iam_builder.go: ensure kube-router src/dst permissions
aauren committed Mar 31, 2024
1 parent d3e4d74 commit 821ab18
Showing 1 changed file with 10 additions and 0 deletions.
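--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -468,6 +468,10 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 addCalicoSrcDstCheckPermissions(p)
 }
 
+if b.Cluster.Spec.Networking.KubeRouter != nil {
+addKubeRouterSrcDstCheckPermissions(p)
+}
+
 return p, nil
 }
 
@@ -769,6 +773,12 @@ func addCalicoSrcDstCheckPermissions(p *Policy) {
 )
 }
 
+func addKubeRouterSrcDstCheckPermissions(p *Policy) {
+p.unconditionalAction.Insert(
+"ec2:ModifyInstanceAttribute",
+)
+}
+
 func (b *PolicyBuilder) addNodeupPermissions(p *Policy, enableHookSupport bool) {
 addCertIAMPolicies(p)
 addKMSGenerateRandomPolicies(p)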
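Review bot: `ec2:ModifyInstanceAttribute` is inserted into `p.unconditionalAction` in `addKubeRouterSrcDstCheckPermissions`, which by its name appears to grant the action without a resource or tag condition, and the call site is in `NodeRoleNode.BuildAWSPolicy`, so every node role receives it whenever `Networking.KubeRouter` is set. The same API call also modifies security groups, user data and instance type, not only the source/destination check, so a workload that obtains node credentials would hold a much broader grant than the one setting kube-router needs. Consider limiting the statement to instances that carry the cluster's tag, if the Policy type offers a tag-conditioned action set, and add a doc comment such as `// addKubeRouterSrcDstCheckPermissions lets kube-router disable the EC2 source/destination check on its node; ModifyInstanceAttribute covers other attributes too, so keep this grant as narrow as the policy model allows.` `BuildAWSPolicy` and `addCalicoSrcDstCheckPermissions` begin outside the hunks, so how the rest of the node policy is scoped is not visible here.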
