Add permission needed for service-linked role creation

Attempting to fix:
  - https://github.com/kubernetes/kops/issues/16218

by adding the permission needed for the AWS CCM to create a service-linked role for the Elastic Load Balancing (ELB) service.

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
Arnaud Meukam 2024-01-04 23:19:14 +01:00
parent 0300a3b858
commit ce340c6059
No known key found for this signature in database
GPG Key ID: E127D6541A5EBDDB
1 changed files with 2 additions and 1 deletions


@ -831,6 +831,7 @@ func AddCCMPermissions(p *Policy, cloudRoutes bool) {
"elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTargetHealth",
"iam:CreateServiceLinkedRole",
"kms:DescribeKey", "kms:DescribeKey",
) )
@ -884,7 +885,7 @@ func AddCCMPermissions(p *Policy, cloudRoutes bool) {
} }
} }
// AddAWSLoadbalancerControllerPermissions adds the permissions needed for the AWS Load Balancer Controller to the givnen policy // AddAWSLoadbalancerControllerPermissions adds the permissions needed for the AWS Load Balancer Controller to the given policy
func AddAWSLoadbalancerControllerPermissions(p *Policy, enableWAF, enableWAFv2, enableShield bool) { func AddAWSLoadbalancerControllerPermissions(p *Policy, enableWAF, enableWAFv2, enableShield bool) {
p.unconditionalAction.Insert( p.unconditionalAction.Insert(
"cognito-idp:DescribeUserPoolClient", "cognito-idp:DescribeUserPoolClient",
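Review bot: In the first hunk, `"iam:CreateServiceLinkedRole"` is inserted alongside the read-only `Describe*` actions with no visible restriction on which service the role may be created for. The Insert call and the start of AddCCMPermissions lie outside the hunk, so this is inferred, but if the list is the unconditional one then the CCM credentials can create a service-linked role for any AWS service. The commit message says only Elastic Load Balancing is needed, so the grant should be limited with a condition on `iam:AWSServiceName` equal to `elasticloadbalancing.amazonaws.com`, provided the Policy type can express a conditional statement. Either way, the line deserves a comment such as `// lets the CCM create the ELB service-linked role on first load balancer creation (issue 16218)`, so the reason for an IAM write action in this list is recorded.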