Add additional Describe permissions required for Romana CNI

2017-11-06 09:31:09 +00:00 · 2017-11-06 09:31:09 +00:00 · d2b8741455
parent df69d047f8
commit d2b8741455
1 changed files with 25 additions and 0 deletions
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@ -182,6 +182,10 @@ func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error) {
 		addECRPermissions(p)
 	}

+	if b.Cluster.Spec.Networking.Romana != nil {
+		addRomanaCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy)
+	}
+
 	return p, nil
 }

@ -676,6 +680,27 @@ func addRoute53ListHostedZonesPermission(p *Policy) {
 	})
 }

+func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool) {
+	if legacyIAM {
+		// Legacy IAM provides ec2:*, so no additional permissions required
+		return
+	} else {
+		// Romana requires additional Describe permissions
+		// Comments are which Romana component makes the call
+		p.Statement = append(p.Statement,
+			&Statement{
+				Sid:    "kopsK8sEC2MasterPermsRomanaCNI",
+				Effect: StatementEffectAllow,
+				Action: stringorslice.Slice([]string{
+					"ec2:DescribeAvailabilityZones", // vpcrouter
+					"ec2:DescribeVpcs",              // vpcrouter
+				}),
+				Resource: resource,
+			},
+		)
+	}
+}
+
 func createResource(b *PolicyBuilder) stringorslice.StringOrSlice {
 	var resource stringorslice.StringOrSlice
 	if b.ResourceARN != nil {