
Commit 19bac18

authored
Merge pull request #4132 from ryan-dyer-sp/Issue-4046
4046 - Add AssumeRole and update appropriate tests
2 parents 6827ce3 + 49832b3 commit 19bac18

7 files changed

+502
-0
lines changed

cmd/clusterawsadm/api/bootstrap/v1alpha1/zz_generated.conversion.go

Lines changed: 1 addition & 0 deletions

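--- a/cmd/clusterawsadm/api/bootstrap/v1beta1/types.go
+++ b/cmd/clusterawsadm/api/bootstrap/v1beta1/types.go
@@ -224,6 +224,9 @@ type AWSIAMConfigurationSpec struct {
 // TODO: This field could be a pointer, but it seems it breaks setting default values?
 // +optional
 S3Buckets S3Buckets `json:"s3Buckets,omitempty"`
+
+// AllowAssumeRole enables the sts:AssumeRole permission within the CAPA policies
+AllowAssumeRole bool `json:"allowAssumeRole,omitempty"`
 }
 
 // GetObjectKind returns the AAWSIAMConfiguration's TypeMeta.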
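Review bot: The new AllowAssumeRole field is missing the `// +optional` marker that the neighbouring S3Buckets field carries, even though its JSON tag uses `omitempty` and the zero value is the intended default; for consistency with the rest of the struct, add `// +optional` on the line above the field. The doc comment also does not say that the permission stays off unless the field is explicitly set, which is the detail an operator reviewing the generated policy needs; suggest `// AllowAssumeRole enables the sts:AssumeRole permission within the CAPA policies. It is disabled by default.`. The AWSIAMConfigurationSpec struct starts outside this hunk.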

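--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -252,6 +252,15 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 })
 }
 }
+if t.Spec.AllowAssumeRole {
+statement = append(statement, iamv1.StatementEntry{
+Effect: iamv1.EffectAllow,
+Resource: t.allowedEC2InstanceProfiles(),
+Action: iamv1.Actions{
+"sts:AssumeRole",
+},
+})
+}
 if t.Spec.S3Buckets.Enable {
 statement = append(statement, iamv1.StatementEntry{
 Effect: iamv1.EffectAllow,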
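Review bot: The Resource of the new sts:AssumeRole statement is `t.allowedEC2InstanceProfiles()`, whose body is outside this hunk; sts:AssumeRole is evaluated against role ARNs, so if that helper returns instance-profile ARNs the statement is ineffective, and if it returns a wildcard pattern it lets the controller assume any matching role in the account, which is a larger grant than the other statements in this policy. Worth confirming the helper's return values and, if they are not role ARNs, adding a dedicated role-ARN list for this statement. Since this is the one opt-in that expands the controller's reach, a why-comment above the branch would help reviewers of the generated policy, e.g. `// Opt-in (AllowAssumeRole): lets the controller call sts:AssumeRole on the resources returned by allowedEC2InstanceProfiles; disabled by default.`. ControllersPolicy starts and ends outside the hunk.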
