From 92689c51c6db89d51f2ede2cd6e303c8bbce1dfc Mon Sep 17 00:00:00 2001
From: Kenjiro Nakayama
Date: Thu, 24 Jan 2019 18:25:37 +0900
Subject: [PATCH 1/2] Add permission for CreateTag on ENI to amazon-vpc-cni-k8s

Although amazon-vpc-cni-k8s adds tag to ENI, kops does not add the permission. Hence it does not work by default. This patch adds the permission for CreateTag on ENI to amazon-vpc-cni-k8s's nodes policy.
---
 pkg/model/iam/iam_builder.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index b2d9606308829..dece45f9a6c81 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -877,6 +877,13 @@ func addAmazonVPCCNIPermissions(p *Policy, resource stringorslice.StringOrSlice,
 }),
 Resource: resource,
 },
+&Statement{
+Effect: StatementEffectAllow,
+Action: stringorslice.Slice([]string{
+"ec2:CreateTags",
+}),
+Resource: stringorslice.Slice([]string{"arn:aws:ec2:*:*:network-interface/*"}),
+},
 )
 }

From bedc944672df731ce2f33afe8add5ce04ca45981 Mon Sep 17 00:00:00 2001
From: Kenjiro Nakayama
Date: Mon, 28 Jan 2019 09:13:52 +0900
Subject: [PATCH 2/2] Update docs for IAM policy

---
 docs/networking.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/networking.md b/docs/networking.md
index 62fc8e490e7ff..d9c75d06ddd01 100644
--- a/docs/networking.md
+++ b/docs/networking.md
@@ -363,6 +363,11 @@ $ kops create cluster \
 "Resource": [
 "*"
 ]
+},
+{
+"Effect": "Allow",
+"Action": "ec2:CreateTags",
+"Resource": "arn:aws:ec2:*:*:network-interface/*"
 }
 ```
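Review bot: The ENI ARN in the new statement hardcodes the `aws` partition (`arn:aws:ec2:*:*:network-interface/*`), so in a partition such as `aws-us-gov` or `aws-cn` the statement would not match the nodes' network interfaces and `ec2:CreateTags` would still be denied there. The preceding statement in this hunk uses the `resource` argument passed into addAmazonVPCCNIPermissions while this one builds its own ARN; if the builder has a partition value in scope, derive the ARN from it, e.g. `Resource: stringorslice.Slice([]string{"arn:" + partition + ":ec2:*:*:network-interface/*"}),` where `partition` stands for whatever the builder actually exposes. Restricting the tagging right to `network-interface/*` instead of `*` is a good least-privilege choice, and it could be narrowed further with an `aws:TagKeys` condition listing only the tag keys the CNI writes, once those keys are confirmed. The enclosing function starts before this hunk, and the same hardcoded partition appears in the sample policy added to docs/networking.md in the second patch.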