Merge pull request #3976 from aledbf/missing-elb-permission
Automatic merge from submit-queue.

Add missing permissions for NLB creation

Without these permissions it is not possible to create a network load balancer (alpha in k8s >= 1.9)
Kubernetes Submit Queue authored Dec 4, 2017
2 parents e633bb4 + 683799c commit 26d931e
Showing 3 changed files with 53 additions and 0 deletions.
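--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -617,6 +617,23 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac
 ),
 Resource: resource,
 })
+
+p.Statement = append(p.Statement, &Statement{
+Sid: "kopsK8sNLBMasterPermsRestrictive",
+Effect: StatementEffectAllow,
+Action: stringorslice.Of(
+"elasticloadbalancing:CreateListener", // aws_loadbalancer.go
+"elasticloadbalancing:DescribeListeners", // aws_loadbalancer.go
+"elasticloadbalancing:CreateTargetGroup", // aws_loadbalancer.go
+"elasticloadbalancing:DescribeTargetGroups", // aws_loadbalancer.go
+"elasticloadbalancing:RegisterTargets", // aws_loadbalancer.go
+"elasticloadbalancing:DescribeTargetHealth", // aws_loadbalancer.go
+"elasticloadbalancing:AddTags", // aws_loadbalancer.go
+"elasticloadbalancing:ModifyTargetGroup", // aws_loadbalancer.go
+"ec2:DescribeVpcs", // aws_loadbalancer.go
+),
+Resource: resource,
+})
 }
 }
 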
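Review bot: The new `kopsK8sNLBMasterPermsRestrictive` statement puts mutating actions (`CreateListener`, `CreateTargetGroup`, `RegisterTargets`, `AddTags`, `ModifyTargetGroup`) and read-only `Describe*` actions under one `Resource: resource`, which the strict-mode fixtures in this commit render as `"*"`, so despite the "Restrictive" Sid the master role can modify any ELBv2 listener or target group in the account. Splitting the read-only actions into their own statement and scoping the mutating ones (for example by a cluster-ownership tag condition, if `Statement` can express one; its definition is not visible here) would keep the grant closer to least privilege. At minimum a comment such as `// NLB support (alpha): write actions are account-wide until they can be scoped by cluster tag` should record the gap. The list also has no `DeleteListener`, `DeleteTargetGroup` or `DeregisterTargets`; unless an earlier statement in `addMasterELBPolicies` (which starts outside this hunk) grants them, teardown of the created resources will presumably be denied and leave orphaned target groups.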
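--- a/pkg/model/iam/tests/iam_builder_master_strict.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict.json
@@ -103,6 +103,24 @@
 "*"
 ]
 },
+{
+"Sid": "kopsK8sNLBMasterPermsRestrictive",
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateListener",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:CreateTargetGroup",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:ModifyTargetGroup",
+"ec2:DescribeVpcs"
+],
+"Resource": [
+"*"
+]
+},
 {
 "Sid": "kopsMasterCertIAMPerms",
 "Effect": "Allow",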
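--- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
@@ -103,6 +103,24 @@
 "*"
 ]
 },
+{
+"Sid": "kopsK8sNLBMasterPermsRestrictive",
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateListener",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:CreateTargetGroup",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:ModifyTargetGroup",
+"ec2:DescribeVpcs"
+],
+"Resource": [
+"*"
+]
+},
 {
 "Sid": "kopsMasterCertIAMPerms",
 "Effect": "Allow",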
