Use NewPolicy for the non-master roles

2021-07-01 09:17:10 +02:00 · 2021-07-01 09:17:10 +02:00 · 9885714957
parent 19833e6b73
commit 9885714957
21 changed files with 43 additions and 133 deletions
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@ -384,9 +384,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 	resource := createResource(b)

-	p := &Policy{
-		Version: PolicyDefaultVersion,
-	}
+	p := NewPolicy(b.Cluster.GetClusterName())

 	addNodeEC2Policies(p, resource)
 	addASLifecyclePolicies(p, resource, b.Cluster.GetName(), r.enableLifecycleHookPermissions)
@ -418,19 +416,11 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {

 // BuildAWSPolicy generates a custom policy for a bastion host.
 func (r *NodeRoleBastion) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
-	resource := createResource(b)
-
-	p := &Policy{
-		Version: PolicyDefaultVersion,
-	}
+	p := NewPolicy(b.Cluster.GetClusterName())

 	// Bastion hosts currently don't require any specific permissions.
 	// A trivial permission is granted, because empty policies are not allowed.
-	p.Statement = append(p.Statement, &Statement{
-		Effect:   StatementEffectAllow,
-		Action:   stringorslice.Slice([]string{"ec2:DescribeRegions"}),
-		Resource: resource,
-	})
+	p.unconditionalAction.Insert("ec2:DescribeRegions")

 	return p, nil
 }
--- a/pkg/model/iam/tests/iam_builder_bastion.json
+++ b/pkg/model/iam/tests/iam_builder_bastion.json
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_bastions.bastionuserdata.example.com_policy
+++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_bastions.bastionuserdata.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json
+++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
@ -1448,13 +1448,9 @@
        "PolicyDocument": {
          "Statement": [
            {
-              "Action": [
-                "ec2:DescribeRegions"
-              ],
+              "Action": "ec2:DescribeRegions",
              "Effect": "Allow",
-              "Resource": [
-                "*"
-              ]
+              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
--- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_bastions.private-shared-ip.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_bastions.private-shared-ip.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_bastions.private-shared-subnet.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_bastions.private-shared-subnet.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json
@ -1604,13 +1604,9 @@
        "PolicyDocument": {
          "Statement": [
            {
-              "Action": [
-                "ec2:DescribeRegions"
-              ],
+              "Action": "ec2:DescribeRegions",
              "Effect": "Allow",
-              "Resource": [
-                "*"
-              ]
+              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_bastions.privatecalico.example.com_policy
+++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_bastions.privatecalico.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_bastions.privatecanal.example.com_policy
+++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_bastions.privatecanal.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privatecilium/cloudformation.json
+++ b/tests/integration/update_cluster/privatecilium/cloudformation.json
@ -1590,13 +1590,9 @@
        "PolicyDocument": {
          "Statement": [
            {
-              "Action": [
-                "ec2:DescribeRegions"
-              ],
+              "Action": "ec2:DescribeRegions",
              "Effect": "Allow",
-              "Resource": [
-                "*"
-              ]
+              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_bastions.privatecilium.example.com_policy
+++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_bastions.privatecilium.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privatecilium2/cloudformation.json
+++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json
@ -1590,13 +1590,9 @@
        "PolicyDocument": {
          "Statement": [
            {
-              "Action": [
-                "ec2:DescribeRegions"
-              ],
+              "Action": "ec2:DescribeRegions",
              "Effect": "Allow",
-              "Resource": [
-                "*"
-              ]
+              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_bastions.privatecilium.example.com_policy
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_bastions.privatecilium.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
+++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
@ -1623,13 +1623,9 @@
        "PolicyDocument": {
          "Statement": [
            {
-              "Action": [
-                "ec2:DescribeRegions"
-              ],
+              "Action": "ec2:DescribeRegions",
              "Effect": "Allow",
-              "Resource": [
-                "*"
-              ]
+              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_bastions.privateciliumadvanced.example.com_policy
+++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_bastions.privateciliumadvanced.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_bastions.privatedns1.example.com_policy
+++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_bastions.privatedns1.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_bastions.privatedns2.example.com_policy
+++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_bastions.privatedns2.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_bastions.privateflannel.example.com_policy
+++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_bastions.privateflannel.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_bastions.privatekopeio.example.com_policy
+++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_bastions.privatekopeio.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_bastions.privateweave.example.com_policy
+++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_bastions.privateweave.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
--- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_bastions.unmanaged.example.com_policy
+++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_bastions.unmanaged.example.com_policy
@ -1,13 +1,9 @@
 {
  "Statement": [
    {
-      "Action": [
-        "ec2:DescribeRegions"
-      ],
+      "Action": "ec2:DescribeRegions",
      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
+      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"