Merge pull request #4958 from appvia/iam-remove-sids

Remove custom Statement IDs from IAM Policy Statements
This commit is contained in:
k8s-ci-robot 2018-05-09 18:37:54 -07:00 committed by GitHub
commit 827357ef0a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 35 additions and 149 deletions


@ -31,7 +31,6 @@ import (
"fmt"
"io"
"sort"
"strconv"
"strings"
"github.com/golang/glog"
@ -77,7 +76,6 @@ type Condition map[string]interface{}
// Statement is an AWS IAM Policy Statement Object:
// http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Statement
type Statement struct {
Sid string
Effect StatementEffect
Action stringorslice.StringOrSlice
Resource stringorslice.StringOrSlice
@ -237,7 +235,6 @@ func (b *PolicyBuilder) BuildAWSPolicyBastion() (*Policy, error) {
// Bastion hosts currently don't require any specific permissions.
// A trivial permission is granted, because empty policies are not allowed.
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sBastion",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"ec2:DescribeRegions"}),
Resource: resource,
@ -305,7 +302,7 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
sort.Strings(roots)
for i, root := range roots {
for _, root := range roots {
vfsPath, err := vfs.Context.BuildVfsPath(root)
if err != nil {
return nil, fmt.Errorf("cannot parse VFS path %q: %v", root, err)
@ -315,15 +312,7 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
iamS3Path := s3Path.Bucket() + "/" + s3Path.Key()
iamS3Path = strings.TrimSuffix(iamS3Path, "/")
sidSuffix := ""
if len(roots) > 1 {
// Avoid collisions with multiple buckets
// Sids are limited to A-Z,a-z,0-9
sidSuffix = strconv.Itoa(i)
}
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sS3GetListBucket" + sidSuffix,
Effect: StatementEffectAllow,
Action: stringorslice.Of("s3:GetBucketLocation", "s3:ListBucket"),
Resource: stringorslice.Slice([]string{
@ -333,7 +322,6 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
if b.Cluster.Spec.IAM.Legacy {
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sS3BucketFullAccess" + sidSuffix,
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"s3:*"}),
Resource: stringorslice.Of(
@ -343,7 +331,6 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
} else {
if b.Role == kops.InstanceGroupRoleMaster {
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sS3MasterBucketFullGet" + sidSuffix,
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"s3:Get*"}),
Resource: stringorslice.Of(
@ -352,7 +339,6 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
})
} else if b.Role == kops.InstanceGroupRoleNode {
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sS3NodeBucketSelectiveGet" + sidSuffix,
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"s3:Get*"}),
Resource: stringorslice.Of(
@ -372,7 +358,6 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
// @check if kuberoute is enabled and permit access to the private key
if b.Cluster.Spec.Networking.Kuberouter != nil {
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sS3NodeBucketGetKuberouter" + sidSuffix,
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"s3:Get*"}),
Resource: stringorslice.Of(
@ -384,7 +369,6 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
// @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default
if b.Cluster.Spec.Networking.Calico != nil {
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sS3NodeBucketGetCalicoClient" + sidSuffix,
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"s3:Get*"}),
Resource: stringorslice.Of(
@ -494,7 +478,6 @@ func addECRPermissions(p *Policy) {
// a private logging pod or similar.
// At this point we allow all regions with ECR, since ECR is region specific.
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sECR",
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"ecr:GetAuthorizationToken",
@ -518,7 +501,6 @@ func addRoute53Permissions(p *Policy, hostedZoneID string) {
hostedZoneID = strings.TrimPrefix(hostedZoneID, "hostedzone/")
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sRoute53Change",
Effect: StatementEffectAllow,
Action: stringorslice.Of("route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
@ -527,7 +509,6 @@ func addRoute53Permissions(p *Policy, hostedZoneID string) {
})
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sRoute53GetChanges",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:GetChange"}),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}),
@ -535,7 +516,6 @@ func addRoute53Permissions(p *Policy, hostedZoneID string) {
wildcard := stringorslice.Slice([]string{"*"})
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sRoute53ListZones",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:ListHostedZones"}),
Resource: wildcard,
@ -545,7 +525,6 @@ func addRoute53Permissions(p *Policy, hostedZoneID string) {
func addKMSIAMPolicies(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool) {
if legacyIAM {
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sKMSEncryptedVolumesLegacyPerms",
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"kms:ListGrants",
@ -557,7 +536,6 @@ func addKMSIAMPolicies(p *Policy, resource stringorslice.StringOrSlice, legacyIA
// TODO could use "kms:ViaService" Condition Key here?
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sKMSEncryptedVolumes",
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"kms:CreateGrant",
@ -572,9 +550,8 @@ func addKMSIAMPolicies(p *Policy, resource stringorslice.StringOrSlice, legacyIA
}
func addNodeEC2Policies(p *Policy, resource stringorslice.StringOrSlice) {
// Protokube makes a DescribeInstances call
// Protokube makes a DescribeInstances call, DescribeRegions when finding S3 State Bucket
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sEC2NodePerms",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"ec2:DescribeInstances", "ec2:DescribeRegions"}),
Resource: resource,
@ -582,10 +559,10 @@ func addNodeEC2Policies(p *Policy, resource stringorslice.StringOrSlice) {
}
func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) {
// The legacy IAM policy grants full ec2 API access
if legacyIAM {
p.Statement = append(p.Statement,
&Statement{
Sid: "kopsK8sEC2MasterPermsFullAccess",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"ec2:*"}),
Resource: resource,
@ -606,7 +583,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac
// Comments are which cloudprovider code file makes the call
p.Statement = append(p.Statement,
&Statement{
Sid: "kopsK8sEC2MasterPermsDescribeResources",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{
"ec2:DescribeInstances", // aws.go
@ -619,7 +595,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac
Resource: resource,
},
&Statement{
Sid: "kopsK8sEC2MasterPermsAllResources",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{
"ec2:CreateSecurityGroup", // aws.go
@ -630,7 +605,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac
Resource: resource,
},
&Statement{
Sid: "kopsK8sEC2MasterPermsTaggedResources",
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"ec2:AttachVolume", // aws.go
@ -656,7 +630,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac
func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool) {
if legacyIAM {
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sELBMasterPermsFullAccess",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"elasticloadbalancing:*"}),
Resource: resource,
@ -664,7 +637,6 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac
} else {
// Comments are which cloudprovider code file makes the call
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sELBMasterPermsRestrictive",
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"elasticloadbalancing:AddTags", // aws_loadbalancer.go
@ -688,7 +660,6 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac
})
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sNLBMasterPermsRestrictive",
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"ec2:DescribeVpcs", // aws_loadbalancer.go
@ -714,7 +685,6 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac
func addMasterASPolicies(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) {
if legacyIAM {
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sASMasterPerms",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{
"autoscaling:DescribeAutoScalingGroups",
@ -733,7 +703,6 @@ func addMasterASPolicies(p *Policy, resource stringorslice.StringOrSlice, legacy
// TODO: Make optional only if using autoscalers
p.Statement = append(p.Statement,
&Statement{
Sid: "kopsK8sASMasterPermsAllResources",
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"autoscaling:DescribeAutoScalingGroups", // aws_instancegroups.go
@ -744,7 +713,6 @@ func addMasterASPolicies(p *Policy, resource stringorslice.StringOrSlice, legacy
Resource: resource,
},
&Statement{
Sid: "kopsK8sASMasterPermsTaggedResources",
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"autoscaling:SetDesiredCapacity", // aws_manager.go
@ -765,7 +733,6 @@ func addMasterASPolicies(p *Policy, resource stringorslice.StringOrSlice, legacy
func addCertIAMPolicies(p *Policy, resource stringorslice.StringOrSlice) {
// TODO: Make optional only if using IAM SSL Certs on ELBs
p.Statement = append(p.Statement, &Statement{
Sid: "kopsMasterCertIAMPerms",
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"iam:ListServerCertificates",
@ -793,7 +760,6 @@ func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, le
// Comments are which Romana component makes the call
p.Statement = append(p.Statement,
&Statement{
Sid: "kopsK8sEC2RomanaCNIMasterPermsAllResources",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{
"ec2:DescribeAvailabilityZones", // vpcrouter
@ -802,7 +768,6 @@ func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, le
Resource: resource,
},
&Statement{
Sid: "kopsK8sEC2RomanaCNIMasterPermsTaggedResources",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{
"ec2:CreateRoute", // vpcrouter
@ -827,7 +792,6 @@ func addAmazonVPCCNIPermissions(p *Policy, resource stringorslice.StringOrSlice,
} else {
p.Statement = append(p.Statement,
&Statement{
Sid: "kopsK8sEC2NodeAmazonVPCPerms",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{
"ec2:CreateNetworkInterface",
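Review bot: Removing `Sid` from `Statement` (hunk at -77) also makes decoding lossy: if operator-supplied policy JSON is ever unmarshalled into this type (the parsing side is not in this diff, so I am inferring), any `Sid` the operator wrote is silently discarded before the policy is re-emitted, which is confusing during a policy audit even though the permissions granted are unchanged. The struct comment still points at the Statement element reference without saying the field is intentionally absent; I would add `// Sid is deliberately not modelled: kops does not emit one, and a Sid present in parsed input is dropped.` under the existing comment. Every other hunk in this file is the same mechanical removal; the only logic change is in AddS3Permissions, where dropping the `sidSuffix` block together with the loop index and the `strconv` import is consistent. The `Statement` struct and AddS3Permissions both continue outside their hunks.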


@ -39,18 +39,16 @@ func TestRoundTrip(t *testing.T) {
Effect: StatementEffectAllow,
Action: stringorslice.Of("ec2:DescribeRegions"),
Resource: stringorslice.Of("*"),
Sid: "foo",
},
JSON: "{\"Sid\":\"foo\",\"Effect\":\"Allow\",\"Action\":\"ec2:DescribeRegions\",\"Resource\":\"*\"}",
JSON: "{\"Effect\":\"Allow\",\"Action\":\"ec2:DescribeRegions\",\"Resource\":\"*\"}",
},
{
IAM: &Statement{
Effect: StatementEffectDeny,
Action: stringorslice.Of("ec2:DescribeRegions", "ec2:DescribeInstances"),
Resource: stringorslice.Of("a", "b"),
Sid: "foo",
},
JSON: "{\"Sid\":\"foo\",\"Effect\":\"Deny\",\"Action\":[\"ec2:DescribeRegions\",\"ec2:DescribeInstances\"],\"Resource\":[\"a\",\"b\"]}",
JSON: "{\"Effect\":\"Deny\",\"Action\":[\"ec2:DescribeRegions\",\"ec2:DescribeInstances\"],\"Resource\":[\"a\",\"b\"]}",
},
}
for _, g := range grid {
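Review bot: With both `Sid` cases removed, TestRoundTrip no longer exercises input JSON that carries a `Sid`; now that the field is gone from `Statement`, such input presumably decodes without error but loses the field, so the round trip is asymmetric for that shape and nothing pins that as intended. A decode-only case asserting that JSON with `"Sid":"foo"` parses to the same `Statement` as the Sid-less JSON would make the behaviour explicit rather than implicit. The table and the loop continue outside the hunk.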


@ -2,7 +2,6 @@
"Version": "2012-10-17",
"Statement": [
{
"Sid": "kopsK8sBastion",
"Effect": "Allow",
"Action": [
"ec2:DescribeRegions"


@ -2,7 +2,6 @@
"Version": "2012-10-17",
"Statement": [
{
"Sid": "kopsK8sEC2MasterPermsFullAccess",
"Effect": "Allow",
"Action": [
"ec2:*"
@ -12,7 +11,6 @@
]
},
{
"Sid": "kopsK8sASMasterPerms",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
@ -29,7 +27,6 @@
]
},
{
"Sid": "kopsK8sELBMasterPermsFullAccess",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:*"
@ -39,7 +36,6 @@
]
},
{
"Sid": "kopsMasterCertIAMPerms",
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
@ -50,7 +46,6 @@
]
},
{
"Sid": "kopsK8sS3GetListBucket",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
@ -61,7 +56,6 @@
]
},
{
"Sid": "kopsK8sS3BucketFullAccess",
"Effect": "Allow",
"Action": [
"s3:*"
@ -69,7 +63,6 @@
"Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*"
},
{
"Sid": "kopsK8sKMSEncryptedVolumesLegacyPerms",
"Effect": "Allow",
"Action": [
"kms:ListGrants",
@ -82,7 +75,6 @@
]
},
{
"Sid": "kopsK8sKMSEncryptedVolumes",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
@ -99,7 +91,6 @@
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones"
@ -109,7 +100,6 @@
]
},
{
"Sid": "kopsK8sECR",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",


@ -2,7 +2,6 @@
"Version": "2012-10-17",
"Statement": [
{
"Sid": "kopsK8sEC2MasterPermsDescribeResources",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
@ -17,7 +16,6 @@
]
},
{
"Sid": "kopsK8sEC2MasterPermsAllResources",
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
@ -30,7 +28,6 @@
]
},
{
"Sid": "kopsK8sEC2MasterPermsTaggedResources",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
@ -52,7 +49,6 @@
}
},
{
"Sid": "kopsK8sASMasterPermsAllResources",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
@ -65,7 +61,6 @@
]
},
{
"Sid": "kopsK8sASMasterPermsTaggedResources",
"Effect": "Allow",
"Action": [
"autoscaling:SetDesiredCapacity",
@ -82,7 +77,6 @@
}
},
{
"Sid": "kopsK8sELBMasterPermsRestrictive",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
@ -107,7 +101,6 @@
]
},
{
"Sid": "kopsK8sNLBMasterPermsRestrictive",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
@ -130,7 +123,6 @@
]
},
{
"Sid": "kopsMasterCertIAMPerms",
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
@ -141,7 +133,6 @@
]
},
{
"Sid": "kopsK8sS3GetListBucket",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
@ -152,7 +143,6 @@
]
},
{
"Sid": "kopsK8sS3MasterBucketFullGet",
"Effect": "Allow",
"Action": [
"s3:Get*"
@ -160,7 +150,6 @@
"Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*"
},
{
"Sid": "kopsK8sKMSEncryptedVolumes",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",


@ -2,7 +2,6 @@
"Version": "2012-10-17",
"Statement": [
{
"Sid": "kopsK8sEC2MasterPermsDescribeResources",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
@ -17,7 +16,6 @@
]
},
{
"Sid": "kopsK8sEC2MasterPermsAllResources",
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
@ -30,7 +28,6 @@
]
},
{
"Sid": "kopsK8sEC2MasterPermsTaggedResources",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
@ -52,7 +49,6 @@
}
},
{
"Sid": "kopsK8sASMasterPermsAllResources",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
@ -65,7 +61,6 @@
]
},
{
"Sid": "kopsK8sASMasterPermsTaggedResources",
"Effect": "Allow",
"Action": [
"autoscaling:SetDesiredCapacity",
@ -82,7 +77,6 @@
}
},
{
"Sid": "kopsK8sELBMasterPermsRestrictive",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
@ -107,7 +101,6 @@
]
},
{
"Sid": "kopsK8sNLBMasterPermsRestrictive",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
@ -130,7 +123,6 @@
]
},
{
"Sid": "kopsMasterCertIAMPerms",
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
@ -141,7 +133,6 @@
]
},
{
"Sid": "kopsK8sS3GetListBucket",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
@ -152,7 +143,6 @@
]
},
{
"Sid": "kopsK8sS3MasterBucketFullGet",
"Effect": "Allow",
"Action": [
"s3:Get*"
@ -160,7 +150,6 @@
"Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*"
},
{
"Sid": "kopsK8sKMSEncryptedVolumes",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
@ -177,7 +166,6 @@
]
},
{
"Sid": "kopsK8sECR",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",


@ -2,7 +2,6 @@
"Version": "2012-10-17",
"Statement": [
{
"Sid": "kopsK8sEC2NodePerms",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
@ -13,7 +12,6 @@
]
},
{
"Sid": "kopsK8sS3GetListBucket",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
@ -24,7 +22,6 @@
]
},
{
"Sid": "kopsK8sS3BucketFullAccess",
"Effect": "Allow",
"Action": [
"s3:*"
@ -32,7 +29,6 @@
"Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones"
@ -42,7 +38,6 @@
]
},
{
"Sid": "kopsK8sECR",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",


@ -2,7 +2,6 @@
"Version": "2012-10-17",
"Statement": [
{
"Sid": "kopsK8sEC2NodePerms",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
@ -13,7 +12,6 @@
]
},
{
"Sid": "kopsK8sS3GetListBucket",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
@ -24,7 +22,6 @@
]
},
{
"Sid": "kopsK8sS3NodeBucketSelectiveGet",
"Effect": "Allow",
"Action": [
"s3:Get*"


@ -2,7 +2,6 @@
"Version": "2012-10-17",
"Statement": [
{
"Sid": "kopsK8sEC2NodePerms",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
@ -13,7 +12,6 @@
]
},
{
"Sid": "kopsK8sS3GetListBucket",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
@ -24,7 +22,6 @@
]
},
{
"Sid": "kopsK8sS3NodeBucketSelectiveGet",
"Effect": "Allow",
"Action": [
"s3:Get*"
@ -42,7 +39,6 @@
]
},
{
"Sid": "kopsK8sECR",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",


@ -629,8 +629,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sEC2MasterPermsFullAccess"
]
},
{
"Action": [
@ -646,8 +645,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sASMasterPerms"
]
},
{
"Action": [
@ -656,8 +654,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sELBMasterPermsFullAccess"
]
},
{
"Action": [
@ -667,8 +664,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsMasterCertIAMPerms"
]
},
{
"Action": [
@ -679,8 +675,7 @@
"Effect": "Allow",
"Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
],
"Sid": "kopsK8sRoute53Change"
]
},
{
"Action": [
@ -689,8 +684,7 @@
"Effect": "Allow",
"Resource": [
"arn:aws:route53:::change/*"
],
"Sid": "kopsK8sRoute53GetChanges"
]
},
{
"Action": [
@ -699,8 +693,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sRoute53ListZones"
]
},
{
"Action": [
@ -709,8 +702,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": ""
]
},
{
"Action": [
@ -725,8 +717,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sECR"
]
}
],
"Version": "2012-10-17"
@ -752,8 +743,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sEC2NodePerms"
]
},
{
"Action": [
@ -764,8 +754,7 @@
"Effect": "Allow",
"Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
],
"Sid": "kopsK8sRoute53Change"
]
},
{
"Action": [
@ -774,8 +763,7 @@
"Effect": "Allow",
"Resource": [
"arn:aws:route53:::change/*"
],
"Sid": "kopsK8sRoute53GetChanges"
]
},
{
"Action": [
@ -784,8 +772,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sRoute53ListZones"
]
},
{
"Action": [
@ -794,8 +781,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": ""
]
},
{
"Action": [
@ -810,8 +796,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sECR"
]
}
],
"Version": "2012-10-17"


@ -629,8 +629,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sEC2MasterPermsFullAccess"
]
},
{
"Action": [
@ -646,8 +645,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sASMasterPerms"
]
},
{
"Action": [
@ -656,8 +654,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sELBMasterPermsFullAccess"
]
},
{
"Action": [
@ -667,8 +664,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsMasterCertIAMPerms"
]
},
{
"Action": [
@ -679,8 +675,7 @@
"Effect": "Allow",
"Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
],
"Sid": "kopsK8sRoute53Change"
]
},
{
"Action": [
@ -689,8 +684,7 @@
"Effect": "Allow",
"Resource": [
"arn:aws:route53:::change/*"
],
"Sid": "kopsK8sRoute53GetChanges"
]
},
{
"Action": [
@ -699,8 +693,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sRoute53ListZones"
]
},
{
"Action": [
@ -709,8 +702,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": ""
]
},
{
"Action": [
@ -725,8 +717,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sECR"
]
}
],
"Version": "2012-10-17"
@ -752,8 +743,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sEC2NodePerms"
]
},
{
"Action": [
@ -764,8 +754,7 @@
"Effect": "Allow",
"Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
],
"Sid": "kopsK8sRoute53Change"
]
},
{
"Action": [
@ -774,8 +763,7 @@
"Effect": "Allow",
"Resource": [
"arn:aws:route53:::change/*"
],
"Sid": "kopsK8sRoute53GetChanges"
]
},
{
"Action": [
@ -784,8 +772,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sRoute53ListZones"
]
},
{
"Action": [
@ -794,8 +781,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": ""
]
},
{
"Action": [
@ -810,8 +796,7 @@
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "kopsK8sECR"
]
}
],
"Version": "2012-10-17"