diff --git a/pkg/model/components/addonmanifests/BUILD.bazel b/pkg/model/components/addonmanifests/BUILD.bazel index 82a5b03dbe..8efb85ce40 100644 --- a/pkg/model/components/addonmanifests/BUILD.bazel +++ b/pkg/model/components/addonmanifests/BUILD.bazel @@ -11,6 +11,7 @@ go_library( "//pkg/featureflag:go_default_library", "//pkg/kubemanifest:go_default_library", "//pkg/model:go_default_library", + "//pkg/model/components/addonmanifests/awscloudcontrollermanager:go_default_library", "//pkg/model/components/addonmanifests/awsebscsidriver:go_default_library", "//pkg/model/components/addonmanifests/awsloadbalancercontroller:go_default_library", "//pkg/model/components/addonmanifests/clusterautoscaler:go_default_library", diff --git a/pkg/model/components/addonmanifests/awscloudcontrollermanager/BUILD.bazel b/pkg/model/components/addonmanifests/awscloudcontrollermanager/BUILD.bazel new file mode 100644 index 0000000000..096c9015e5 --- /dev/null +++ b/pkg/model/components/addonmanifests/awscloudcontrollermanager/BUILD.bazel @@ -0,0 +1,12 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library") + +go_library( + name = "go_default_library", + srcs = ["iam.go"], + importpath = "k8s.io/kops/pkg/model/components/addonmanifests/awscloudcontrollermanager", + visibility = ["//visibility:public"], + deps = [ + "//pkg/model/iam:go_default_library", + "//vendor/k8s.io/apimachinery/pkg/types:go_default_library", + ], +) diff --git a/pkg/model/components/addonmanifests/awscloudcontrollermanager/iam.go b/pkg/model/components/addonmanifests/awscloudcontrollermanager/iam.go new file mode 100644 index 0000000000..c75654b6db --- /dev/null +++ b/pkg/model/components/addonmanifests/awscloudcontrollermanager/iam.go @@ -0,0 +1,46 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package awscloudcontrollermanager + +import ( + "k8s.io/apimachinery/pkg/types" + "k8s.io/kops/pkg/model/iam" +) + +// ServiceAccount represents the service-account used by the AWS Cloud Controller Manager. +// It implements iam.Subject to get AWS IAM permissions. +type ServiceAccount struct { +} + +var _ iam.Subject = &ServiceAccount{} + +// BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role. +func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) { + clusterName := b.Cluster.ObjectMeta.Name + p := iam.NewPolicy(clusterName) + iam.AddCCMPermissions(p, b.Cluster.Spec.Networking.Kubenet != nil) + iam.AddLegacyCCMPermissions(p) + return p, nil +} + +// ServiceAccount returns the kubernetes service account used. +func (r *ServiceAccount) ServiceAccount() (types.NamespacedName, bool) { + return types.NamespacedName{ + Namespace: "kube-system", + Name: "aws-cloud-controller-manager", + }, true +} diff --git a/pkg/model/components/addonmanifests/remap.go b/pkg/model/components/addonmanifests/remap.go index a2647e99dd..f52593e69f 100644 --- a/pkg/model/components/addonmanifests/remap.go +++ b/pkg/model/components/addonmanifests/remap.go @@ -28,6 +28,7 @@ import ( "k8s.io/kops/pkg/featureflag" "k8s.io/kops/pkg/kubemanifest" "k8s.io/kops/pkg/model" + "k8s.io/kops/pkg/model/components/addonmanifests/awscloudcontrollermanager" "k8s.io/kops/pkg/model/components/addonmanifests/awsebscsidriver" "k8s.io/kops/pkg/model/components/addonmanifests/awsloadbalancercontroller" "k8s.io/kops/pkg/model/components/addonmanifests/clusterautoscaler" @@ -123,6 +124,8 @@ func getWellknownServiceAccount(name string) iam.Subject { return &awsebscsidriver.ServiceAccount{} case "aws-node-termination-handler": return &nodeterminationhandler.ServiceAccount{} + case "aws-cloud-controller-manager": + return &awscloudcontrollermanager.ServiceAccount{} default: return nil } diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index 62789e9739..466f1993b4 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go @@ -315,8 +315,6 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { addEtcdManagerPermissions(p) addNodeupPermissions(p, false) - AddCCMPermissions(p, clusterName, b.Cluster.Spec.Networking.Kubenet != nil) - AddLegacyCCMPermissions(p) var err error if p, err = b.AddS3Permissions(p); err != nil { @@ -330,11 +328,22 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { // Protokube needs dns-controller permissions in instance role even if UseServiceAccountIAM. AddDNSControllerPermissions(b, p) + // If cluster does not use external CCM, the master IAM Role needs CCM permissions + if b.Cluster.Spec.ExternalCloudControllerManager == nil { + AddCCMPermissions(p, b.Cluster.Spec.Networking.Kubenet != nil) + AddLegacyCCMPermissions(p) + } + if !b.UseServiceAccountIAM { esc := b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled) AddAWSEBSCSIDriverPermissions(p, esc) + if b.Cluster.Spec.ExternalCloudControllerManager != nil { + AddCCMPermissions(p, b.Cluster.Spec.Networking.Kubenet != nil) + AddLegacyCCMPermissions(p) + } + if b.Cluster.Spec.AWSLoadBalancerController != nil && fi.BoolValue(b.Cluster.Spec.AWSLoadBalancerController.Enabled) { AddAWSLoadbalancerControllerPermissions(p) } @@ -764,6 +773,13 @@ func addEtcdManagerPermissions(p *Policy) { ) p.Statement = append(p.Statement, + &Statement{ + Effect: StatementEffectAllow, + Action: stringorslice.Slice([]string{ + "ec2:DescribeVolumes", // aws.go + }), + Resource: resource, + }, &Statement{ Effect: StatementEffectAllow, Action: stringorslice.Of( @@ -788,7 +804,7 @@ func AddLegacyCCMPermissions(p *Policy) { ) } -func AddCCMPermissions(p *Policy, clusterName string, cloudRoutes bool) { +func AddCCMPermissions(p *Policy, cloudRoutes