From da0ce7ccb867a0476b2e809587c5058c3445fbb7 Mon Sep 17 00:00:00 2001
From: Aaron U'Ren
Date: Sat, 30 Mar 2024 22:19:01 -0500
Subject: [PATCH] iam_builder.go: ensure kube-router src/dst permissions

---
 pkg/model/iam/iam_builder.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 6fee94d5fdc79..49ef3ea99e839 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -468,6 +468,10 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addCalicoSrcDstCheckPermissions(p)
 	}
 
+	if b.Cluster.Spec.Networking.KubeRouter != nil {
+		addKubeRouterSrcDstCheckPermissions(p)
+	}
+
 	return p, nil
 }
 
@@ -769,6 +773,12 @@ func addCalicoSrcDstCheckPermissions(p *Policy) {
 	)
 }
 
+func addKubeRouterSrcDstCheckPermissions(p *Policy) {
+	p.unconditionalAction.Insert(
+		"ec2:ModifyInstanceAttribute",
+	)
+}
+
 func (b *PolicyBuilder) addNodeupPermissions(p *Policy, enableHookSupport bool) {
 	addCertIAMPolicies(p)
 	addKMSGenerateRandomPolicies(p)
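Review bot: The new `if b.Cluster.Spec.Networking.KubeRouter != nil` branch has no comment saying what kube-router needs an EC2 write permission for, and since this line gates an IAM grant on every node role, a reader should not have to follow the helper name to learn that it is a mutating permission rather than a read. I would add above the if: `// kube-router disables the EC2 source/destination check on the node's own instance (presumably so pod traffic routed via the node is not dropped by the VPC); this grants the write permission it needs only when kube-router is the configured CNI.` The helper call mirrors the Calico branch just above, so the nil-safety of `Cluster.Spec.Networking` is inherited from that existing pattern rather than checked here. BuildAWSPolicy begins before this hunk, so I cannot see how `p` is initialised.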
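Review bot: `ec2:ModifyInstanceAttribute` is inserted into `p.unconditionalAction`, and if that set is rendered without a resource or condition restriction (the name suggests it is), every node — and any pod that can reach the node's instance-profile credentials — can change user data, security groups, termination protection or instance type on any instance in the account, far more than flipping SourceDestCheck on the node it runs on. kube-router only needs to toggle its own instance's SourceDestCheck, so I would scope this: put the action in whichever condition-scoped action set this builder uses for cluster-tagged EC2 resources if one exists (not visible in this hunk), and/or pin the attribute with a condition on the `ec2:Attribute` key (e.g. `"StringEquals": {"ec2:Attribute": "SourceDestCheck"}`) after confirming that key is listed for this action in the Service Authorization Reference. At minimum the helper should carry a warning comment, e.g. `// ModifyInstanceAttribute is broad (user data, SGs, termination protection); keep it as narrowly scoped as the builder allows — kube-router only flips SourceDestCheck on its own instance.` The body of `addCalicoSrcDstCheckPermissions` starts outside this hunk, so I cannot tell whether the Calico grant takes the same unconditional route or is already scoped.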