Allow filefs to be used to mock s3 policies

Ole Markus With 2021-07-01 15:00:38 +02:00
parent 2e4a1ae143
commit a98bfdb64f
1 changed files with 10 additions and 1 deletions


@ -498,11 +498,16 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
case *vfs.MemFSPath:
// Tests - we emulate the s3 permissions so that we can get an idea of the full policy
klog.Warningf("ignoring memfs path %q for IAM policy builder", vfsPath)
iamS3Path := "placeholder-read-bucket/" + path.Location()
b.buildS3GetStatements(p, iamS3Path)
s3Buckets.Insert("placeholder-read-bucket")
case *vfs.FSPath:
// tests - we emulate the s3 permissions so that we can get an idea of the full policy
iamS3path := "placeholder-read-bucket/" + strings.TrimPrefix(path.Path(), "file://")
b.buildS3GetStatements(p, iamS3path)
s3Buckets.Insert("placeholder-read-bucket")
case *vfs.VaultPath:
// Vault access needs to come from somewhere else
klog.Warningf("ignoring valult path %q for IAM policy builder", vfsPath)
@ -530,6 +535,10 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
iamS3Path := "placeholder-write-bucket/" + path.Location()
b.buildS3WriteStatements(p, iamS3Path)
s3Buckets.Insert("placeholder-write-bucket")
case *vfs.FSPath:
iamS3path := "placeholder-read-bucket/" + strings.TrimPrefix(path.Path(), "file://")
b.buildS3WriteStatements(p, iamS3path)
s3Buckets.Insert("placeholder-read-bucket")
default:
return nil, fmt.Errorf("unknown writeable path, can't apply IAM policy: %q", vfsPath)
}
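Review bot: The `*vfs.FSPath` case added to the writeable-path switch (second hunk) builds its write statements against `placeholder-read-bucket` and inserts that name into `s3Buckets`, while the MemFSPath case directly above it uses `placeholder-write-bucket`; this looks like a copy-paste from the read switch. As written, the emulated policy attaches write actions to the read placeholder, so output generated from it cannot show whether read and write scopes stay separate. I would change the two lines to `iamS3Path := "placeholder-write-bucket/" + strings.TrimPrefix(path.Path(), "file://")` and `s3Buckets.Insert("placeholder-write-bucket")`. Both FSPath cases are commented as test-only, but nothing visible in the hunks restricts them to tests, so a `klog.Warningf` like the one the MemFSPath read case has would make it visible if a real `file://` path ever reaches the IAM builder. `AddS3Permissions` starts and ends outside both hunks, so the surrounding loop and the later use of `s3Buckets` are not visible here.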