bool) { resource := stringorslice.Slice([]string{"*"}) p.unconditionalAction.Insert( @@ -877,7 +893,7 @@ func AddCCMPermissions(p *Policy, clusterName string, cloudRoutes bool) { Condition: Condition{ "StringEquals": map[string]string{ - "aws:RequestTag/KubernetesCluster": clusterName, + "aws:RequestTag/KubernetesCluster": p.clusterName, }, }, }, diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json index 1add2a9d53..fe7305f330 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict.json +++ b/pkg/model/iam/tests/iam_builder_master_strict.json @@ -1,5 +1,14 @@ { "Statement": [ + { + "Action": [ + "ec2:DescribeVolumes" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "ec2:AttachVolume", "Condition": { @@ -13,6 +22,25 @@ "*" ] }, + { + "Action": [ + "s3:Get*" + ], + "Effect": "Allow", + "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" + }, + { + "Action": [ + "s3:GetBucketLocation", + "s3:GetEncryptionConfiguration", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::kops-tests" + ] + }, { "Action": "ec2:CreateTags", "Condition": { @@ -49,25 +77,6 @@ "*" ] }, - { - "Action": [ - "s3:Get*" - ], - "Effect": "Allow", - "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" - }, - { - "Action": [ - "s3:GetBucketLocation", - "s3:GetEncryptionConfiguration", - "s3:ListBucket", - "s3:ListBucketVersions" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::kops-tests" - ] - }, { "Action": [ "ec2:CreateVolume" diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json index 69a40d6701..ccb0f2f9d0 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json @@ -1,5 +1,14 @@ { "Statement": [ + { + "Action": [ + "ec2:DescribeVolumes" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "ec2:AttachVolume", "Condition": { @@ -13,6 +22,25 @@ "*" ] }, + { + "Action": [ + "s3:Get*" + ], + "Effect": "Allow", + "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" + }, + { + "Action": [ + "s3:GetBucketLocation", + "s3:GetEncryptionConfiguration", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::kops-tests" + ] + }, { "Action": "ec2:CreateTags", "Condition": { @@ -49,25 +77,6 @@ "*" ] }, - { - "Action": [ - "s3:Get*" - ], - "Effect": "Allow", - "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" - }, - { - "Action": [ - "s3:GetBucketLocation", - "s3:GetEncryptionConfiguration", - "s3:ListBucket", - "s3:ListBucketVersions" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::kops-tests" - ] - }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json index 63bbe64e70..ee4a9f4f1e 100644 --- a/tests/integration/update_cluster/apiservernodes/cloudformation.json +++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json @@ -1217,47 +1217,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1345,6 +1318,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy index eea06f2af1..1710195103 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy index fdd96cc0c7..9fa74f0fd2 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy +++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "bastionuserdata.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "bastionuserdata.example.com" + "aws:ResourceTag/KubernetesCluster": "bastionuserdata.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "bastionuserdata.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index f6c193d00a..ba2f5eddd8 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json @@ -1567,47 +1567,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "complex.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "complex.example.com" + "aws:ResourceTag/KubernetesCluster": "complex.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1695,6 +1668,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "complex.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy index c02543326e..20dace975a 100644 --- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "complex.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "complex.example.com" + "aws:ResourceTag/KubernetesCluster": "complex.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "complex.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy index 6a17f7cad3..158b689178 100644 --- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy +++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "compress.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "compress.example.com" + "aws:ResourceTag/KubernetesCluster": "compress.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "compress.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index da3c1d10a4..66e3b986ad 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json @@ -953,47 +953,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "containerd.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "containerd.example.com" + "aws:ResourceTag/KubernetesCluster": "containerd.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1081,6 +1054,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "containerd.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index da3c1d10a4..66e3b986ad 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json @@ -953,47 +953,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "containerd.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "containerd.example.com" + "aws:ResourceTag/KubernetesCluster": "containerd.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1081,6 +1054,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "containerd.