Merge pull request #1969 from zytek/fix-1949

Resolve DNS Hosted Zone ID while building IAM policy
This commit is contained in:
Justin Santa Barbara 2017-02-23 10:21:39 -05:00 committed by GitHub
commit e09037dff0
5 changed files with 70 additions and 80 deletions


@ -33,6 +33,7 @@ type KopsModelContext struct {
Cluster *kops.Cluster Cluster *kops.Cluster
Region string Region string
HostedZoneID string // used to set up route53 IAM policy
InstanceGroups []*kops.InstanceGroup InstanceGroups []*kops.InstanceGroup
SSHPublicKeys [][]byte SSHPublicKeys [][]byte


@ -160,6 +160,7 @@ func (b *IAMModelBuilder) buildAWSIAMPolicy(role kops.InstanceGroupRole) (string
Cluster: b.Cluster, Cluster: b.Cluster,
Role: role, Role: role,
Region: b.Region, Region: b.Region,
HostedZoneID: b.HostedZoneID,
} }
policy, err := pb.BuildAWSIAMPolicy() policy, err := pb.BuildAWSIAMPolicy()


@ -71,6 +71,7 @@ type IAMPolicyBuilder struct {
Cluster *api.Cluster Cluster *api.Cluster
Role api.InstanceGroupRole Role api.InstanceGroupRole
Region string Region string
HostedZoneID string
} }
func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) { func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
@ -101,25 +102,6 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
Resource: wildcard, Resource: wildcard,
}) })
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Of("route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:GetHostedZone"),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::hostedzone/" + b.Cluster.Spec.DNSZone}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:GetChange"}),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:ListHostedZones"}),
Resource: wildcard,
})
} }
{ {
@ -148,25 +130,6 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
Resource: wildcard, Resource: wildcard,
}) })
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Of("route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:GetHostedZone"),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::hostedzone/" + b.Cluster.Spec.DNSZone}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:GetChange"}),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:ListHostedZones"}),
Resource: wildcard,
})
p.Statement = append(p.Statement, &IAMStatement{ p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow, Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"elasticloadbalancing:*"}), Action: stringorslice.Slice([]string{"elasticloadbalancing:*"}),
@ -212,6 +175,26 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
} }
} }
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Of("route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:GetHostedZone"),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::hostedzone/" + b.HostedZoneID}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:GetChange"}),
Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}),
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: stringorslice.Slice([]string{"route53:ListHostedZones"}),
Resource: wildcard,
})
// For S3 IAM permissions, we grant permissions to subtrees. So find the parents; // For S3 IAM permissions, we grant permissions to subtrees. So find the parents;
// we don't need to grant mypath and mypath/child. // we don't need to grant mypath and mypath/child.
var roots []string var roots []string
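Review bot: The hosted-zone ARN at `Resource: stringorslice.Slice([]string{"arn:aws:route53:::hostedzone/" + b.HostedZoneID})` is built without checking that `b.HostedZoneID` was actually set; an empty value yields `arn:aws:route53:::hostedzone/`, which cannot match a real zone, so the record-set permissions would fail silently at runtime instead of at policy-build time. A guard ahead of the three route53 statements, `if b.HostedZoneID == "" { return nil, fmt.Errorf("HostedZoneID is required to build the route53 IAM policy") }` (or the file's existing error idiom if fmt is not in scope), surfaces that immediately. Moving these statements out of the two role-specific blocks (hunks at -101 and -148) into the shared tail also means any role handled by BuildAWSIAMPolicy beyond those two now receives route53:ChangeResourceRecordSets; if such a role exists, it is worth confirming it needs write access to the zone. BuildAWSIAMPolicy starts and ends outside these hunks.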


@ -550,6 +550,27 @@
"*" "*"
] ]
}, },
{
"Action": [
"elasticloadbalancing:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{ {
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
@ -578,27 +599,6 @@
"Resource": [ "Resource": [
"*" "*"
] ]
},
{
"Action": [
"elasticloadbalancing:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"Effect": "Allow",
"Resource": [
"*"
]
} }
], ],
"Version": "2012-10-17" "Version": "2012-10-17"
@ -625,6 +625,21 @@
"*" "*"
] ]
}, },
{
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:BatchGetImage"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{ {
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
@ -653,21 +668,6 @@
"Resource": [ "Resource": [
"*" "*"
] ]
},
{
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:BatchGetImage"
],
"Effect": "Allow",
"Resource": [
"*"
]
} }
], ],
"Version": "2012-10-17" "Version": "2012-10-17"


@ -346,6 +346,11 @@ func (c *ApplyClusterCmd) Run() error {
if err != nil { if err != nil {
return err return err
} }
dnszone, err := findZone(cluster, cloud)
if err != nil {
return err
}
modelContext.HostedZoneID = dnszone.ID()
clusterTags, err := buildCloudupTags(cluster) clusterTags, err := buildCloudupTags(cluster)
if err != nil { if err != nil {
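Review bot: `modelContext.HostedZoneID = dnszone.ID()` assumes findZone never returns a nil zone together with a nil error; that contract is not visible here, so if a lookup can miss without erroring this dereferences nil during apply. A guard such as `if dnszone == nil { return fmt.Errorf("DNS hosted zone not found for cluster") }` between the error check and the assignment makes the failure explicit. The findZone error is also returned bare, so the caller cannot tell which apply step failed; wrapping it as `return fmt.Errorf("error resolving DNS hosted zone: %v", err)` would help diagnosis. Run's body starts and ends outside this hunk.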