kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1969 from zytek/fix-1949 

Resolve DNS Hosted Zone ID while building IAM policy
This commit is contained in:
Justin Santa Barbara 2017-02-23 10:21:39 -05:00 committed by GitHub
parent 08419fcae8 26fac5e17d
commit e09037dff0
5 changed files with 70 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/model/context.go
View File

@ -33,6 +33,7 @@ type KopsModelContext struct {
Cluster *kops.Cluster
Region string
HostedZoneID string // used to set up route53 IAM policy
InstanceGroups []*kops.InstanceGroup
SSHPublicKeys [][]byte

7
pkg/model/iam.go
View File

@ -157,9 +157,10 @@ func (b *IAMModelBuilder) Build(c *fi.ModelBuilderContext) error {
// buildAWSIAMPolicy produces the AWS IAM policy for the given role
func (b *IAMModelBuilder) buildAWSIAMPolicy(role kops.InstanceGroupRole) (string, error) {
pb := &iam.IAMPolicyBuilder{
Cluster: b.Cluster,
Role: role,
Region: b.Region,
Cluster: b.Cluster,
Role: role,
Region: b.Region,
HostedZoneID: b.HostedZoneID,
}
policy, err := pb.BuildAWSIAMPolicy()

65
pkg/model/iam/iam_builder.go
View File

@ -68,9 +68,10 @@ func (l *IAMStatement) Equal(r *IAMStatement) bool {
}
type IAMPolicyBuilder struct {
Cluster *api.Cluster
Role api.InstanceGroupRole
Region string
Cluster *api.Cluster
Role api.InstanceGroupRole
Region string
HostedZoneID string
}
func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
@ -101,25 +102,6 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
Resource: wildcard,
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Of("route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:GetHostedZone"),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::hostedzone/" + b.Cluster.Spec.DNSZone}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:GetChange"}),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:ListHostedZones"}),
Resource: wildcard,
})
}
{
@ -148,25 +130,6 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
Resource: wildcard,
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Of("route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:GetHostedZone"),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::hostedzone/" + b.Cluster.Spec.DNSZone}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:GetChange"}),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:ListHostedZones"}),
Resource: wildcard,
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"elasticloadbalancing:*"}),
@ -212,6 +175,26 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
}
}
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Of("route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:GetHostedZone"),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::hostedzone/" + b.HostedZoneID}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:GetChange"}),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:ListHostedZones"}),
Resource: wildcard,
})
// For S3 IAM permissions, we grant permissions to subtrees. So find the parents;
// we don't need to grant mypath and mypath/child.
var roots []string

72
tests/integration/minimal/cloudformation.json
View File

@ -550,6 +550,27 @@
"*"
]
},
{
"Action": [
"elasticloadbalancing:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"route53:ChangeResourceRecordSets",
@ -578,27 +599,6 @@
"Resource": [
"*"
]
},
{
"Action": [
"elasticloadbalancing:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "2012-10-17"
@ -625,6 +625,21 @@
"*"
]
},
{
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:BatchGetImage"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"route53:ChangeResourceRecordSets",
@ -653,21 +668,6 @@
"Resource": [
"*"
]
},
{
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:BatchGetImage"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "2012-10-17"

5
upup/pkg/fi/cloudup/apply_cluster.go
View File

@ -346,6 +346,11 @@ func (c *ApplyClusterCmd) Run() error {
if err != nil {
return err
}
dnszone, err := findZone(cluster, cloud)
if err != nil {
return err
}
modelContext.HostedZoneID = dnszone.ID()
clusterTags, err := buildCloudupTags(cluster)
if err != nil {