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index a503c4cfb7..7c528fe0ee 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json +++ b/tests/integration/update_cluster/docker-custom/cloudformation.json @@ -953,47 +953,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "docker.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "docker.example.com" + "aws:ResourceTag/KubernetesCluster": "docker.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1081,6 +1054,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "docker.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy index 89dbba5c11..58e36080b7 100644 --- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy +++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "existingsg.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "existingsg.example.com" + "aws:ResourceTag/KubernetesCluster": "existingsg.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "existingsg.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index c8856e0202..b32f22e995 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json @@ -969,47 +969,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "externallb.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "externallb.example.com" + "aws:ResourceTag/KubernetesCluster": "externallb.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1097,6 +1070,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "externallb.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy index 7d7714d0a6..0a9cdd5020 100644 --- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy +++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "externallb.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "externallb.example.com" + "aws:ResourceTag/KubernetesCluster": "externallb.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "externallb.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy index 9f1dd20672..300f5b5462 100644 --- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy +++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "externalpolicies.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "externalpolicies.example.com" + "aws:ResourceTag/KubernetesCluster": "externalpolicies.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "externalpolicies.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy index 653d3db39f..9710d11557 100644 --- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy +++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "ha.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "ha.example.com" + "aws:ResourceTag/KubernetesCluster": "ha.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "ha.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index d5fddadc14..174cf75583 100644 --- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy index 970804c680..63f8b01dd7 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/minimal-etcd/cloudformation.json b/tests/integration/update_cluster/minimal-etcd/cloudformation.json index 7370f4c2a8..d80712f762 100644 --- a/tests/integration/update_cluster/minimal-etcd/cloudformation.json +++ b/tests/integration/update_cluster/minimal-etcd/cloudformation.json @@ -953,47 +953,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal-etcd.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-etcd.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal-etcd.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1081,6 +1054,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-etcd.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/minimal-gp3/cloudformation.json b/tests/integration/update_cluster/minimal-gp3/cloudformation.json index fe904898bb..f0fa333d02 100644 --- a/tests/integration/update_cluster/minimal-gp3/cloudformation.json +++ b/tests/integration/update_cluster/minimal-gp3/cloudformation.json @@ -949,47 +949,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1077,6 +1050,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy index d5fddadc14..174cf75583 100644 --- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json index 796df70185..9e9c78a20d 100644 --- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json @@ -1130,47 +1130,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1258,6 +1231,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index e8abd7551c..9b8491cb85 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy index 76b565d889..3278d4376a 100644 --- a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy +++ b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal-json.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-json.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal-json.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-json.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy index a30857d1b5..d21622ac5b 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-warmpool.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-warmpool.