Merge pull request #15145 from zetaab/rems3access

remove AWS S3 access from nodes if using none dns
2023-02-12 13:29:31 -08:00 · 2023-02-12 13:29:31 -08:00 · bd0a779287
parent c06874127a e7c4506e36
commit bd0a779287
2 changed files with 5 additions and 15 deletions
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@ -465,10 +465,12 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {

 	b.addNodeupPermissions(p, r.enableLifecycleHookPermissions)

+	if !b.Cluster.UsesNoneDNS() {
 		var err error
 		if p, err = b.AddS3Permissions(p); err != nil {
 			return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
 		}
+	}

 	if b.Cluster.Spec.IAM != nil && b.Cluster.Spec.IAM.AllowContainerRegistry {
 		addECRPermissions(p)
--- a/tests/integration/update_cluster/minimal-dns-none/data/aws_iam_role_policy_nodes.minimal.example.com_policy
+++ b/tests/integration/update_cluster/minimal-dns-none/data/aws_iam_role_policy_nodes.minimal.example.com_policy
@ -1,17 +1,5 @@
 {
  "Statement": [
-    {
-      "Action": [
-        "s3:GetBucketLocation",
-        "s3:GetEncryptionConfiguration",
-        "s3:ListBucket",
-        "s3:ListBucketVersions"
-      ],
-      "Effect": "Allow",
-      "Resource": [
-        "arn:aws-test:s3:::placeholder-read-bucket"
-      ]
-    },
    {
      "Action": [
        "autoscaling:DescribeAutoScalingInstances",