From 683799c9ab5e51116952eb4a6dd490ac65aec81f Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Thu, 30 Nov 2017 22:22:31 -0300
Subject: [PATCH] Add missing permissions for NLB creation

---
 pkg/model/iam/iam_builder.go | 17 +++++++++++++++++
 .../iam/tests/iam_builder_master_strict.json | 18 ++++++++++++++++++
 .../tests/iam_builder_master_strict_ecr.json | 18 ++++++++++++++++++
 3 files changed, 53 insertions(+)

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index b513bc3f331c8..f044141bd9af8 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -617,6 +617,23 @@ func addMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice, legac
 ),
 Resource: resource,
 })
+
+ p.Statement = append(p.Statement, &Statement{
+ Sid: "kopsK8sNLBMasterPermsRestrictive",
+ Effect: StatementEffectAllow,
+ Action: stringorslice.Of(
+ "elasticloadbalancing:CreateListener", // aws_loadbalancer.go
+ "elasticloadbalancing:DescribeListeners", // aws_loadbalancer.go
+ "elasticloadbalancing:CreateTargetGroup", // aws_loadbalancer.go
+ "elasticloadbalancing:DescribeTargetGroups", // aws_loadbalancer.go
+ "elasticloadbalancing:RegisterTargets", // aws_loadbalancer.go
+ "elasticloadbalancing:DescribeTargetHealth", // aws_loadbalancer.go
+ "elasticloadbalancing:AddTags", // aws_loadbalancer.go
+ "elasticloadbalancing:ModifyTargetGroup", // aws_loadbalancer.go
+ "ec2:DescribeVpcs", // aws_loadbalancer.go
+ ),
+ Resource: resource,
+ })
 }
 }
diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json
index b2195d5583ab5..aaf210447189e 100644
--- a/pkg/model/iam/tests/iam_builder_master_strict.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict.json
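Review bot: The new kopsK8sNLBMasterPermsRestrictive statement grants mutating ELBv2 actions (CreateListener, CreateTargetGroup, RegisterTargets, ModifyTargetGroup, AddTags) on the same `resource` as the read-mostly statement above it, and both strict fixtures in this patch resolve that to "*", so nothing in the statement itself is restrictive despite its Sid. The action list also covers only the create/describe/modify side; if the cloud provider's teardown path deletes listeners or target groups or deregisters targets, those calls will be denied under the strict policy and a removed Service would leave NLB resources behind, which is worth confirming against aws_loadbalancer.go before merging. The per-action `// aws_loadbalancer.go` comments name the caller but not the scope trade-off; a header comment on the statement such as `// NLB actions inherit the caller-supplied resource scope, which the strict fixtures resolve to "*"` would record it for the next reviewer. addMasterELBPolicies begins before this hunk, so the condition that guards both statements is not visible here.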
@@ -103,6 +103,24 @@
 "*"
 ]
 },
+ {
+ "Sid": "kopsK8sNLBMasterPermsRestrictive",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:RegisterTargets",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyTargetGroup",
+ "ec2:DescribeVpcs"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Sid": "kopsMasterCertIAMPerms",
 "Effect": "Allow",
diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
index 628fc7f82b805..a62faf51a0c76 100644
--- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
@@ -103,6 +103,24 @@
 "*"
 ]
 },
+ {
+ "Sid": "kopsK8sNLBMasterPermsRestrictive",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:RegisterTargets",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyTargetGroup",
+ "ec2:DescribeVpcs"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Sid": "kopsMasterCertIAMPerms",
 "Effect": "Allow",