Merge pull request #4095 from reactiveops/fix_3883
Automatic merge from submit-queue.

Adds permissions for ELB and NLB req'd by 1.9

Adds appropriate IAM permissions to Masters (in restrictive mode) for ELB and NLB.

Closes #3883
Kubernetes Submit Queue authored Dec 17, 2017
2 parents 7768729 + 59bc52a commit 0bfb273
Showing 3 changed files with 36 additions and 18 deletions.
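--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -599,6 +599,7 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac
 Sid: "kopsK8sELBMasterPermsRestrictive",
 Effect: StatementEffectAllow,
 Action: stringorslice.Of(
+"elasticloadbalancing:AddTags", // aws_loadbalancer.go
 "elasticloadbalancing:AttachLoadBalancerToSubnets", // aws_loadbalancer.go
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", // aws_loadbalancer.go
 "elasticloadbalancing:CreateLoadBalancer", // aws_loadbalancer.go
@@ -622,15 +623,20 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac
 Sid: "kopsK8sNLBMasterPermsRestrictive",
 Effect: StatementEffectAllow,
 Action: stringorslice.Of(
-"elasticloadbalancing:CreateListener", // aws_loadbalancer.go
-"elasticloadbalancing:DescribeListeners", // aws_loadbalancer.go
-"elasticloadbalancing:CreateTargetGroup", // aws_loadbalancer.go
-"elasticloadbalancing:DescribeTargetGroups", // aws_loadbalancer.go
-"elasticloadbalancing:RegisterTargets", // aws_loadbalancer.go
-"elasticloadbalancing:DescribeTargetHealth", // aws_loadbalancer.go
-"elasticloadbalancing:AddTags", // aws_loadbalancer.go
-"elasticloadbalancing:ModifyTargetGroup", // aws_loadbalancer.go
-"ec2:DescribeVpcs", // aws_loadbalancer.go
+"ec2:DescribeVpcs", // aws_loadbalancer.go
+"elasticloadbalancing:AddTags", // aws_loadbalancer.go
+"elasticloadbalancing:CreateListener", // aws_loadbalancer.go
+"elasticloadbalancing:CreateTargetGroup", // aws_loadbalancer.go
+"elasticloadbalancing:DeleteListener", // aws_loadbalancer.go
+"elasticloadbalancing:DeleteTargetGroup", // aws_loadbalancer.go
+"elasticloadbalancing:DescribeListeners", // aws_loadbalancer.go
+"elasticloadbalancing:DescribeLoadBalancerPolicies", // aws_loadbalancer.go
+"elasticloadbalancing:DescribeTargetGroups", // aws_loadbalancer.go
+"elasticloadbalancing:DescribeTargetHealth", // aws_loadbalancer.go
+"elasticloadbalancing:ModifyListener", // aws_loadbalancer.go
+"elasticloadbalancing:ModifyTargetGroup", // aws_loadbalancer.go
+"elasticloadbalancing:RegisterTargets", // aws_loadbalancer.go
+"elasticloadbalancing:SetLoadBalancerPoliciesOfListener", // aws_loadbalancer.go
 ),
 Resource: resource,
 })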
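Review bot: The `kopsK8sNLBMasterPermsRestrictive` statement now carries mutating actions (`DeleteListener`, `DeleteTargetGroup`, `ModifyListener`, `SetLoadBalancerPoliciesOfListener`) while still using `Resource: resource`, which the strict-mode fixtures in this commit render as `"*"`, so a master role in restrictive mode is allowed to change or delete listeners and target groups that do not belong to the cluster. If the caller cannot pass a narrower resource, I would at least record that on the statement, e.g. `// NOTE: Resource is "*" in strict mode; Delete*/Modify* are not limited to this cluster's load balancers`, and consider a cluster-tag condition for the actions that support one. `DescribeLoadBalancerPolicies` and `SetLoadBalancerPoliciesOfListener` look like classic-ELB calls, so they may read better to an auditor under `kopsK8sELBMasterPermsRestrictive`. addMasterELBPolicies starts and ends outside these hunks, so how `resource` is chosen is not visible here.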
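--- a/pkg/model/iam/tests/iam_builder_master_strict.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict.json
@@ -84,6 +84,7 @@
 "Sid": "kopsK8sELBMasterPermsRestrictive",
 "Effect": "Allow",
 "Action": [
+"elasticloadbalancing:AddTags",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:CreateLoadBalancer",
@@ -108,15 +109,20 @@
 "Sid": "kopsK8sNLBMasterPermsRestrictive",
 "Effect": "Allow",
 "Action": [
+"ec2:DescribeVpcs",
+"elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
-"elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:CreateTargetGroup",
+"elasticloadbalancing:DeleteListener",
+"elasticloadbalancing:DeleteTargetGroup",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
-"elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:DescribeTargetHealth",
-"elasticloadbalancing:AddTags",
+"elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
-"ec2:DescribeVpcs"
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
 "Resource": [
 "*"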
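--- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
@@ -1,4 +1,4 @@
-{
+{
 "Version": "2012-10-17",
 "Statement": [
 {
@@ -84,6 +84,7 @@
 "Sid": "kopsK8sELBMasterPermsRestrictive",
 "Effect": "Allow",
 "Action": [
+"elasticloadbalancing:AddTags",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:CreateLoadBalancer",
@@ -108,15 +109,20 @@
 "Sid": "kopsK8sNLBMasterPermsRestrictive",
 "Effect": "Allow",
 "Action": [
+"ec2:DescribeVpcs",
+"elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
-"elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:CreateTargetGroup",
+"elasticloadbalancing:DeleteListener",
+"elasticloadbalancing:DeleteTargetGroup",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
-"elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:DescribeTargetHealth",
-"elasticloadbalancing:AddTags",
+"elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
-"ec2:DescribeVpcs"
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
 "Resource": [
 "*"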
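Review bot: The first hunk replaces line 1 `{` with a `{` that renders identically on this page, so the difference is presumably whitespace, a byte-order mark or a line ending rather than content. It is worth confirming the change is intentional, because an invisible difference in a golden policy file can make a later fixture comparison fail for reasons unrelated to the IAM actions under review. The sibling fixture iam_builder_master_strict.json carries no such hunk.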
