
Commit a97c430

authored
Merge pull request #17705 from hakman/aws-fix-missing-permissions
aws: Fix missing permissions for CCM and LBC
2 parents cf5c050 + 331e6bc commit a97c430


71 files changed

+106
-2
lines changed



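--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -874,6 +874,7 @@ func AddCCMPermissions(p *Policy, cloudRoutes bool) {
 "ec2:DescribeSecurityGroups",
 "ec2:DescribeSubnets",
 "ec2:DescribeVpcs",
+"ec2:DescribeInstanceTopology",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
 "elasticloadbalancing:DescribeListeners",
@@ -953,8 +954,11 @@ func AddAWSLoadbalancerControllerPermissions(p *Policy, enableWAF, enableWAFv2,
 "ec2:DescribeVpcPeeringConnections",
 "ec2:DescribeVpcs",
 "ec2:DescribeAccountAttributes",
+"ec2:GetSecurityGroupsForVpc",
 
+"elasticloadbalancing:DescribeCapacityReservation",
 "elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeListenerAttributes",
 "elasticloadbalancing:DescribeListenerCertificates",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
@@ -963,6 +967,7 @@ func AddAWSLoadbalancerControllerPermissions(p *Policy, enableWAF, enableWAFv2,
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetGroupAttributes",
 "elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:DescribeTrustStores",
 )
 if enableWAF {
 p.unconditionalAction.Insert(
@@ -1004,9 +1009,12 @@ func AddAWSLoadbalancerControllerPermissions(p *Policy, enableWAF, enableWAFv2,
 "elasticloadbalancing:DeleteRule",
 "elasticloadbalancing:DeleteTargetGroup",
 "elasticloadbalancing:DeregisterTargets",
+"elasticloadbalancing:ModifyCapacityReservation",
 "elasticloadbalancing:ModifyListener",
+"elasticloadbalancing:ModifyListenerAttributes",
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyRule",
+"elasticloadbalancing:SetRulePriorities",
 "elasticloadbalancing:ModifyTargetGroup",
 "elasticloadbalancing:ModifyTargetGroupAttributes",
 "elasticloadbalancing:RegisterTargets",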
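Review bot: `SetRulePriorities` in the fourth hunk is inserted between `ModifyRule` and `ModifyTargetGroup`, breaking the alphabetical order the rest of that mutation list keeps and which the generated fixture restores (there it lands after `SetIpAddressType`); the same applies to `ec2:DescribeInstanceTopology` placed after `ec2:DescribeVpcs` in the first hunk. Moving each new action to its sorted position keeps the lists directly diffable against the upstream controller policies. Beyond ordering, none of the added grants records which controller version needs it, and every line here widens a role policy permanently, so a one-line comment such as `// Required by aws-load-balancer-controller <VERSION placeholder>: capacity reservations, listener attributes, trust stores.` above the group would let a later reviewer retire them when they are no longer needed. Whether the mutating statement these land in is resource- or condition-scoped is outside the hunk (the fixture's Describe statement is `"Resource": "*"`, the mutate statement's scope is not shown), so that is worth confirming for `ModifyCapacityReservation`. Both enclosing functions start and end outside the hunks.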

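--- a/pkg/model/iam/tests/iam_builder_master_gossip.json
+++ b/pkg/model/iam/tests/iam_builder_master_gossip.json
@@ -111,6 +111,7 @@
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeImages",
+"ec2:DescribeInstanceTopology",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
 "ec2:DescribeLaunchTemplateVersions",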

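--- a/pkg/model/iam/tests/iam_builder_master_gossip_ecr.json
+++ b/pkg/model/iam/tests/iam_builder_master_gossip_ecr.json
@@ -111,6 +111,7 @@
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeImages",
+"ec2:DescribeInstanceTopology",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
 "ec2:DescribeLaunchTemplateVersions",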

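--- a/pkg/model/iam/tests/iam_builder_master_strict.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict.json
@@ -111,6 +111,7 @@
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeImages",
+"ec2:DescribeInstanceTopology",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
 "ec2:DescribeLaunchTemplateVersions",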

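--- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
@@ -111,6 +111,7 @@
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeImages",
+"ec2:DescribeInstanceTopology",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
 "ec2:DescribeLaunchTemplateVersions",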

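--- a/tests/integration/update_cluster/additionalobjects/data/aws_iam_role_policy_masters.additionalobjects.example.com_policy
+++ b/tests/integration/update_cluster/additionalobjects/data/aws_iam_role_policy_masters.additionalobjects.example.com_policy
@@ -173,6 +173,7 @@
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeImages",
+"ec2:DescribeInstanceTopology",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
 "ec2:DescribeLaunchTemplateVersions",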

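--- a/tests/integration/update_cluster/apiservernodes/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/apiservernodes/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -173,6 +173,7 @@
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeImages",
+"ec2:DescribeInstanceTopology",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
 "ec2:DescribeLaunchTemplateVersions",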

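--- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-cloud-controller-manager.kube-system.sa.minimal.example.com_policy
+++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-cloud-controller-manager.kube-system.sa.minimal.example.com_policy
@@ -38,6 +38,7 @@
 "autoscaling:DescribeAutoScalingGroups",
 "autoscaling:DescribeTags",
 "ec2:DescribeAvailabilityZones",
+"ec2:DescribeInstanceTopology",
 "ec2:DescribeInstances",
 "ec2:DescribeRegions",
 "ec2:DescribeRouteTables",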

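--- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
+++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
@@ -47,6 +47,9 @@
 "ec2:DescribeSubnets",
 "ec2:DescribeVpcPeeringConnections",
 "ec2:DescribeVpcs",
+"ec2:GetSecurityGroupsForVpc",
+"elasticloadbalancing:DescribeCapacityReservation",
+"elasticloadbalancing:DescribeListenerAttributes",
 "elasticloadbalancing:DescribeListenerCertificates",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
@@ -55,7 +58,8 @@
 "elasticloadbalancing:DescribeTags",
 "elasticloadbalancing:DescribeTargetGroupAttributes",
 "elasticloadbalancing:DescribeTargetGroups",
-"elasticloadbalancing:DescribeTargetHealth"
+"elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:DescribeTrustStores"
 ],
 "Effect": "Allow",
 "Resource": "*"
@@ -72,7 +76,9 @@
 "elasticloadbalancing:DeleteRule",
 "elasticloadbalancing:DeleteTargetGroup",
 "elasticloadbalancing:DeregisterTargets",
+"elasticloadbalancing:ModifyCapacityReservation",
 "elasticloadbalancing:ModifyListener",
+"elasticloadbalancing:ModifyListenerAttributes",
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyRule",
 "elasticloadbalancing:ModifyTargetGroup",
@@ -81,6 +87,7 @@
 "elasticloadbalancing:RemoveListenerCertificates",
 "elasticloadbalancing:RemoveTags",
 "elasticloadbalancing:SetIpAddressType",
+"elasticloadbalancing:SetRulePriorities",
 "elasticloadbalancing:SetSecurityGroups",
 "elasticloadbalancing:SetSubnets"
 ],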

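--- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy
+++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy
@@ -173,6 +173,7 @@
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeImages",
+"ec2:DescribeInstanceTopology",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
 "ec2:DescribeLaunchTemplateVersions",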