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/minimal/cloudformation.json b/tests/integration/update_cluster/minimal/cloudformation.json index 427b897259..9af123a782 100644 --- a/tests/integration/update_cluster/minimal/cloudformation.json +++ b/tests/integration/update_cluster/minimal/cloudformation.json @@ -953,47 +953,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1081,6 +1054,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy index d5fddadc14..174cf75583 100644 --- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy index 865f9a9252..8f2ab76bed 100644 --- a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy +++ b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.k8s.local", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.k8s.local" + "aws:ResourceTag/KubernetesCluster": "minimal.k8s.local", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -100,6 +73,42 @@ "arn:aws:s3:::placeholder-write-bucket" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.k8s.local" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index fe580bf7c8..32898f63a7 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json @@ -1672,47 +1672,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1800,6 +1773,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index 86fde89df7..50cde88e5a 100644 --- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json index 642a861788..4c60e0e430 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json @@ -1673,47 +1673,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1801,6 +1774,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index 86fde89df7..50cde88e5a 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json index 0726d181d4..fb09de86d0 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json +++ b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json @@ -1063,47 +1063,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "nthsqsresources.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "nthsqsresources.example.com" + "aws:ResourceTag/KubernetesCluster": "nthsqsresources.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1191,6 +1164,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "nthsqsresources.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy index 2cbd3c3f46..f5fc1f369f 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy +++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "nthsqsresources.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "nthsqsresources.example.com" + "aws:ResourceTag/KubernetesCluster": "nthsqsresources.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "nthsqsresources.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json index 4fe25a3a4b..d2dfb44be5 100644 --- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json +++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json @@ -1469,47 +1469,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com" + "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1597,6 +1570,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy index 3bcc3285d2..1c45df2ffb 100644 --- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy +++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com" + "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy index 053290b563..75a3ffc794 100644 --- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy +++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "private-shared-subnet.example.com" + "aws:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "private-shared-subnet.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json index d9d1d85a50..d5fe649c70 100644 --- a/tests/integration/update_cluster/privatecalico/cloudformation.json +++ b/tests/integration/update_cluster/privatecalico/cloudformation.json @@ -1625,47 +1625,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecalico.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1753,6 +1726,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecalico.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy index a2495a0c4e..52d6f76935 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy +++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecalico.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecalico.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy index 816cad8dbf..ed9d462876 100644 --- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy +++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecanal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecanal.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecanal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecanal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json index 5ac2ecb4ae..4ac9885826 100644 --- a/tests/integration/update_cluster/privatecilium/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium/cloudformation.json @@ -1611,47 +1611,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1739,6 +1712,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index a78a0f1bed..f1e22f8f61 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json index 3ea820cc2c..a6aedee34a 100644 --- a/tests/integration/update_cluster/privatecilium2/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json @@ -1611,47 +1611,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1739,6 +1712,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index a78a0f1bed..f1e22f8f61 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json index 4833bae53d..3b3ffbf359 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json +++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json @@ -1644,47 +1644,20 @@ "PolicyDocument": { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com" + "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -1782,6 +1755,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy index 3fb841830f..de5567256d 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com" + "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -139,6 +112,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy index 166c8622d8..02b189a5aa 100644 --- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy +++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatedns1.