NewPolicy function for instantiating policy struct

2021-07-01 08:39:43 +02:00 · 2021-07-01 08:39:43 +02:00 · d8bf4dcae1
parent 4bf0fae33a
commit d8bf4dcae1
5 changed files with 45 additions and 18 deletions
--- a/pkg/model/components/addonmanifests/awsebscsidriver/iam.go
+++ b/pkg/model/components/addonmanifests/awsebscsidriver/iam.go
@ -31,9 +31,9 @@ var _ iam.Subject = &ServiceAccount{}

 // BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role.
 func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) {
-	p := &iam.Policy{
-		Version: iam.PolicyDefaultVersion,
-	}
+
+	clusterName := b.Cluster.ObjectMeta.Name
+	p := iam.NewPolicy(clusterName)

 	addSnapshotControllerPermissions := b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled)
 	iam.AddAWSEBSCSIDriverPermissions(p, b.Cluster.ObjectMeta.Name, addSnapshotControllerPermissions)
--- a/pkg/model/components/addonmanifests/awsloadbalancercontroller/iam.go
+++ b/pkg/model/components/addonmanifests/awsloadbalancercontroller/iam.go
@ -31,12 +31,9 @@ var _ iam.Subject = &ServiceAccount{}

 // BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role.
 func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) {
-	p := &iam.Policy{
-		Version: iam.PolicyDefaultVersion,
-	}
-
 	resource := stringorslice.Slice([]string{"*"})
 	clusterName := b.Cluster.ObjectMeta.Name
+	p := iam.NewPolicy(clusterName)
 	iam.AddAWSLoadbalancerControllerPermissions(p, resource, clusterName)
 	iam.AddMasterEC2Policies(p, resource, clusterName)
 	iam.AddMasterELBPolicies(p, resource)
--- a/pkg/model/components/addonmanifests/clusterautoscaler/iam.go
+++ b/pkg/model/components/addonmanifests/clusterautoscaler/iam.go
@ -30,9 +30,9 @@ var _ iam.Subject = &ServiceAccount{}

 // BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role.
 func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) {
-	p := &iam.Policy{
-		Version: iam.PolicyDefaultVersion,
-	}
+
+	clusterName := b.Cluster.ObjectMeta.Name
+	p := iam.NewPolicy(clusterName)

 	iam.AddClusterAutoscalerPermissions(p, b.Cluster.ObjectMeta.Name)

--- a/pkg/model/components/addonmanifests/dnscontroller/iam.go
+++ b/pkg/model/components/addonmanifests/dnscontroller/iam.go
@ -30,9 +30,8 @@ var _ iam.Subject = &ServiceAccount{}

 // BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role.
 func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) {
-	p := &iam.Policy{
-		Version: iam.PolicyDefaultVersion,
-	}
+	clusterName := b.Cluster.ObjectMeta.Name
+	p := iam.NewPolicy(clusterName)

 	iam.AddDNSControllerPermissions(b, p)

--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@ -49,12 +49,35 @@ const PolicyDefaultVersion = "2012-10-17"

 // Policy Struct is a collection of fields that form a valid AWS policy document
 type Policy struct {
-	Statement []*Statement
-	Version   string
+	clusterName         string
+	unconditionalAction sets.String
+	clusterTaggedAction sets.String
+	Statement           []*Statement
+	Version             string
 }

 // AsJSON converts the policy document to JSON format (parsable by AWS)
 func (p *Policy) AsJSON() (string, error) {
+	if len(p.unconditionalAction) > 0 {
+		p.Statement = append(p.Statement, &Statement{
+			Effect:   StatementEffectAllow,
+			Action:   stringorslice.Of(p.unconditionalAction.List()...),
+			Resource: stringorslice.String("*"),
+		})
+	}
+	if len(p.clusterTaggedAction) > 0 {
+		p.Statement = append(p.Statement, &Statement{
+			Effect:   StatementEffectAllow,
+			Action:   stringorslice.Of(p.clusterTaggedAction.List()...),
+			Resource: stringorslice.String("*"),
+			Condition: Condition{
+				"StringEquals": map[string]string{
+					"aws:ResourceTag/KubernetesCluster": p.clusterName,
+				},
+			},
+		})
+	}
+
 	j, err := json.MarshalIndent(p, "", "  ")
 	if err != nil {
 		return "", fmt.Errorf("error marshaling policy to JSON: %v", err)
@ -236,13 +259,21 @@ func (b *PolicyBuilder) BuildAWSPolicy() (*Policy, error) {
 	return p, nil
 }

+func NewPolicy(clusterName string) *Policy {
+	p := &Policy{
+		Version:             PolicyDefaultVersion,
+		clusterName:         clusterName,
+		unconditionalAction: sets.NewString(),
+		clusterTaggedAction: sets.NewString(),
+	}
+	return p
+}
+
 // BuildAWSPolicy generates a custom policy for a Kubernetes master.
 func (r *NodeRoleAPIServer) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 	resource := createResource(b)

-	p := &Policy{
-		Version: PolicyDefaultVersion,
-	}
+	p := NewPolicy(b.Cluster.GetClusterName())

 	AddMasterEC2Policies(p, resource, b.Cluster.GetName())
 	addASLifecyclePolicies(p, resource, b.Cluster.GetName(), r.warmPool)