From cd247f0b3a48df8093aac1abb86912e42fb634f9 Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Thu, 17 Feb 2022 22:36:22 +0100
Subject: [PATCH] Add missing permissions to aws lbc for irsa

---
 pkg/model/iam/iam_builder.go | 59 ++++++++++----
 ....kube-system.sa.minimal.example.com_policy | 76 ++++++++++++++++++-
 ....kube-system.sa.minimal.example.com_policy | 76 ++++++++++++++++++-
 ....kube-system.sa.minimal.example.com_policy | 76 ++++++++++++++++++-
 ..._policy_masters.minimal.example.com_policy | 41 +++++++++-
 ..._policy_masters.minimal.example.com_policy | 41 +++++++++-
 6 files changed, 346 insertions(+), 23 deletions(-)

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 3d0ec13f71..c865e2db87 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -953,28 +953,61 @@ func AddCCMPermissions(p *Policy, cloudRoutes bool) {
 // AddAWSLoadbalancerControllerPermissions adds the permissions needed for the aws load balancer controller to the givnen policy
 func AddAWSLoadbalancerControllerPermissions(p *Policy) {
 	p.unconditionalAction.Insert(
-		"ec2:DescribeAvailabilityZones",
-		"ec2:DescribeNetworkInterfaces",
-		"elasticloadbalancing:DescribeTags",
-		"elasticloadbalancing:DescribeTargetGroupAttributes",
-		"elasticloadbalancing:DescribeRules",
-		"elasticloadbalancing:DescribeTargetHealth",
-		"elasticloadbalancing:DescribeListenerCertificates",
-		"elasticloadbalancing:CreateRule",
-		"acm:ListCertificates",
 		"acm:DescribeCertificate",
+		"acm:ListCertificates",
+
+		"ec2:DescribeAvailabilityZones",
+		"ec2:DescribeInstances",
+		"ec2:DescribeInternetGateways",
+		"ec2:DescribeNetworkInterfaces",
+		"ec2:DescribeSubnets",
+		"ec2:DescribeSecurityGroups",
+		"ec2:DescribeVpcs",
+		"ec2:DescribeAccountAttributes",
+
+		"elasticloadbalancing:DescribeListeners",
+		"elasticloadbalancing:DescribeListenerCertificates",
+		"elasticloadbalancing:DescribeLoadBalancers",
+		"elasticloadbalancing:DescribeLoadBalancerAttributes",
+		"elasticloadbalancing:DescribeRules",
+		"elasticloadbalancing:DescribeTags",
+		"elasticloadbalancing:DescribeTargetGroups",
+		"elasticloadbalancing:DescribeTargetGroupAttributes",
+		"elasticloadbalancing:DescribeTargetHealth",
 	)
 	p.clusterTaggedAction.Insert(
 		"ec2:AuthorizeSecurityGroupIngress", // aws.go
 		"ec2:DeleteSecurityGroup", // aws.go
 		"ec2:RevokeSecurityGroupIngress", // aws.go
-		"elasticloadbalancing:ModifyTargetGroupAttributes",
-		"elasticloadbalancing:ModifyRule",
-		"elasticloadbalancing:DeleteRule",
-		"elasticloadbalancing:AddTags",
+		"elasticloadbalancing:DeleteListener",
+		"elasticloadbalancing:DeleteLoadBalancer",
+		"elasticloadbalancing:DeleteTargetGroup",
+		"elasticloadbalancing:DeleteRule",
+		"elasticloadbalancing:DeregisterTargets",
+		"elasticloadbalancing:ModifyRule",
+		"elasticloadbalancing:ModifyTargetGroup",
+		"elasticloadbalancing:ModifyTargetGroupAttributes",
+		"elasticloadbalancing:RegisterTargets",
 		"elasticloadbalancing:RemoveTags",
+		"elasticloadbalancing:SetIpAddressType",
+		"elasticloadbalancing:SetSecurityGroups",
+		"elasticloadbalancing:SetSubnets",
+	)
+	p.clusterTaggedCreateAction.Insert(
+		"elasticloadbalancing:CreateListener",
+		"elasticloadbalancing:CreateLoadBalancer",
+		"elasticloadbalancing:CreateRule",
+		"elasticloadbalancing:CreateTargetGroup",
+	)
+	p.AddEC2CreateAction(
+		[]string{
+			"CreateSecurityGroup",
+		},
+		[]string{
+			"security-group",
+		},
 	)
 }
diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
index b2d55cb7f1..05493bee20 100644
--- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
+++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
@@ -1,16 +1,58 @@ { "Statement": [ + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", + "ec2:CreateAction": [ + "CreateSecurityGroup" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:security-group/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:security-group/*" + ] + }, { "Action": [ "acm:DescribeCertificate", "acm:ListCertificates", + "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", "ec2:DescribeNetworkInterfaces", - "elasticloadbalancing:CreateRule", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeListenerCertificates", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth" ], "Effect": "Allow", 
@@ -22,10 +64,19 @@ "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteRule", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:ModifyRule", + "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:RemoveTags" + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:SetIpAddressType", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets" ], "Condition": { "StringEquals": { @@ -34,6 +85,27 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateRule", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:CreateSecurityGroup", + "Effect": "Allow", + "Resource": "arn:aws-test:ec2:*:*:vpc/*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy index b2d55cb7f1..05493bee20 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy 
