diff --git a/docs/example-iam-policy.json b/docs/example-iam-policy.json
index 8ac21f13b2..311e99e2db 100644
--- a/docs/example-iam-policy.json
+++ b/docs/example-iam-policy.json
@@ -1,191 +1,269 @@ { - "Version": "2012-10-17", - "Statement": [ + "Version" : "2012-10-17", + "Statement" : [ { - "Effect": "Allow", - "Action": [ + "Effect" : "Allow", + "Action" : [ "ec2:DescribeAvailabilityZones", "ec2:DescribeInstances", "ec2:DescribeSnapshots", - "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVolumeStatus" ], - "Resource": "*" + "Resource" : "*" }, { - "Effect": "Allow", - "Action": [ - "ec2:CreateSnapshot", - "ec2:ModifyVolume" + "Effect" : "Allow", + "Action" : [ + "ec2:CreateVolume", + "ec2:CopyVolumes" ], - "Resource": "arn:aws:ec2:*:*:volume/*" + "Resource" : "arn:aws:ec2:*:*:volume/*", + "Condition" : { + "StringLike" : { + "aws:RequestTag/ebs.csi.aws.com/cluster" : "true" + } + } }, { - "Effect": "Allow", - "Action": [ + "Effect" : "Allow", + "Action" : [ + "ec2:CreateVolume", "ec2:CopyVolumes" ], - "Resource": [ - "arn:aws:ec2:*:*:volume/vol-*" - ] + "Resource" : "arn:aws:ec2:*:*:volume/*", + "Condition" : { + "StringLike" : { + "aws:RequestTag/CSIVolumeName" : "*" + } + } }, { - "Effect": "Allow", - "Action": [ - "ec2:AttachVolume", - "ec2:DetachVolume" + "Effect" : "Allow", + "Action" : [ + "ec2:CopyVolumes" ], - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:instance/*" - ] + "Resource" : "arn:aws:ec2:*:*:volume/vol-*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" + } + } }, { - "Effect": "Allow", - "Action": [ - "ec2:CreateVolume", - "ec2:EnableFastSnapshotRestores" + "Effect" : "Allow", + "Action" : [ + "ec2:CopyVolumes" ], - "Resource": "arn:aws:ec2:*:*:snapshot/*" + "Resource" : "arn:aws:ec2:*:*:volume/vol-*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/kubernetes.io/created-for/pvc/name" : "*" + } + } }, { - "Effect": "Allow", - "Action": [ - "ec2:CreateTags" + "Effect" : "Allow", + "Action" : [ + "ec2:CreateSnapshot" ], - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" + "Resource" 
: "arn:aws:ec2:*:*:snapshot/*", + "Condition" : { + "StringLike" : { + "aws:RequestTag/CSIVolumeSnapshotName" : "*" + } + } + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:CreateSnapshot" ], - "Condition": { - "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot", - "CopyVolumes" - ] + "Resource" : "arn:aws:ec2:*:*:snapshot/*", + "Condition" : { + "StringLike" : { + "aws:RequestTag/ebs.csi.aws.com/cluster" : "true" } } }, { - "Effect": "Allow", - "Action": [ - "ec2:DeleteTags" + "Effect" : "Allow", + "Action" : [ + "ec2:CreateSnapshot", + "ec2:ModifyVolume" ], - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] + "Resource" : "arn:aws:ec2:*:*:volume/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" + } + } }, { - "Effect": "Allow", - "Action": [ - "ec2:CreateVolume", - "ec2:CopyVolumes" + "Effect" : "Allow", + "Action" : [ + "ec2:ModifyVolume" ], - "Resource": "arn:aws:ec2:*:*:volume/*", - "Condition": { - "StringLike": { - "aws:RequestTag/ebs.csi.aws.com/cluster": "true" + "Resource" : "arn:aws:ec2:*:*:volume/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/kubernetes.io/created-for/pvc/name" : "*" } } }, { - "Effect": "Allow", - "Action": [ + "Effect" : "Allow", + "Action" : [ "ec2:CreateVolume", - "ec2:CopyVolumes" + "ec2:EnableFastSnapshotRestores" ], - "Resource": "arn:aws:ec2:*:*:volume/*", - "Condition": { - "StringLike": { - "aws:RequestTag/CSIVolumeName": "*" + "Resource" : "arn:aws:ec2:*:*:snapshot/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" } } }, { - "Effect": "Allow", - "Action": [ + "Effect" : "Allow", + "Action" : [ + "ec2:AttachVolume", + "ec2:DetachVolume" + ], + "Resource" : "arn:aws:ec2:*:*:volume/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" + } + } + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:AttachVolume", + "ec2:DetachVolume" 
+ ], + "Resource" : "arn:aws:ec2:*:*:volume/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/kubernetes.io/created-for/pvc/name" : "*" + } + } + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:AttachVolume", + "ec2:DetachVolume" + ], + "Resource" : "arn:aws:ec2:*:*:instance/*" + }, + { + "Effect" : "Allow", + "Action" : [ "ec2:DeleteVolume" ], - "Resource": "arn:aws:ec2:*:*:volume/*", - "Condition": { - "StringLike": { - "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + "Resource" : "arn:aws:ec2:*:*:volume/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" } } }, { - "Effect": "Allow", - "Action": [ + "Effect" : "Allow", + "Action" : [ "ec2:DeleteVolume" ], - "Resource": "arn:aws:ec2:*:*:volume/*", - "Condition": { - "StringLike": { - "ec2:ResourceTag/CSIVolumeName": "*" + "Resource" : "arn:aws:ec2:*:*:volume/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/CSIVolumeName" : "*" } } }, { - "Effect": "Allow", - "Action": [ + "Effect" : "Allow", + "Action" : [ "ec2:DeleteVolume" ], - "Resource": "arn:aws:ec2:*:*:volume/*", - "Condition": { - "StringLike": { - "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*" + "Resource" : "arn:aws:ec2:*:*:volume/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/kubernetes.io/created-for/pvc/name" : "*" } } }, { - "Effect": "Allow", - "Action": [ - "ec2:CreateSnapshot" + "Effect" : "Allow", + "Action" : [ + "ec2:DeleteSnapshot", + "ec2:LockSnapshot" + ], + "Resource" : "arn:aws:ec2:*:*:snapshot/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/CSIVolumeSnapshotName" : "*" + } + } + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:DeleteSnapshot", + "ec2:LockSnapshot" ], - "Resource": "arn:aws:ec2:*:*:snapshot/*", - "Condition": { - "StringLike": { - "aws:RequestTag/CSIVolumeSnapshotName": "*" + "Resource" : "arn:aws:ec2:*:*:snapshot/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" } } }, { - 
"Effect": "Allow", - "Action": [ - "ec2:CreateSnapshot" + "Effect" : "Allow", + "Action" : [ + "ec2:CreateTags" + ], + "Resource" : [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" ], - "Resource": "arn:aws:ec2:*:*:snapshot/*", - "Condition": { - "StringLike": { - "aws:RequestTag/ebs.csi.aws.com/cluster": "true" + "Condition" : { + "StringEquals" : { + "ec2:CreateAction" : [ + "CreateVolume", + "CreateSnapshot", + "CopyVolumes" + ] } } }, { - "Effect": "Allow", - "Action": [ - "ec2:DeleteSnapshot" + "Effect" : "Allow", + "Action" : [ + "ec2:CreateTags" ], - "Resource": "arn:aws:ec2:*:*:snapshot/*", - "Condition": { - "StringLike": { - "ec2:ResourceTag/CSIVolumeSnapshotName": "*" + "Resource" : "arn:aws:ec2:*:*:volume/*", + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" } } }, { - "Effect": "Allow", - "Action": [ - "ec2:DeleteSnapshot" + "Effect" : "Allow", + "Action" : [ + "ec2:DeleteTags" + ], + "Resource" : [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" ], - "Resource": "arn:aws:ec2:*:*:snapshot/*", - "Condition": { - "StringLike": { - "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" } } } diff --git a/hack/e2e/eksctl/cluster.yaml b/hack/e2e/eksctl/cluster.yaml index 2c7f42ae4c..63c751a8d3 100644 --- a/hack/e2e/eksctl/cluster.yaml +++ b/hack/e2e/eksctl/cluster.yaml 
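Review bot: Every mutating statement in the new policy is gated on tags, which turns tag writes into permission grants, and the gating tag `ebs.csi.aws.com/cluster` carries the constant value `true` rather than a cluster identifier, so a controller holding this role is in scope of every cluster in the account that uses the driver, and any principal with `ec2:CreateTags` on volumes can pull an arbitrary volume into scope of `ec2:DeleteVolume`/`ec2:ModifyVolume`/`ec2:AttachVolume` by adding `kubernetes.io/created-for/pvc/name` with any value (`StringLike` `"*"` accepts anything, including an empty string). JSON cannot carry this caveat inline, so the page that links to this example should state the trust assumption and recommend restricting who may set these tag keys (tag policy or SCP) if isolation between clusters or from other account principals is expected. Separately, `ec2:CreateSnapshot` on `volume/*` is conditioned only on the cluster tag, while `ModifyVolume`, `AttachVolume`/`DetachVolume`, `DeleteVolume` and `CopyVolumes` each get a `kubernetes.io/created-for/pvc/name` variant; if volumes that carry only the legacy tag are meant to be supported, snapshotting them will be denied by this policy, and the old unconditioned statement allowed it — confirm whether that gap is intended.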
@@ -26,17 +26,21 @@ iam: - metadata: name: ebs-csi-controller-sa namespace: kube-system - wellKnownPolicies: - ebsCSIController: true attachPolicy: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Action: - - ec2:CopyVolumes - Resource: "arn:aws:ec2:*:*:volume/vol-*" + - ec2:DescribeAvailabilityZones + - ec2:DescribeInstances + - ec2:DescribeSnapshots + - ec2:DescribeVolumes + - ec2:DescribeVolumesModifications + - ec2:DescribeVolumeStatus + Resource: "*" - Effect: Allow Action: + - ec2:CreateVolume - ec2:CopyVolumes Resource: "arn:aws:ec2:*:*:volume/*" Condition: 
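Review bot: The Describe statement added here uses `Resource: "*"` with no condition, which is correct but undocumented, and now that the `wellKnownPolicies.ebsCSIController` grant is removed this inline policy is the only authorization the e2e controller has, so the next least-privilege pass is likely to try to scope it. The EC2 `Describe*` actions do not support resource-level permissions, so narrowing this would only break the driver; add a comment above the statement, e.g. `# ec2:Describe* has no resource-level permissions; "*" is required here`. The `attachPolicy` block continues into the next hunk.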
@@ -44,19 +48,127 @@ iam: "aws:RequestTag/ebs.csi.aws.com/cluster": "true" - Effect: Allow Action: + - ec2:CreateVolume - ec2:CopyVolumes Resource: "arn:aws:ec2:*:*:volume/*" Condition: StringLike: "aws:RequestTag/CSIVolumeName": "*" + - Effect: Allow + Action: + - ec2:CopyVolumes + Resource: "arn:aws:ec2:*:*:volume/vol-*" + Condition: + StringLike: + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + - Effect: Allow + Action: + - ec2:CreateSnapshot + Resource: "arn:aws:ec2:*:*:snapshot/*" + Condition: + StringLike: + "aws:RequestTag/CSIVolumeSnapshotName": "*" + - Effect: Allow + Action: + - ec2:CreateSnapshot + Resource: "arn:aws:ec2:*:*:snapshot/*" + Condition: + StringLike: + "aws:RequestTag/ebs.csi.aws.com/cluster": "true" + - Effect: Allow + Action: + - ec2:CreateSnapshot + - ec2:ModifyVolume + Resource: "arn:aws:ec2:*:*:volume/*" + Condition: + StringLike: + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + - Effect: Allow + Action: + - ec2:CreateVolume + - ec2:EnableFastSnapshotRestores + Resource: "arn:aws:ec2:*:*:snapshot/*" + Condition: + StringLike: + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + - Effect: Allow + Action: + - ec2:AttachVolume + - ec2:DetachVolume + Resource: "arn:aws:ec2:*:*:volume/*" + Condition: + StringLike: + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + - Effect: Allow + Action: + - ec2:AttachVolume + - ec2:DetachVolume + Resource: "arn:aws:ec2:*:*:instance/*" + - Effect: Allow + Action: + - ec2:DeleteVolume + Resource: "arn:aws:ec2:*:*:volume/*" + Condition: + StringLike: + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + - Effect: Allow + Action: + - ec2:DeleteVolume + Resource: "arn:aws:ec2:*:*:volume/*" + Condition: + StringLike: + "ec2:ResourceTag/CSIVolumeName": "*" + - Effect: Allow + Action: + - ec2:DeleteVolume + Resource: "arn:aws:ec2:*:*:volume/*" + Condition: + StringLike: + "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*" + - Effect: Allow + Action: + - ec2:DeleteSnapshot + - ec2:LockSnapshot 
+ Resource: "arn:aws:ec2:*:*:snapshot/*" + Condition: + StringLike: + "ec2:ResourceTag/CSIVolumeSnapshotName": "*" + - Effect: Allow + Action: + - ec2:DeleteSnapshot + - ec2:LockSnapshot + Resource: "arn:aws:ec2:*:*:snapshot/*" + Condition: + StringLike: + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" - Effect: Allow Action: - ec2:CreateTags Resource: - "arn:aws:ec2:*:*:volume/*" + - "arn:aws:ec2:*:*:snapshot/*" Condition: StringEquals: - "ec2:CreateAction": "CopyVolumes" + "ec2:CreateAction": + - CreateVolume + - CreateSnapshot + - CopyVolumes + - Effect: Allow + Action: + - ec2:CreateTags + Resource: "arn:aws:ec2:*:*:volume/*" + Condition: + StringLike: + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + - Effect: Allow + Action: + - ec2:DeleteTags + Resource: + - "arn:aws:ec2:*:*:volume/*" + - "arn:aws:ec2:*:*:snapshot/*" + Condition: + StringLike: + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" managedNodeGroups: - name: ng-linux amiFamily: {{ .Env.AMI_FAMILY }} diff --git a/hack/e2e/kops/patch-cluster.yaml b/hack/e2e/kops/patch-cluster.yaml index b734e49e0d..3e8486de55 100644 --- a/hack/e2e/kops/patch-cluster.yaml +++ b/hack/e2e/kops/patch-cluster.yaml @@ -47,7 +47,6 @@ spec: "ec2:DescribeAvailabilityZones", "ec2:DescribeInstances", "ec2:DescribeSnapshots", - "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVolumeStatus" 
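Review bot: This inline policy has drifted from `docs/example-iam-policy.json` in the same commit: the documented example grants `ec2:CopyVolumes`, `ec2:ModifyVolume` and `ec2:AttachVolume`/`ec2:DetachVolume` on volumes tagged `kubernetes.io/created-for/pvc/name`, and none of those three statements appears in the e2e policy (only the `ec2:DeleteVolume` variant does). Either the e2e run does not exercise those grants and users copying the example get permissions nobody tests, or the e2e cluster does not need them and the example is over-broad; with the same policy now maintained by hand in three files (docs JSON, eksctl YAML, kops YAML) a test that renders this YAML and diffs it against the JSON would catch the next divergence. The `attachPolicy` block this hunk completes begins in the previous hunk.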
@@ -57,94 +56,112 @@ spec: { "Effect": "Allow", "Action": [ - "ec2:CreateSnapshot", - "ec2:ModifyVolume" + "ec2:CreateVolume", + "ec2:CopyVolumes" ], - "Resource": "arn:aws:ec2:*:*:volume/*" + "Resource": "arn:aws:ec2:*:*:volume/*", + "Condition": { + "StringLike": { + "aws:RequestTag/ebs.csi.aws.com/cluster": "true" + } + } }, { "Effect": "Allow", "Action": [ + "ec2:CreateVolume", "ec2:CopyVolumes" ], - "Resource": [ - "arn:aws:ec2:*:*:volume/vol-*" - ] + "Resource": "arn:aws:ec2:*:*:volume/*", + "Condition": { + "StringLike": { + "aws:RequestTag/CSIVolumeName": "*" + } + } }, { "Effect": "Allow", "Action": [ - "ec2:AttachVolume", - "ec2:DetachVolume" + "ec2:CopyVolumes" ], - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:instance/*" - ] + "Resource": "arn:aws:ec2:*:*:volume/vol-*", + "Condition": { + "StringLike": { + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + } + } }, { "Effect": "Allow", "Action": [ - "ec2:CreateVolume", - "ec2:EnableFastSnapshotRestores" + "ec2:CreateSnapshot" ], - "Resource": "arn:aws:ec2:*:*:snapshot/*" + "Resource": "arn:aws:ec2:*:*:snapshot/*", + "Condition": { + "StringLike": { + "aws:RequestTag/CSIVolumeSnapshotName": "*" + } + } }, { "Effect": "Allow", "Action": [ - "ec2:CreateTags" - ], - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" + "ec2:CreateSnapshot" ], + "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { - "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot", - "CopyVolumes" - ] + "StringLike": { + "aws:RequestTag/ebs.csi.aws.com/cluster": "true" } } }, { "Effect": "Allow", "Action": [ - "ec2:DeleteTags" + "ec2:CreateSnapshot", + "ec2:ModifyVolume" ], - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] + "Resource": "arn:aws:ec2:*:*:volume/*", + "Condition": { + "StringLike": { + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + } + } }, { "Effect": "Allow", "Action": [ "ec2:CreateVolume", - "ec2:CopyVolumes" + 
"ec2:EnableFastSnapshotRestores" ], - "Resource": "arn:aws:ec2:*:*:volume/*", + "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { - "aws:RequestTag/ebs.csi.aws.com/cluster": "true" + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" } } }, { "Effect": "Allow", "Action": [ - "ec2:CreateVolume", - "ec2:CopyVolumes" + "ec2:AttachVolume", + "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "StringLike": { - "aws:RequestTag/CSIVolumeName": "*" + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" } } }, + { + "Effect": "Allow", + "Action": [ + "ec2:AttachVolume", + "ec2:DetachVolume" + ], + "Resource": "arn:aws:ec2:*:*:instance/*" + }, { "Effect": "Allow", "Action": [ 
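Review bot: The `ec2:CreateVolume` grant on `snapshot/*` is now conditioned on `ec2:ResourceTag/ebs.csi.aws.com/cluster: true`, where the removed statement had no condition, so restoring a PVC from a snapshot the driver did not create — a pre-provisioned VolumeSnapshotContent, or a snapshot copied in from another account or tool — will be denied unless someone first tags the snapshot. If that is the intended trade-off it needs to be written down next to the policy; if not, a second statement keyed on `ec2:ResourceTag/CSIVolumeSnapshotName` (or an explicit opt-in tag) would keep restores working without reopening `snapshot/*`. Lower down in the hunk `ec2:AttachVolume`/`ec2:DetachVolume` on `instance/*` remains unconditioned; if kops tags nodes with a cluster-identifying key, an `ec2:ResourceTag` condition on that key would keep the role from attaching volumes to instances outside the cluster. The last statement in this hunk is cut off at `"Action": [` and continues outside the hunk.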
@@ -184,45 +201,69 @@ spec: { "Effect": "Allow", "Action": [ - "ec2:CreateSnapshot" + "ec2:DeleteSnapshot", + "ec2:LockSnapshot" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { - "aws:RequestTag/CSIVolumeSnapshotName": "*" + "ec2:ResourceTag/CSIVolumeSnapshotName": "*" } } }, { "Effect": "Allow", "Action": [ - "ec2:CreateSnapshot" + "ec2:DeleteSnapshot", + "ec2:LockSnapshot" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { - "aws:RequestTag/ebs.csi.aws.com/cluster": "true" + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" } } }, { "Effect": "Allow", "Action": [ - "ec2:DeleteSnapshot" + "ec2:CreateTags" ], - "Resource": "arn:aws:ec2:*:*:snapshot/*", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ], + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot", + "CopyVolumes" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "StringLike": { - "ec2:ResourceTag/CSIVolumeSnapshotName": "*" + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" } } }, { "Effect": "Allow", "Action": [ - "ec2:DeleteSnapshot" + "ec2:DeleteTags" + ], + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" ], - "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"