@ -637,19 +634,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann // Generate aws-load-balancer-controller ServiceAccount IAM permissions if b.UseServiceAccountIAM() { - awsModelContext := &awsmodel.AWSModelContext{ - KopsModelContext: b.KopsModelContext, - } - - serviceAccountRoles := []iam.Subject{&awsloadbalancercontroller.ServiceAccount{}} - for _, serviceAccountRole := range serviceAccountRoles { - iamModelBuilder := &awsmodel.IAMModelBuilder{AWSModelContext: awsModelContext, Lifecycle: b.Lifecycle, Cluster: b.Cluster} - - _, err := iamModelBuilder.BuildServiceAccountRoleTasks(serviceAccountRole, c) - if err != nil { - return nil, err - } - } + serviceAccountRoles = append(serviceAccountRoles, &awsloadbalancercontroller.ServiceAccount{}) } } @@ -1068,5 +1053,19 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann }) } + if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderAWS { + awsModelContext := &awsmodel.AWSModelContext{ + KopsModelContext: b.KopsModelContext, + } + + for _, serviceAccountRole := range serviceAccountRoles { + iamModelBuilder := &awsmodel.IAMModelBuilder{AWSModelContext: awsModelContext, Lifecycle: b.Lifecycle, Cluster: b.Cluster} + + _, err := iamModelBuilder.BuildServiceAccountRoleTasks(serviceAccountRole, c) + if err != nil { + return nil, err + } + } + } return addons, nil }
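Review bot: In the block added before `return addons, nil` (hunk `-1068`), `iamModelBuilder` is rebuilt on every iteration although none of its fields depend on `serviceAccountRole`; moving the same `iamModelBuilder := &awsmodel.IAMModelBuilder{` assignment above the `for` reads more clearly. The block is gated on `kops.CloudProviderAWS`, while the three appends are gated only on `b.UseServiceAccountIAM()`, so on any other provider the queued subjects are dropped without a trace. If that is the intent, a comment such as `// ServiceAccount IAM roles are only built for AWS; subjects queued on other providers are ignored` would make it explicit. buildAddons starts well before this hunk, so the other callers of the slice are only partly visible here.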