Add elasticloadbalancing:DeregisterTargets permission to master policy

Without this permission, controller-manager gets the following error: failed to ensure load balancer for service XXX: Error trying to deregister targets in target group: "AccessDenied: User: arn:aws:sts::XXX:assumed-role/masters... is not authorized to perform: elasticloadbalancing:DeregisterTargets on resource: arn:aws:elasticloadbalancing:XXX
2018-09-05 13:45:23 -04:00 · 2018-09-05 13:45:23 -04:00 · 8132073ad9
parent 66b9e0e8b0
commit 8132073ad9
3 changed files with 3 additions and 0 deletions
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@ -704,6 +704,7 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac
 				"elasticloadbalancing:CreateTargetGroup",                 // aws_loadbalancer.go
 				"elasticloadbalancing:DeleteListener",                    // aws_loadbalancer.go
 				"elasticloadbalancing:DeleteTargetGroup",                 // aws_loadbalancer.go
+				"elasticloadbalancing:DeregisterTargets",                 // aws_loadbalancer.go
 				"elasticloadbalancing:DescribeListeners",                 // aws_loadbalancer.go
 				"elasticloadbalancing:DescribeLoadBalancerPolicies",      // aws_loadbalancer.go
 				"elasticloadbalancing:DescribeTargetGroups",              // aws_loadbalancer.go
--- a/pkg/model/iam/tests/iam_builder_master_strict.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict.json
@ -110,6 +110,7 @@
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DeleteTargetGroup",
+        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeTargetGroups",
--- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
@ -110,6 +110,7 @@
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DeleteTargetGroup",
+        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeTargetGroups",