From c6f84a12dddea86b2ce26ad96137feb908e0d545 Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Mon, 19 Sep 2016 13:08:31 -0400
Subject: [PATCH] Support ECR roles on the master also Fix #467
---
 upup/pkg/fi/cloudup/iam_builder.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/upup/pkg/fi/cloudup/iam_builder.go b/upup/pkg/fi/cloudup/iam_builder.go
index c65f368678..d25a2648b3 100644
--- a/upup/pkg/fi/cloudup/iam_builder.go
+++ b/upup/pkg/fi/cloudup/iam_builder.go
@@ -72,7 +72,12 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
 Action: []string{"route53:*"},
 Resource: []string{"*"},
 })
+ }
+ {
+ // We provide ECR access on the nodes (naturally), but we also provide access on the master.
+ // We shouldn't be running lots of pods on the master, but it is perfectly reasonable to run
+ // a private logging pod or similar.
 p.Statement = append(p.Statement, &IAMStatement{
 Effect: IAMStatementEffectAllow,
 Action: []string{
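Review bot: The comment added at the top of the new bare `{` block says why the master gets ECR access but not how much, and the statement's `Action` list (and any `Resource`) continues outside the hunk, so the scope of the grant cannot be checked from here. Because the added `}` appears to close the preceding role-specific branch, the statement now seems to be appended for every role this builder handles, including the one that receives `route53:*` on `*` just above. I would confirm the list is limited to pull-only actions (for example `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:GetDownloadUrlForLayer`, `ecr:BatchGetImage`) and record that in the comment, e.g. `// Read-only (pull) ECR actions only; no push or repository-management rights are granted here.`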