From 82d86cdff234d2d3e04be33b3ed1a9f161b5870c Mon Sep 17 00:00:00 2001
From: Connor Catlett
Date: Thu, 14 Nov 2024 23:29:25 +0000
Subject: [PATCH] [WIP] Update IAM policy

Signed-off-by: Connor Catlett
---
 docs/example-iam-policy.json | 99 +++++++++++++++-----------------
 hack/e2e/kops/patch-cluster.yaml | 98 +++++++++++++++----------------
 2 files changed, 91 insertions(+), 106 deletions(-)

diff --git a/docs/example-iam-policy.json b/docs/example-iam-policy.json
index 6c12061455..4f16ca21c5 100644
--- a/docs/example-iam-policy.json
+++ b/docs/example-iam-policy.json
@@ -4,61 +4,59 @@
 {
 "Effect": "Allow",
 "Action": [
- "ec2:CreateSnapshot",
- "ec2:AttachVolume",
- "ec2:DetachVolume",
- "ec2:ModifyVolume",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeInstances",
 "ec2:DescribeSnapshots",
 "ec2:DescribeTags",
 "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:EnableFastSnapshotRestores"
+ "ec2:DescribeVolumesModifications"
 ],
 "Resource": "*"
 },
 {
 "Effect": "Allow",
 "Action": [
- "ec2:CreateTags"
+ "ec2:AttachVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyVolume",
+ "ec2:CreateSnapshot"
 ],
- "Resource": [
- "arn:*:ec2:*:*:volume/*",
- "arn:*:ec2:*:*:snapshot/*"
- ]
+ "Resource": "arn:aws:ec2:*:*:volume/*"
 },
 {
 "Effect": "Allow",
 "Action": [
- "ec2:DeleteTags"
+ "ec2:CreateTags"
 ],
 "Resource": [
- "arn:*:ec2:*:*:volume/*",
- "arn:*:ec2:*:*:snapshot/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVolume"
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*"
 ],
- "Resource": "arn:*:ec2:*:*:volume/*",
 "Condition": {
- "StringLike": {
- "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+ "StringEquals": {
+ "ec2:CreateAction": [
+ "CreateVolume",
+ "CreateSnapshot"
+ ]
 }
 }
 },
 {
 "Effect": "Allow",
 "Action": [
- "ec2:CreateVolume"
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*"
 ],
- "Resource": "arn:*:ec2:*:*:volume/*",
 "Condition": {
- "StringLike": {
- "aws:RequestTag/CSIVolumeName": "*"
+ "StringNotLike": {
+ "aws:RequestTag/ebs.csi.aws.com/cluster": "*",
+ "aws:RequestTag/CSIVolumeName": "*",
+ "aws:RequestTag/CSIVolumeSnapshotName": "*",
+ "aws:RequestTag/kubernetes.io/created-for/pvc/name": "*"
 }
 }
 },
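Review bot: The new `ec2:AttachVolume`/`ec2:DetachVolume`/`ec2:ModifyVolume`/`ec2:CreateSnapshot` statement in this hunk is scoped to `arn:aws:ec2:*:*:volume/*` only, while the same statement in the `hack/e2e/kops/patch-cluster.yaml` hunk of this commit also lists `arn:aws:ec2:*:*:instance/*`; attach and detach are authorized against the instance ARN as well as the volume ARN, so the documented policy as written will be denied where the e2e policy succeeds. Add `"arn:aws:ec2:*:*:instance/*"` to that Resource list so the two copies agree. The added `ec2:CreateTags`/`ec2:DeleteTags` statement with `StringNotLike` on `aws:RequestTag/...` constrains which tag keys a request may carry, not which resources may be tagged, so it still grants tag writes on every volume and snapshot in the account; if the intent is to confine it to driver-owned resources, an `aws:ResourceTag/ebs.csi.aws.com/cluster` condition like the one the DeleteVolume/DeleteSnapshot statements use is the scoping that does that. The first statement also drops `ec2:EnableFastSnapshotRestores`, which is presumably only safe if the driver no longer calls it; a line in the commit message saying so would help, given the subject is still marked WIP.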
@@ -67,53 +65,45 @@
 "Action": [
 "ec2:CreateVolume"
 ],
- "Resource": "arn:*:ec2:*:*:snapshot/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
+ "Resource": "arn:aws:ec2:*:*:volume/*",
 "Condition": {
- "StringLike": {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+ "ForAnyValue:StringLike": {
+ "aws:RequestTag/ebs.csi.aws.com/cluster": "true",
+ "aws:RequestTag/CSIVolumeName": "*"
 }
 }
 },
 {
 "Effect": "Allow",
 "Action": [
- "ec2:DeleteVolume"
+ "ec2:CreateVolume"
 ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/CSIVolumeName": "*"
- }
- }
+ "Resource": "arn:aws:ec2:*:*:snapshot/*"
 },
 {
 "Effect": "Allow",
 "Action": [
 "ec2:DeleteVolume"
 ],
- "Resource": "*",
+ "Resource": "arn:aws:ec2:*:*:volume/*",
 "Condition": {
- "StringLike": {
- "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
+ "ForAnyValue:StringLike": {
+ "aws:ResourceTag/ebs.csi.aws.com/cluster": "true",
+ "aws:ResourceTag/CSIVolumeName": "*",
+ "aws:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
 }
 }
 },
 {
 "Effect": "Allow",
 "Action": [
- "ec2:DeleteSnapshot"
+ "ec2:CreateSnapshot"
 ],
- "Resource": "*",
+ "Resource": "arn:aws:ec2:*:*:snapshot/*",
 "Condition": {
- "StringLike": {
- "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
+ "ForAnyValue:StringLike": {
+ "aws:RequestTag/ebs.csi.aws.com/cluster": "true",
+ "aws:RequestTag/CSIVolumeSnapshotName": "*"
 }
 }
 },
@@ -122,10 +112,11 @@
 "Action": [
 "ec2:DeleteSnapshot"
 ],
- "Resource": "*",
+ "Resource": "arn:aws:ec2:*:*:snapshot/*",
 "Condition": {
- "StringLike": {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+ "ForAnyValue:StringLike": {
+ "aws:ResourceTag/ebs.csi.aws.com/cluster": "true",
+ "aws:ResourceTag/CSIVolumeSnapshotName": "*"
 }
 }
 }
diff --git a/hack/e2e/kops/patch-cluster.yaml b/hack/e2e/kops/patch-cluster.yaml
index ef15f9befc..78af5d0025 100644
--- a/hack/e2e/kops/patch-cluster.yaml
+++ b/hack/e2e/kops/patch-cluster.yaml
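Review bot: The `ForAnyValue:StringLike` blocks introduced in this hunk (CreateVolume, DeleteVolume, CreateSnapshot) and in the `@@ -122,10 +112,11 @@` hunk below list several different condition keys under one operator, and keys inside one operator block are ANDed; `ForAnyValue` only relaxes matching across multiple values of a single multivalued key, and `aws:RequestTag/<key>` and `aws:ResourceTag/<key>` are single-valued, so the DeleteVolume statement now requires all three tags, including `kubernetes.io/created-for/pvc/name`, and would deny deletion of a volume created without that tag. If the intent is "any one of these tags", split each statement into one statement per tag key, as the removed side of this hunk did, and use plain `StringLike`. AWS also documents set operators with single-valued keys as not recommended, so the same rewrite removes that warning as well. The two hunks of `hack/e2e/kops/patch-cluster.yaml` carry the identical pattern and should change together.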
@@ -30,61 +30,62 @@ spec:
 {
 "Effect": "Allow",
 "Action": [
- "ec2:CreateSnapshot",
- "ec2:AttachVolume",
- "ec2:DetachVolume",
- "ec2:ModifyVolume",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeInstances",
 "ec2:DescribeSnapshots",
 "ec2:DescribeTags",
 "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:EnableFastSnapshotRestores"
+ "ec2:DescribeVolumesModifications"
 ],
 "Resource": "*"
 },
 {
 "Effect": "Allow",
 "Action": [
- "ec2:CreateTags"
+ "ec2:AttachVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyVolume",
+ "ec2:CreateSnapshot"
 ],
 "Resource": [
- "arn:*:ec2:*:*:volume/*",
- "arn:*:ec2:*:*:snapshot/*"
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:instance/*"
 ]
 },
 {
 "Effect": "Allow",
 "Action": [
- "ec2:DeleteTags"
+ "ec2:CreateTags"
 ],
 "Resource": [
- "arn:*:ec2:*:*:volume/*",
- "arn:*:ec2:*:*:snapshot/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVolume"
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*"
 ],
- "Resource": "arn:*:ec2:*:*:volume/*",
 "Condition": {
- "StringLike": {
- "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+ "StringEquals": {
+ "ec2:CreateAction": [
+ "CreateVolume",
+ "CreateSnapshot"
+ ]
 }
 }
 },
 {
 "Effect": "Allow",
 "Action": [
- "ec2:CreateVolume"
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*"
 ],
- "Resource": "arn:*:ec2:*:*:volume/*",
 "Condition": {
- "StringLike": {
- "aws:RequestTag/CSIVolumeName": "*"
+ "StringNotLike": {
+ "aws:RequestTag/ebs.csi.aws.com/cluster": "*",
+ "aws:RequestTag/CSIVolumeName": "*",
+ "aws:RequestTag/CSIVolumeSnapshotName": "*",
+ "aws:RequestTag/kubernetes.io/created-for/pvc/name": "*"
 }
 }
 },
@@ -93,53 +94,45 @@ spec:
 "Action": [
 "ec2:CreateVolume"
 ],
- "Resource": "arn:*:ec2:*:*:snapshot/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
+ "Resource": "arn:aws:ec2:*:*:volume/*",
 "Condition": {
- "StringLike": {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+ "ForAnyValue:StringLike": {
+ "aws:RequestTag/ebs.csi.aws.com/cluster": "true",
+ "aws:RequestTag/CSIVolumeName": "*"
 }
 }
 },
 {
 "Effect": "Allow",
 "Action": [
- "ec2:DeleteVolume"
+ "ec2:CreateVolume"
 ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/CSIVolumeName": "*"
- }
- }
+ "Resource": "arn:aws:ec2:*:*:snapshot/*"
 },
 {
 "Effect": "Allow",
 "Action": [
 "ec2:DeleteVolume"
 ],
- "Resource": "*",
+ "Resource": "arn:aws:ec2:*:*:volume/*",
 "Condition": {
- "StringLike": {
- "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
+ "ForAnyValue:StringLike": {
+ "aws:ResourceTag/ebs.csi.aws.com/cluster": "true",
+ "aws:ResourceTag/CSIVolumeName": "*",
+ "aws:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
 }
 }
 },
 {
 "Effect": "Allow",
 "Action": [
- "ec2:DeleteSnapshot"
+ "ec2:CreateSnapshot"
 ],
- "Resource": "*",
+ "Resource": "arn:aws:ec2:*:*:snapshot/*",
 "Condition": {
- "StringLike": {
- "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
+ "ForAnyValue:StringLike": {
+ "aws:RequestTag/ebs.csi.aws.com/cluster": "true",
+ "aws:RequestTag/CSIVolumeSnapshotName": "*"
 }
 }
 },
@@ -148,10 +141,11 @@ spec:
 "Action": [
 "ec2:DeleteSnapshot"
 ],
- "Resource": "*",
+ "Resource": "arn:aws:ec2:*:*:snapshot/*",
 "Condition": {
- "StringLike": {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+ "ForAnyValue:StringLike": {
+ "aws:ResourceTag/ebs.csi.aws.com/cluster": "true",
+ "aws:ResourceTag/CSIVolumeSnapshotName": "*"
 }
 }
 }