mirror of https://github.com/kubernetes/kops.git
{
"Statement": [
{
"Action": "ec2:AttachVolume",
"Condition": {
"StringEquals": {
"aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local",
"aws:ResourceTag/k8s.io/role/master": "1"
}
},
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"s3:Get*"
],
"Effect": "Allow",
"Resource": "arn:aws-test:s3:::kops-tests/iam-builder-test.k8s.local/*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:GetEncryptionConfiguration",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": [
"arn:aws-test:s3:::kops-tests"
]
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"ec2:CreateAction": [
"CreateVolume",
"CreateSnapshot"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:volume/*",
"arn:aws-test:ec2:*:*:snapshot/*"
]
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local",
"ec2:CreateAction": [
"CreateVolume",
"CreateSnapshot"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:volume/*",
"arn:aws-test:ec2:*:*:snapshot/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Condition": {
"Null": {
"aws:RequestTag/KubernetesCluster": "true"
},
"StringEquals": {
"aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:volume/*",
"arn:aws-test:ec2:*:*:snapshot/*"
]
},
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:RegisterTargets",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateRoute",
"ec2:DeleteRoute",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume",
"ec2:RevokeSecurityGroupIngress",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateVolume",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}