@@ -1,16 +1,58 @@ { "Statement": [ + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", + "ec2:CreateAction": [ + "CreateSecurityGroup" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:security-group/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:security-group/*" + ] + }, { "Action": [ "acm:DescribeCertificate", "acm:ListCertificates", + "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", "ec2:DescribeNetworkInterfaces", - "elasticloadbalancing:CreateRule", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeListenerCertificates", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth" ], "Effect": "Allow", 
@@ -22,10 +64,19 @@ "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteRule", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:ModifyRule", + "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:RemoveTags" + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:SetIpAddressType", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets" ], "Condition": { "StringEquals": { @@ -34,6 +85,27 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateRule", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:CreateSecurityGroup", + "Effect": "Allow", + "Resource": "arn:aws-test:ec2:*:*:vpc/*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy index b2d55cb7f1..05493bee20 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy 
@@ -1,16 +1,58 @@ { "Statement": [ + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", + "ec2:CreateAction": [ + "CreateSecurityGroup" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:security-group/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:security-group/*" + ] + }, { "Action": [ "acm:DescribeCertificate", "acm:ListCertificates", + "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", "ec2:DescribeNetworkInterfaces", - "elasticloadbalancing:CreateRule", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeListenerCertificates", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth" ], "Effect": "Allow", 
@@ -22,10 +64,19 @@ "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteRule", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:ModifyRule", + "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:RemoveTags" + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:SetIpAddressType", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets" ], "Condition": { "StringEquals": { @@ -34,6 +85,27 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateRule", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:CreateSecurityGroup", + "Effect": "Allow", + "Resource": "arn:aws-test:ec2:*:*:vpc/*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy index decd77a759..0b5dafc1cc 100644 --- a/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -163,6 +163,39 @@ "arn:aws-test:ec2:*:*:security-group/*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", + "ec2:CreateAction": [ + "CreateSecurityGroup" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:security-group/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:security-group/*" + ] + }, { "Action": [ "ec2:CreateTags" @@ -196,6 +229,7 @@ "ec2:DescribeAvailabilityZones", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", @@ -215,7 +249,6 @@ "ec2:UnassignPrivateIpAddresses", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListeners", @@ -271,8 +304,11 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:SetIpAddressType", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets" ], "Condition": { "StringEquals": { @@ -289,6 +325,7 @@ "ec2:CreateVolume", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup" ], "Condition": { 
diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy index a05762f9bc..4cec161122 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -163,6 +163,39 @@ "arn:aws-test:ec2:*:*:snapshot/*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", + "ec2:CreateAction": [ + "CreateSecurityGroup" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:security-group/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:security-group/*" + ] + }, { "Action": [ "ec2:CreateTags" @@ -196,6 +229,7 @@ "ec2:DescribeAvailabilityZones", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", @@ -215,7 +249,6 @@ "ec2:UnassignPrivateIpAddresses", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListeners", 
@@ -271,8 +304,11 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:SetIpAddressType", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets" ], "Condition": { "StringEquals": { @@ -289,6 +325,7 @@ "ec2:CreateVolume", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup" ], "Condition": {