From a15957da2f801cf4e64836dc766a9017d52b65f8 Mon Sep 17 00:00:00 2001 From: Peter Rifel Date: Mon, 4 Jan 2021 20:26:25 -0600 Subject: [PATCH] IRSA - continue adding route53 permisions to masters These are needed by protokube to create the kops-controller DNS record to allow nodes to bootstrap. See these logs: https://storage.googleapis.com/kubernetes-jenkins/logs/e2e-kops-grid-scenario-public-jwks/1345956556562239488/artifacts/ip-172-20-48-1.sa-east-1.compute.internal/protokube.log ``` I0104 05:03:51.264472 6482 dnscache.go:74] querying all DNS zones (no cached results) I0104 05:03:51.264570 6482 route53.go:53] AWS request: route53 ListHostedZones W0104 05:03:51.389485 6482 dnscontroller.go:124] Unexpected error in DNS controller, will retry: error querying for zones: error querying for DNS zones: AccessDenied: User: arn:aws:sts::768319786644:assumed-role/masters.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io/i-05b1db10d1a5b8637 is not authorized to perform: route53:ListHostedZones ``` and the nodeup logs on nodes that couldn't join the cluster: ``` Jan 04 04:55:53.500187 ip-172-20-38-84 nodeup[2070]: W0104 04:55:53.500117 2070 executor.go:131] error running task "BootstrapClient/BootstrapClient" (9m52s remaining to succeed): Post "https://kops-controller.internal.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io:3988/bootstrap": dial tcp: lookup kops-controller.internal.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io on 127.0.0.53:53: no such host ``` --- pkg/model/iam/iam_builder.go | 8 ++--- ..._policy_masters.minimal.example.com_policy | 29 +++++++++++++++++++ 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index e2808fab7b..01de3cd3ff 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go @@ -257,12 +257,10 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys), b.Cluster.Spec.IAM.Legacy) } - if !b.UseServiceAccountIAM { - if b.Cluster.Spec.IAM.Legacy { - addLegacyDNSControllerPermissions(b, p) - } - AddDNSControllerPermissions(b, p) + if b.Cluster.Spec.IAM.Legacy { + addLegacyDNSControllerPermissions(b, p) } + AddDNSControllerPermissions(b, p) if b.Cluster.Spec.IAM.Legacy || b.Cluster.Spec.IAM.AllowContainerRegistry { addECRPermissions(p) diff --git a/tests/integration/update_cluster/public-jwks/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks/data/aws_iam_role_policy_masters.minimal.example.com_policy index 5fabb0ca67..47e801abe7 100644 --- a/tests/integration/update_cluster/public-jwks/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/public-jwks/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -135,6 +135,35 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] } ], "Version": "2012-10-17"