kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15145 from zetaab/rems3access 

remove AWS S3 access from nodes if using none dns
This commit is contained in:
Kubernetes Prow Robot 2023-02-12 13:29:31 -08:00 committed by GitHub
parent c06874127a e7c4506e36
commit bd0a779287
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/model/iam/iam_builder.go
View File

@ -465,10 +465,12 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
b.addNodeupPermissions(p, r.enableLifecycleHookPermissions) b.addNodeupPermissions(p, r.enableLifecycleHookPermissions)
if !b.Cluster.UsesNoneDNS() {
var err error var err error
if p, err = b.AddS3Permissions(p); err != nil { if p, err = b.AddS3Permissions(p); err != nil {
return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err) return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
} }
}
if b.Cluster.Spec.IAM != nil && b.Cluster.Spec.IAM.AllowContainerRegistry { if b.Cluster.Spec.IAM != nil && b.Cluster.Spec.IAM.AllowContainerRegistry {
addECRPermissions(p) addECRPermissions(p)

12
tests/integration/update_cluster/minimal-dns-none/data/aws_iam_role_policy_nodes.minimal.example.com_policy
View File

@ -1,17 +1,5 @@
{ {
"Statement": [ "Statement": [
{
"Action": [
"s3:GetBucketLocation",
"s3:GetEncryptionConfiguration",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": [
"arn:aws-test:s3:::placeholder-read-bucket"
]
},
{ {
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeAutoScalingInstances",