Scope route53 permissions to DNS_ZONE only

This commit is contained in:
Jakub Paweł Głazik 2017-02-12 18:31:07 +01:00
parent bceed6dfaf
commit f50f010d2f
1 changed files with 28 additions and 13 deletions


@ -83,21 +83,23 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
Resource: []string{"*"},
})
// No longer needed in 1.3
//p.Statement = append(p.Statement, &IAMStatement{
// Effect: IAMStatementEffectAllow,
// Action: []string{ "ec2:AttachVolume" },
// Resource: []string{"*"},
//})
//p.Statement = append(p.Statement, &IAMStatement{
// Effect: IAMStatementEffectAllow,
// Action: []string{ "ec2:DetachVolume" },
// Resource: []string{"*"},
//})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: []string{"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:GetHostedZone"},
Resource: []string{"arn:aws:route53:::hostedzone/" + b.Cluster.Spec.DNSZone},
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: []string{"route53:*"},
Action: []string{"route53:GetChange"},
Resource: []string{"arn:aws:route53:::change/*"},
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: []string{"route53:ListHostedZones"},
Resource: []string{"*"},
})
}
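Review bot: The hosted-zone ARN built at `"arn:aws:route53:::hostedzone/" + b.Cluster.Spec.DNSZone` is only meaningful when DNSZone holds the Route53 hosted zone ID (the `Z…` identifier), not the zone's DNS name, and nothing in the hunk checks that; an empty or name-valued DNSZone yields a resource such as `arn:aws:route53:::hostedzone/` or `arn:aws:route53:::hostedzone/example.com` that matches no zone, so ChangeResourceRecordSets would be silently denied rather than scoped. Guarding before the statement is appended, e.g. `if b.Cluster.Spec.DNSZone == "" { return nil, fmt.Errorf("DNSZone must be set to the route53 hosted zone ID to scope the route53 policy") }` (assuming fmt is already imported in this file), plus a comment on the field stating that the ID is expected, would make the failure explicit instead of surfacing as an AccessDenied at runtime. The read-only grants of `route53:GetChange` on `change/*` and `route53:ListHostedZones` on `*` look appropriately narrow. The same three statements appear again in the second hunk; a small helper returning the slice of statements would keep both roles in sync. BuildAWSIAMPolicy begins before this hunk, so the early-return shape of the enclosing function cannot be confirmed from here.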
@ -128,9 +130,22 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
Resource: []string{"*"},
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: []string{"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:GetHostedZone"},
Resource: []string{"arn:aws:route53:::hostedzone/" + b.Cluster.Spec.DNSZone},
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: []string{"route53:*"},
Action: []string{"route53:GetChange"},
Resource: []string{"arn:aws:route53:::change/*"},
})
p.Statement = append(p.Statement, &IAMStatement{
Effect: IAMStatementEffectAllow,
Action: []string{"route53:ListHostedZones"},
Resource: []string{"*"},
})