Support ECR roles on the master also

Fix #467
2016-09-19 13:08:31 -04:00 · 2016-09-19 13:08:31 -04:00 · c6f84a12dd
parent 04a7d74091
commit c6f84a12dd
1 changed files with 5 additions and 0 deletions
--- a/upup/pkg/fi/cloudup/iam_builder.go
+++ b/upup/pkg/fi/cloudup/iam_builder.go
@ -72,7 +72,12 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
 			Action:   []string{"route53:*"},
 			Resource: []string{"*"},
 		})
+	}

+	{
+		// We provide ECR access on the nodes (naturally), but we also provide access on the master.
+		// We shouldn't be running lots of pods on the master, but it is perfectly reasonable to run
+		// a private logging pod or similar.
 		p.Statement = append(p.Statement, &IAMStatement{
 			Effect: IAMStatementEffectAllow,
 			Action: []string{