From 9d1e11c73a5a6ec5adb0bc37125bea149b30b2af Mon Sep 17 00:00:00 2001 From: Ciprian Hacman Date: Sat, 30 Oct 2021 05:41:04 +0300 Subject: [PATCH] Allow kops-controller to describe network interfaces --- pkg/model/iam/iam_builder.go | 10 ++++++++++ .../minimal-ipv6-calico/cloudformation.json | 1 + ...role_policy_masters.minimal-ipv6.example.com_policy | 1 + .../minimal-ipv6-cilium/cloudformation.json | 1 + ...role_policy_masters.minimal-ipv6.example.com_policy | 1 + .../update_cluster/minimal-ipv6/cloudformation.json | 1 + ...role_policy_masters.minimal-ipv6.example.com_policy | 1 + 7 files changed, 16 insertions(+) diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index 01899ff4e0..337d7c1ff1 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go @@ -326,6 +326,10 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { addEtcdManagerPermissions(p) b.addNodeupPermissions(p, false) + if b.Cluster.Spec.IsKopsControllerIPAM() { + addKopsControllerIPAMPermissions(p) + } + var err error if p, err = b.AddS3Permissions(p); err != nil { return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err) @@ -775,6 +779,12 @@ func (b *PolicyBuilder) addNodeupPermissions(p *Policy, enableHookSupport bool) } } +func addKopsControllerIPAMPermissions(p *Policy) { + p.unconditionalAction.Insert( + "ec2:DescribeNetworkInterfaces", + ) +} + func addEtcdManagerPermissions(p *Policy) { p.unconditionalAction.Insert( "ec2:DescribeVolumes", // aws.go diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json index 3d2e27c940..6cf1d99ade 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json 
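Review bot: The new `"ec2:DescribeNetworkInterfaces"` entry in `addKopsControllerIPAMPermissions` carries no why-comment, unlike the neighbouring `"ec2:DescribeVolumes", // aws.go` in the same hunk, so the next reader cannot tell which component consumes it; annotate it as `"ec2:DescribeNetworkInterfaces", // kops-controller IPAM` and give the helper a doc comment such as `// addKopsControllerIPAMPermissions grants the read-only EC2 access kops-controller needs when it acts as the cluster IPAM (only called when IsKopsControllerIPAM is set, see BuildAWSPolicy).` That comment should also say why the action sits in `unconditionalAction`: EC2 Describe* calls do not accept resource ARNs, so this grant lets any control-plane instance enumerate every ENI in the region, including private addresses and security-group attachments, which is tolerable because it is read-only and gated on the IPAM feature, but it cannot be narrowed per resource. Whether the builder's conditional-statement path could at least restrict it by region is not visible in this hunk and would be worth checking.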
@@ -1295,6 +1295,7 @@
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
index e051ecada4..e45aa4f433 100644
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
@@ -152,6 +152,7 @@
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json
index 974cb7cdb2..d1024cf0da 100644
--- a/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json
+++ b/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json
@@ -1281,6 +1281,7 @@
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
index 017f45ffa4..1cd1fdd86c 100644
--- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
+++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
@@ -152,6 +152,7 @@
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json
index 974cb7cdb2..d1024cf0da 100644
--- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json
+++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json
@@ -1281,6 +1281,7 @@
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
index 017f45ffa4..1cd1fdd86c 100644
--- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
+++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
@@ -152,6 +152,7 @@
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",