iam_builder.go: ensure kube-router src/dst permissions

Aaron U'Ren 2024-03-30 22:19:01 -05:00
parent d3e4d74947
commit 821ab18649
No known key found for this signature in database
GPG Key ID: 3A160440911786EE
1 changed files with 10 additions and 0 deletions


@ -468,6 +468,10 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
addCalicoSrcDstCheckPermissions(p)
}
if b.Cluster.Spec.Networking.KubeRouter != nil {
addKubeRouterSrcDstCheckPermissions(p)
}
return p, nil
}
@ -769,6 +773,12 @@ func addCalicoSrcDstCheckPermissions(p *Policy) {
)
}
func addKubeRouterSrcDstCheckPermissions(p *Policy) {
p.unconditionalAction.Insert(
"ec2:ModifyInstanceAttribute",
)
}
func (b *PolicyBuilder) addNodeupPermissions(p *Policy, enableHookSupport bool) {
addCertIAMPolicies(p)
addKMSGenerateRandomPolicies(p)
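Review bot: `addKubeRouterSrcDstCheckPermissions` puts `ec2:ModifyInstanceAttribute` into `p.unconditionalAction`, which by its name appears to grant the action to every node without resource or condition scoping, and this action covers far more than the source/destination check (it also changes user data, security groups and instance type). Since node-role credentials are reachable from workloads unless instance metadata is blocked, the grant should be narrowed if the Policy type allows it, for example to instances carrying the cluster's tag or with a condition on the attribute being modified (`ec2:Attribute`) so that only SourceDestCheck can be changed. At minimum the helper needs a doc comment recording why the broad action is accepted, e.g. `// addKubeRouterSrcDstCheckPermissions lets kube-router disable the EC2 source/destination check; ec2:ModifyInstanceAttribute is not limited to that attribute.` Only the closing lines of `addCalicoSrcDstCheckPermissions` are visible as context, so whether it carries the same scope cannot be confirmed from this page, and `BuildAWSPolicy` starts outside the shown hunk.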