diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index 56361beb68..0c3655e907 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go @@ -31,7 +31,6 @@ import ( "fmt" "io" "sort" - "strconv" "strings" "github.com/golang/glog" @@ -77,7 +76,6 @@ type Condition map[string]interface{} // Statement is an AWS IAM Policy Statement Object: // http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Statement type Statement struct { - Sid string Effect StatementEffect Action stringorslice.StringOrSlice Resource stringorslice.StringOrSlice @@ -237,7 +235,6 @@ func (b *PolicyBuilder) BuildAWSPolicyBastion() (*Policy, error) { // Bastion hosts currently don't require any specific permissions. // A trivial permission is granted, because empty policies are not allowed. p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sBastion", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"ec2:DescribeRegions"}), Resource: resource, @@ -305,7 +302,7 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) { sort.Strings(roots) - for i, root := range roots { + for _, root := range roots { vfsPath, err := vfs.Context.BuildVfsPath(root) if err != nil { return nil, fmt.Errorf("cannot parse VFS path %q: %v", root, err) @@ -315,15 +312,7 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) { iamS3Path := s3Path.Bucket() + "/" + s3Path.Key() iamS3Path = strings.TrimSuffix(iamS3Path, "/") - sidSuffix := "" - if len(roots) > 1 { - // Avoid collisions with multiple buckets - // Sids are limited to A-Z,a-z,0-9 - sidSuffix = strconv.Itoa(i) - } - p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sS3GetListBucket" + sidSuffix, Effect: StatementEffectAllow, Action: stringorslice.Of("s3:GetBucketLocation", "s3:ListBucket"), Resource: stringorslice.Slice([]string{ 
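Review bot: Dropping `Sid` from `Statement` silently discards any `"Sid"` present in JSON that is decoded into this type, and it removes the per-statement labels an operator uses when auditing a generated policy, yet the struct carries no comment recording that this is deliberate. The fixtures show the old field also serialised as `"Sid": ""` for statements that never set one, so the removal fixes an inconsistency as well as the collision-avoidance burden. I would add above `Effect`: `// Sid is intentionally not modelled: generated Sids had to be kept unique per statement and unset ones serialised as "Sid": "", so statements are identified by Action/Resource instead.` If this type is also used to parse operator-supplied policies (not visible here), that silent drop deserves a mention in the same comment.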
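Review bot: With the `sidSuffix` block gone, the `for _, root := range roots` loop in `AddS3Permissions` no longer says why it emits a full set of statements per root, and the removed comment was the only place that explained the multi-bucket case. A one-line comment before the first `p.Statement = append(...)` keeps that intent: `// One copy of each S3 statement per state-store root; the copies differ only in Resource.` The rest of `AddS3Permissions` continues outside this hunk.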
@@ -333,7 +322,6 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) { if b.Cluster.Spec.IAM.Legacy { p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sS3BucketFullAccess" + sidSuffix, Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"s3:*"}), Resource: stringorslice.Of( @@ -343,7 +331,6 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) { } else { if b.Role == kops.InstanceGroupRoleMaster { p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sS3MasterBucketFullGet" + sidSuffix, Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"s3:Get*"}), Resource: stringorslice.Of( @@ -352,7 +339,6 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) { }) } else if b.Role == kops.InstanceGroupRoleNode { p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sS3NodeBucketSelectiveGet" + sidSuffix, Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"s3:Get*"}), Resource: stringorslice.Of( @@ -372,7 +358,6 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) { // @check if kuberoute is enabled and permit access to the private key if b.Cluster.Spec.Networking.Kuberouter != nil { p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sS3NodeBucketGetKuberouter" + sidSuffix, Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"s3:Get*"}), Resource: stringorslice.Of( @@ -384,7 +369,6 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) { // @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default if b.Cluster.Spec.Networking.Calico != nil { p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sS3NodeBucketGetCalicoClient" + sidSuffix, Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"s3:Get*"}), Resource: stringorslice.Of( 
@@ -494,7 +478,6 @@ func addECRPermissions(p *Policy) { // a private logging pod or similar. // At this point we allow all regions with ECR, since ECR is region specific. p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sECR", Effect: StatementEffectAllow, Action: stringorslice.Of( "ecr:GetAuthorizationToken", @@ -518,7 +501,6 @@ func addRoute53Permissions(p *Policy, hostedZoneID string) { hostedZoneID = strings.TrimPrefix(hostedZoneID, "hostedzone/") p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sRoute53Change", Effect: StatementEffectAllow, Action: stringorslice.Of("route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets", @@ -527,7 +509,6 @@ func addRoute53Permissions(p *Policy, hostedZoneID string) { }) p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sRoute53GetChanges", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"route53:GetChange"}), Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}), @@ -535,7 +516,6 @@ func addRoute53Permissions(p *Policy, hostedZoneID string) { wildcard := stringorslice.Slice([]string{"*"}) p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sRoute53ListZones", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"route53:ListHostedZones"}), Resource: wildcard, @@ -545,7 +525,6 @@ func addRoute53Permissions(p *Policy, hostedZoneID string) { func addKMSIAMPolicies(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool) { if legacyIAM { p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sKMSEncryptedVolumesLegacyPerms", Effect: StatementEffectAllow, Action: stringorslice.Of( "kms:ListGrants", @@ -557,7 +536,6 @@ func addKMSIAMPolicies(p *Policy, resource stringorslice.StringOrSlice, legacyIA // TODO could use "kms:ViaService" Condition Key here? p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sKMSEncryptedVolumes", Effect: StatementEffectAllow, Action: stringorslice.Of( "kms:CreateGrant", 
@@ -572,9 +550,8 @@ func addKMSIAMPolicies(p *Policy, resource stringorslice.StringOrSlice, legacyIA } func addNodeEC2Policies(p *Policy, resource stringorslice.StringOrSlice) { - // Protokube makes a DescribeInstances call + // Protokube makes a DescribeInstances call, DescribeRegions when finding S3 State Bucket p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sEC2NodePerms", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"ec2:DescribeInstances", "ec2:DescribeRegions"}), Resource: resource, @@ -582,10 +559,10 @@ func addNodeEC2Policies(p *Policy, resource stringorslice.StringOrSlice) { } func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) { + // The legacy IAM policy grants full ec2 API access if legacyIAM { p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sEC2MasterPermsFullAccess", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"ec2:*"}), Resource: resource, @@ -606,7 +583,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac // Comments are which cloudprovider code file makes the call p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sEC2MasterPermsDescribeResources", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{ "ec2:DescribeInstances", // aws.go @@ -619,7 +595,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac Resource: resource, }, &Statement{ - Sid: "kopsK8sEC2MasterPermsAllResources", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{ "ec2:CreateSecurityGroup", // aws.go @@ -630,7 +605,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac Resource: resource, }, &Statement{ - Sid: "kopsK8sEC2MasterPermsTaggedResources", Effect: StatementEffectAllow, Action: stringorslice.Of( "ec2:AttachVolume", // aws.go 
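Review bot: The reworded comment in `addNodeEC2Policies` reads awkwardly and does not say why the statement is granted on the caller-supplied `resource` rather than narrowed. I would write `// Protokube calls ec2:DescribeInstances, and ec2:DescribeRegions when locating the S3 state bucket.` and, since EC2 Describe* actions generally do not support resource-level permissions, add `// These Describe calls cannot be resource-scoped; the caller is expected to pass "*".` — hedged, as the caller is not visible in this hunk.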
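Review bot: The new comment `// The legacy IAM policy grants full ec2 API access` in `addMasterEC2Policies` understates what the branch does and does not point the reader at the alternative. The statement below it is `ec2:*` on whatever `resource` is passed, selected by `Cluster.Spec.IAM.Legacy` (seen in the S3 hunk), so I would expand it to `// Legacy mode (Spec.IAM.Legacy) grants unrestricted ec2:* on the supplied resource; the non-legacy branch below enumerates the actions the cloud provider actually calls.` `addMasterEC2Policies` continues outside this hunk.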
@@ -656,7 +630,6 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, legac func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool) { if legacyIAM { p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sELBMasterPermsFullAccess", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{"elasticloadbalancing:*"}), Resource: resource, @@ -664,7 +637,6 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac } else { // Comments are which cloudprovider code file makes the call p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sELBMasterPermsRestrictive", Effect: StatementEffectAllow, Action: stringorslice.Of( "elasticloadbalancing:AddTags", // aws_loadbalancer.go @@ -688,7 +660,6 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac }) p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sNLBMasterPermsRestrictive", Effect: StatementEffectAllow, Action: stringorslice.Of( "ec2:DescribeVpcs", // aws_loadbalancer.go @@ -714,7 +685,6 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac func addMasterASPolicies(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) { if legacyIAM { p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sASMasterPerms", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{ "autoscaling:DescribeAutoScalingGroups", @@ -733,7 +703,6 @@ func addMasterASPolicies(p *Policy, resource stringorslice.StringOrSlice, legacy // TODO: Make optional only if using autoscalers p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sASMasterPermsAllResources", Effect: StatementEffectAllow, Action: stringorslice.Of( "autoscaling:DescribeAutoScalingGroups", // aws_instancegroups.go 
@@ -744,7 +713,6 @@ func addMasterASPolicies(p *Policy, resource stringorslice.StringOrSlice, legacy Resource: resource, }, &Statement{ - Sid: "kopsK8sASMasterPermsTaggedResources", Effect: StatementEffectAllow, Action: stringorslice.Of( "autoscaling:SetDesiredCapacity", // aws_manager.go @@ -765,7 +733,6 @@ func addMasterASPolicies(p *Policy, resource stringorslice.StringOrSlice, legacy func addCertIAMPolicies(p *Policy, resource stringorslice.StringOrSlice) { // TODO: Make optional only if using IAM SSL Certs on ELBs p.Statement = append(p.Statement, &Statement{ - Sid: "kopsMasterCertIAMPerms", Effect: StatementEffectAllow, Action: stringorslice.Of( "iam:ListServerCertificates", @@ -793,7 +760,6 @@ func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, le // Comments are which Romana component makes the call p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sEC2RomanaCNIMasterPermsAllResources", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{ "ec2:DescribeAvailabilityZones", // vpcrouter @@ -802,7 +768,6 @@ func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, le Resource: resource, }, &Statement{ - Sid: "kopsK8sEC2RomanaCNIMasterPermsTaggedResources", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{ "ec2:CreateRoute", // vpcrouter @@ -827,7 +792,6 @@ func addAmazonVPCCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, } else { p.Statement = append(p.Statement, &Statement{ - Sid: "kopsK8sEC2NodeAmazonVPCPerms", Effect: StatementEffectAllow, Action: stringorslice.Slice([]string{ "ec2:CreateNetworkInterface", diff --git a/pkg/model/iam/iam_builder_test.go b/pkg/model/iam/iam_builder_test.go index 58775fa3d9..02dadc47a8 100644 --- a/pkg/model/iam/iam_builder_test.go +++ b/pkg/model/iam/iam_builder_test.go 
@@ -39,18 +39,16 @@ func TestRoundTrip(t *testing.T) { Effect: StatementEffectAllow, Action: stringorslice.Of("ec2:DescribeRegions"), Resource: stringorslice.Of("*"), - Sid: "foo", }, - JSON: "{\"Sid\":\"foo\",\"Effect\":\"Allow\",\"Action\":\"ec2:DescribeRegions\",\"Resource\":\"*\"}", + JSON: "{\"Effect\":\"Allow\",\"Action\":\"ec2:DescribeRegions\",\"Resource\":\"*\"}", }, { IAM: &Statement{ Effect: StatementEffectDeny, Action: stringorslice.Of("ec2:DescribeRegions", "ec2:DescribeInstances"), Resource: stringorslice.Of("a", "b"), - Sid: "foo", }, - JSON: "{\"Sid\":\"foo\",\"Effect\":\"Deny\",\"Action\":[\"ec2:DescribeRegions\",\"ec2:DescribeInstances\"],\"Resource\":[\"a\",\"b\"]}", + JSON: "{\"Effect\":\"Deny\",\"Action\":[\"ec2:DescribeRegions\",\"ec2:DescribeInstances\"],\"Resource\":[\"a\",\"b\"]}", }, } for _, g := range grid { diff --git a/pkg/model/iam/tests/iam_builder_bastion.json b/pkg/model/iam/tests/iam_builder_bastion.json index af6d926ba3..9b9b4726a0 100644 --- a/pkg/model/iam/tests/iam_builder_bastion.json +++ b/pkg/model/iam/tests/iam_builder_bastion.json @@ -2,7 +2,6 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "kopsK8sBastion", "Effect": "Allow", "Action": [ "ec2:DescribeRegions" diff --git a/pkg/model/iam/tests/iam_builder_master_legacy.json b/pkg/model/iam/tests/iam_builder_master_legacy.json index c375621cd5..7cee097a73 100644 --- a/pkg/model/iam/tests/iam_builder_master_legacy.json +++ b/pkg/model/iam/tests/iam_builder_master_legacy.json @@ -2,7 +2,6 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "kopsK8sEC2MasterPermsFullAccess", "Effect": "Allow", "Action": [ "ec2:*" @@ -12,7 +11,6 @@ ] }, { - "Sid": "kopsK8sASMasterPerms", "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups", @@ -29,7 +27,6 @@ ] }, { - "Sid": "kopsK8sELBMasterPermsFullAccess", "Effect": "Allow", "Action": [ "elasticloadbalancing:*" 
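Review bot: `TestRoundTrip` now has no case that exercises JSON carrying a `"Sid"`, so nothing pins down that such input is accepted and re-encoded without it once the field is gone from `Statement`; encoding/json will drop it silently. If the grid also drives a JSON→Statement direction (the helper is outside this hunk, so I cannot tell), add a case with `JSON: "{\"Sid\":\"foo\",\"Effect\":\"Allow\",...}"` whose expected output omits `Sid`, making the drop a tested decision rather than an accident. `TestRoundTrip` begins before this hunk.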
@@ -39,7 +36,6 @@ ] }, { - "Sid": "kopsMasterCertIAMPerms", "Effect": "Allow", "Action": [ "iam:ListServerCertificates", @@ -50,7 +46,6 @@ ] }, { - "Sid": "kopsK8sS3GetListBucket", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", @@ -61,7 +56,6 @@ ] }, { - "Sid": "kopsK8sS3BucketFullAccess", "Effect": "Allow", "Action": [ "s3:*" @@ -69,7 +63,6 @@ "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" }, { - "Sid": "kopsK8sKMSEncryptedVolumesLegacyPerms", "Effect": "Allow", "Action": [ "kms:ListGrants", @@ -82,7 +75,6 @@ ] }, { - "Sid": "kopsK8sKMSEncryptedVolumes", "Effect": "Allow", "Action": [ "kms:CreateGrant", @@ -99,7 +91,6 @@ ] }, { - "Sid": "", "Effect": "Allow", "Action": [ "route53:ListHostedZones" @@ -109,7 +100,6 @@ ] }, { - "Sid": "kopsK8sECR", "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json index 53d9d4bebf..c1868a54c7 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict.json +++ b/pkg/model/iam/tests/iam_builder_master_strict.json @@ -2,7 +2,6 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "kopsK8sEC2MasterPermsDescribeResources", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", @@ -17,7 +16,6 @@ ] }, { - "Sid": "kopsK8sEC2MasterPermsAllResources", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup", @@ -30,7 +28,6 @@ ] }, { - "Sid": "kopsK8sEC2MasterPermsTaggedResources", "Effect": "Allow", "Action": [ "ec2:AttachVolume", @@ -52,7 +49,6 @@ } }, { - "Sid": "kopsK8sASMasterPermsAllResources", "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups", @@ -65,7 +61,6 @@ ] }, { - "Sid": "kopsK8sASMasterPermsTaggedResources", "Effect": "Allow", "Action": [ "autoscaling:SetDesiredCapacity", @@ -82,7 +77,6 @@ } }, { - "Sid": "kopsK8sELBMasterPermsRestrictive", "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags", 
@@ -107,7 +101,6 @@ ] }, { - "Sid": "kopsK8sNLBMasterPermsRestrictive", "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", @@ -130,7 +123,6 @@ ] }, { - "Sid": "kopsMasterCertIAMPerms", "Effect": "Allow", "Action": [ "iam:ListServerCertificates", @@ -141,7 +133,6 @@ ] }, { - "Sid": "kopsK8sS3GetListBucket", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", @@ -152,7 +143,6 @@ ] }, { - "Sid": "kopsK8sS3MasterBucketFullGet", "Effect": "Allow", "Action": [ "s3:Get*" @@ -160,7 +150,6 @@ "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" }, { - "Sid": "kopsK8sKMSEncryptedVolumes", "Effect": "Allow", "Action": [ "kms:CreateGrant", diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json index d297f754a4..36bf056902 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json @@ -2,7 +2,6 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "kopsK8sEC2MasterPermsDescribeResources", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", @@ -17,7 +16,6 @@ ] }, { - "Sid": "kopsK8sEC2MasterPermsAllResources", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup", @@ -30,7 +28,6 @@ ] }, { - "Sid": "kopsK8sEC2MasterPermsTaggedResources", "Effect": "Allow", "Action": [ "ec2:AttachVolume", @@ -52,7 +49,6 @@ } }, { - "Sid": "kopsK8sASMasterPermsAllResources", "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups", @@ -65,7 +61,6 @@ ] }, { - "Sid": "kopsK8sASMasterPermsTaggedResources", "Effect": "Allow", "Action": [ "autoscaling:SetDesiredCapacity", @@ -82,7 +77,6 @@ } }, { - "Sid": "kopsK8sELBMasterPermsRestrictive", "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags", @@ -107,7 +101,6 @@ ] }, { - "Sid": "kopsK8sNLBMasterPermsRestrictive", "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", 
@@ -130,7 +123,6 @@ ] }, { - "Sid": "kopsMasterCertIAMPerms", "Effect": "Allow", "Action": [ "iam:ListServerCertificates", @@ -141,7 +133,6 @@ ] }, { - "Sid": "kopsK8sS3GetListBucket", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", @@ -152,7 +143,6 @@ ] }, { - "Sid": "kopsK8sS3MasterBucketFullGet", "Effect": "Allow", "Action": [ "s3:Get*" @@ -160,7 +150,6 @@ "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" }, { - "Sid": "kopsK8sKMSEncryptedVolumes", "Effect": "Allow", "Action": [ "kms:CreateGrant", @@ -177,7 +166,6 @@ ] }, { - "Sid": "kopsK8sECR", "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", diff --git a/pkg/model/iam/tests/iam_builder_node_legacy.json b/pkg/model/iam/tests/iam_builder_node_legacy.json index 93a7f0ff58..1c330cbf37 100644 --- a/pkg/model/iam/tests/iam_builder_node_legacy.json +++ b/pkg/model/iam/tests/iam_builder_node_legacy.json @@ -2,7 +2,6 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "kopsK8sEC2NodePerms", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", @@ -13,7 +12,6 @@ ] }, { - "Sid": "kopsK8sS3GetListBucket", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", @@ -24,7 +22,6 @@ ] }, { - "Sid": "kopsK8sS3BucketFullAccess", "Effect": "Allow", "Action": [ "s3:*" @@ -32,7 +29,6 @@ "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" }, { - "Sid": "", "Effect": "Allow", "Action": [ "route53:ListHostedZones" @@ -42,7 +38,6 @@ ] }, { - "Sid": "kopsK8sECR", "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", diff --git a/pkg/model/iam/tests/iam_builder_node_strict.json b/pkg/model/iam/tests/iam_builder_node_strict.json index 5fedddd64e..1d28f2718a 100644 --- a/pkg/model/iam/tests/iam_builder_node_strict.json +++ b/pkg/model/iam/tests/iam_builder_node_strict.json @@ -2,7 +2,6 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "kopsK8sEC2NodePerms", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", 
@@ -13,7 +12,6 @@ ] }, { - "Sid": "kopsK8sS3GetListBucket", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", @@ -24,7 +22,6 @@ ] }, { - "Sid": "kopsK8sS3NodeBucketSelectiveGet", "Effect": "Allow", "Action": [ "s3:Get*" diff --git a/pkg/model/iam/tests/iam_builder_node_strict_ecr.json b/pkg/model/iam/tests/iam_builder_node_strict_ecr.json index 57668f218b..10053f1c0d 100644 --- a/pkg/model/iam/tests/iam_builder_node_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_node_strict_ecr.json @@ -2,7 +2,6 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "kopsK8sEC2NodePerms", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", @@ -13,7 +12,6 @@ ] }, { - "Sid": "kopsK8sS3GetListBucket", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", @@ -24,7 +22,6 @@ ] }, { - "Sid": "kopsK8sS3NodeBucketSelectiveGet", "Effect": "Allow", "Action": [ "s3:Get*" @@ -42,7 +39,6 @@ ] }, { - "Sid": "kopsK8sECR", "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", diff --git a/tests/integration/update_cluster/additional_user-data/cloudformation.json b/tests/integration/update_cluster/additional_user-data/cloudformation.json index 46ae0a850f..c3452f602f 100644 --- a/tests/integration/update_cluster/additional_user-data/cloudformation.json +++ b/tests/integration/update_cluster/additional_user-data/cloudformation.json @@ -629,8 +629,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sEC2MasterPermsFullAccess" + ] }, { "Action": [ @@ -646,8 +645,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sASMasterPerms" + ] }, { "Action": [ @@ -656,8 +654,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sELBMasterPermsFullAccess" + ] }, { "Action": [ @@ -667,8 +664,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsMasterCertIAMPerms" + ] }, { "Action": [ @@ -679,8 +675,7 @@ "Effect": "Allow", "Resource": [ "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ], - "Sid": "kopsK8sRoute53Change" + ] }, { "Action": [ 
@@ -689,8 +684,7 @@ "Effect": "Allow", "Resource": [ "arn:aws:route53:::change/*" - ], - "Sid": "kopsK8sRoute53GetChanges" + ] }, { "Action": [ @@ -699,8 +693,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sRoute53ListZones" + ] }, { "Action": [ @@ -709,8 +702,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "" + ] }, { "Action": [ @@ -725,8 +717,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sECR" + ] } ], "Version": "2012-10-17" @@ -752,8 +743,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sEC2NodePerms" + ] }, { "Action": [ @@ -764,8 +754,7 @@ "Effect": "Allow", "Resource": [ "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ], - "Sid": "kopsK8sRoute53Change" + ] }, { "Action": [ @@ -774,8 +763,7 @@ "Effect": "Allow", "Resource": [ "arn:aws:route53:::change/*" - ], - "Sid": "kopsK8sRoute53GetChanges" + ] }, { "Action": [ @@ -784,8 +772,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sRoute53ListZones" + ] }, { "Action": [ @@ -794,8 +781,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "" + ] }, { "Action": [ @@ -810,8 +796,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sECR" + ] } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json b/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json index 0740c6156f..d30a158435 100644 --- a/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json +++ b/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json @@ -629,8 +629,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sEC2MasterPermsFullAccess" + ] }, { "Action": [ @@ -646,8 +645,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sASMasterPerms" + ] }, { "Action": [ @@ -656,8 +654,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sELBMasterPermsFullAccess" + ] }, { "Action": [ 
@@ -667,8 +664,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsMasterCertIAMPerms" + ] }, { "Action": [ @@ -679,8 +675,7 @@ "Effect": "Allow", "Resource": [ "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ], - "Sid": "kopsK8sRoute53Change" + ] }, { "Action": [ @@ -689,8 +684,7 @@ "Effect": "Allow", "Resource": [ "arn:aws:route53:::change/*" - ], - "Sid": "kopsK8sRoute53GetChanges" + ] }, { "Action": [ @@ -699,8 +693,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sRoute53ListZones" + ] }, { "Action": [ @@ -709,8 +702,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "" + ] }, { "Action": [ @@ -725,8 +717,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sECR" + ] } ], "Version": "2012-10-17" @@ -752,8 +743,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sEC2NodePerms" + ] }, { "Action": [ @@ -764,8 +754,7 @@ "Effect": "Allow", "Resource": [ "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ], - "Sid": "kopsK8sRoute53Change" + ] }, { "Action": [ @@ -774,8 +763,7 @@ "Effect": "Allow", "Resource": [ "arn:aws:route53:::change/*" - ], - "Sid": "kopsK8sRoute53GetChanges" + ] }, { "Action": [ @@ -784,8 +772,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sRoute53ListZones" + ] }, { "Action": [ @@ -794,8 +781,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "" + ] }, { "Action": [ @@ -810,8 +796,7 @@ "Effect": "Allow", "Resource": [ "*" - ], - "Sid": "kopsK8sECR" + ] } ], "Version": "2012-10-17"