Merge pull request #3795 from KashifSaadat/iam-kube-router

Automatic merge from submit-queue.

Add Node IAM permissions to access kube-router key in S3.

Fixes #3792 

An additional S3 IAM permission is added to the nodes policy when `Networking.Kuberouter` is specified.
Kubernetes Submit Queue 2017-11-09 22:41:59 -08:00 committed by GitHub
commit ec5496520d
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions


@ -348,6 +348,17 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
strings.Join([]string{b.IAMPrefix(), ":s3:::", iamS3Path, "/secrets/dockerconfig"}, ""),
),
})
if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Kuberouter != nil {
p.Statement = append(p.Statement, &Statement{
Sid: "kopsK8sS3NodeBucketGetKuberouter",
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"s3:Get*"}),
Resource: stringorslice.Of(
strings.Join([]string{b.IAMPrefix(), ":s3:::", iamS3Path, "/pki/private/kube-router/*"}, ""),
),
})
}
}
}
} else if _, ok := vfsPath.(*vfs.MemFSPath); ok {
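Review bot: The new kube-router statement grants every node `s3:Get*` on the `/pki/private/kube-router/*` path, which holds private key material; `s3:Get*` also matches ACL, tagging, version and attribute reads, so unless those are actually used the narrower `Action: stringorslice.Slice([]string{"s3:GetObject"}),` is the safer grant for a key path (add `s3:GetObjectVersion` only if the bucket is versioned and the reader needs it). If the neighbouring S3 statements in AddS3Permissions deliberately use the same wildcard, mirroring them is defensible, but the key directory is the one place worth being explicit. The block also lacks a comment saying why nodes need this key at all; the PR description names kube-router as the consumer, so a line such as `// kube-router runs on the nodes and reads its client key from the cluster S3 store (confirm exact consumer)` above the `if` would help the next reader. AddS3Permissions continues outside the hunk, and the rendered hunk shows 16 lines against the header's 17 new-side count, so one added line (likely a blank) appears to have been lost in rendering.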