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatedns1.example.com" + "aws:ResourceTag/KubernetesCluster": "privatedns1.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatedns1.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy index 47f8507afa..6e18da6b7b 100644 --- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy +++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatedns2.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatedns2.example.com" + "aws:ResourceTag/KubernetesCluster": "privatedns2.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatedns2.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy index 5ca8fd4d07..51cb793c02 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy +++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privateflannel.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateflannel.example.com" + "aws:ResourceTag/KubernetesCluster": "privateflannel.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateflannel.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy index f6ea2fcb8f..e340b618e3 100644 --- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy +++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatekopeio.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatekopeio.example.com" + "aws:ResourceTag/KubernetesCluster": "privatekopeio.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatekopeio.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy index 0ad57eb3ff..3761c84aba 100644 --- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy +++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privateweave.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateweave.example.com" + "aws:ResourceTag/KubernetesCluster": "privateweave.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateweave.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy index eea06f2af1..1710195103 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy index 97bb5875ce..fe5321afe1 100644 --- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy +++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "sharedsubnet.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "sharedsubnet.example.com" + "aws:ResourceTag/KubernetesCluster": "sharedsubnet.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "sharedsubnet.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy index 194df49ef8..286f391b8a 100644 --- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy +++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "sharedvpc.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "sharedvpc.example.com" + "aws:ResourceTag/KubernetesCluster": "sharedvpc.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "sharedvpc.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy index 40263a0f7f..4637d5db46 100644 --- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy +++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "unmanaged.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "unmanaged.example.com" + "aws:ResourceTag/KubernetesCluster": "unmanaged.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "unmanaged.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy index d5fddadc14..174cf75583 100644 --- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,47 +1,20 @@ { "Statement": [ { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, + "Action": [ + "ec2:DescribeVolumes" + ], "Effect": "Allow", "Resource": [ "*" ] }, { - "Action": "ec2:CreateTags", + "Action": "ec2:AttachVolume", "Condition": { "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com", + "aws:ResourceTag/k8s.io/role/master": "1" } }, "Effect": "Allow", @@ -129,6 +102,42 @@ "*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:CreateVolume" diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/BUILD.bazel b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/BUILD.bazel index eb409b3430..f5e9553c7a 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/BUILD.bazel +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/BUILD.bazel @@ -17,6 +17,7 @@ go_library( "//pkg/model:go_default_library", "//pkg/model/awsmodel:go_default_library", "//pkg/model/components/addonmanifests:go_default_library", + "//pkg/model/components/addonmanifests/awscloudcontrollermanager:go_default_library", "//pkg/model/components/addonmanifests/awsebscsidriver:go_default_library", "//pkg/model/components/addonmanifests/awsloadbalancercontroller:go_default_library", "//pkg/model/components/addonmanifests/clusterautoscaler:go_default_library", diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go index 70807ba6e2..b1ad3157be 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go @@ -29,6 +29,7 @@ import ( "k8s.io/kops/pkg/model" "k8s.io/kops/pkg/model/awsmodel" "k8s.io/kops/pkg/model/components/addonmanifests" + "k8s.io/kops/pkg/model/components/addonmanifests/awscloudcontrollermanager" "k8s.io/kops/pkg/model/components/addonmanifests/awsebscsidriver" "k8s.io/kops/pkg/model/components/addonmanifests/awsloadbalancercontroller" "k8s.io/kops/pkg/model/components/addonmanifests/clusterautoscaler" @@ -905,6 +906,9 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann Id: id, }) } + if b.UseServiceAccountIAM() { + serviceAccountRoles = append(serviceAccountRoles, &awscloudcontrollermanager.ServiceAccount{}) + } } if b.Cluster.Spec.CloudConfig != nil && b.Cluster.Spec.CloudConfig.AWSEBSCSIDriver != nil && fi.BoolValue(b.Cluster.Spec.CloudConfig.AWSEBSCSIDriver.Enabled) { key := "aws-ebs-csi-driver.addons.k8s.io"