From 7832150f298248eb219145bd080079b16f9cb3cf Mon Sep 17 00:00:00 2001
From: Richard Case
Date: Tue, 15 Oct 2024 07:59:09 +0100
Subject: [PATCH] fix: add missing permissions for nlb

This adds a missing permission required when using nlbs.

Signed-off-by: Richard Case
---
 .../cloud_provider_integration_control_plane.go | 1 +
 .../bootstrap/cluster_api_controller.go | 13 +++++++++----
 .../bootstrap/fixtures/customsuffix.yaml | 2 ++
 .../cloudformation/bootstrap/fixtures/default.yaml | 2 ++
 .../fixtures/with_all_secret_backends.yaml | 2 ++
 .../bootstrap/fixtures/with_allow_assume_role.yaml | 2 ++
 .../bootstrap/fixtures/with_bootstrap_user.yaml | 2 ++
 .../fixtures/with_custom_bootstrap_user.yaml | 2 ++
 .../fixtures/with_different_instance_profiles.yaml | 2 ++
 .../bootstrap/fixtures/with_eks_console.yaml | 2 ++
 .../bootstrap/fixtures/with_eks_default_roles.yaml | 2 ++
 .../bootstrap/fixtures/with_eks_disable.yaml | 2 ++
 .../bootstrap/fixtures/with_eks_kms_prefix.yaml | 2 ++
 .../bootstrap/fixtures/with_extra_statements.yaml | 2 ++
 .../bootstrap/fixtures/with_s3_bucket.yaml | 2 ++
 .../bootstrap/fixtures/with_ssm_secret_backend.yaml | 2 ++
 16 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cloud_provider_integration_control_plane.go b/cmd/clusterawsadm/cloudformation/bootstrap/cloud_provider_integration_control_plane.go
index 5a63225fbf..bc81ecef29 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/cloud_provider_integration_control_plane.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cloud_provider_integration_control_plane.go
@@ -67,6 +67,7 @@ func (t Template) cloudProviderControlPlaneAwsPolicy() *iamv1.PolicyDocument {
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:SetSecurityGroups",
 "elasticloadbalancing:CreateLoadBalancer",
 "elasticloadbalancing:CreateLoadBalancerPolicy",
 "elasticloadbalancing:CreateLoadBalancerListeners",
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
index f3cb407c75..049de10431 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -161,6 +161,7 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:SetSecurityGroups",
 "elasticloadbalancing:DescribeTags",
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
@@ -415,7 +416,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 "arn:*:iam::*:role/*",
 },
 Effect: iamv1.EffectAllow,
- }, {
+ },
+ {
 Action: iamv1.Actions{
 "iam:GetPolicy",
 },
@@ -423,7 +425,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 t.generateAWSManagedPolicyARN(eksClusterPolicyName),
 },
 Effect: iamv1.EffectAllow,
- }, {
+ },
+ {
 Action: iamv1.Actions{
 "eks:DescribeCluster",
 "eks:ListClusters",
@@ -449,7 +452,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 "arn:*:eks:*:*:nodegroup/*/*/*",
 },
 Effect: iamv1.EffectAllow,
- }, {
+ },
+ {
 Action: iamv1.Actions{
 "ec2:AssociateVpcCidrBlock",
 "ec2:DisassociateVpcCidrBlock",
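Review bot: The new `"elasticloadbalancing:SetSecurityGroups"` entry in cloudProviderControlPlaneAwsPolicy carries no comment recording why it is granted, and the same applies to the identical addition in the ControllersPolicy hunk at -161. The commit message only says it is needed for NLBs; a one-line note next to the action would stop a later least-privilege review from treating it as a stray grant, e.g. `// SetSecurityGroups is an ELBv2 action; needed when security groups are managed on NLBs.`. Because this action changes which security groups front a load balancer, it is also worth confirming that the statement's Resource (outside the hunk) is no wider than what the neighbouring ApplySecurityGroupsToLoadBalancer grant already covers. Both enclosing policy functions start and end outside their hunks.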
@@ -468,7 +472,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 "*",
 },
 Effect: iamv1.EffectAllow,
- }, {
+ },
+ {
 Action: iamv1.Actions{
 "iam:PassRole",
 },
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
index 5031f59964..7909fe12d5 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -220,6 +221,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml
index aae74b87be..a9290741ba 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -220,6 +221,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml
index 0929a3a64a..fa7b5a4d95 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -226,6 +227,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml
index f5d47e6d2b..2390d86097 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -220,6 +221,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml
index d391de851b..930b879c2e 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml
@@ -57,6 +57,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -226,6 +227,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml
index 8ebe0836cd..50b9bb3182 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml
@@ -57,6 +57,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -226,6 +227,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml
index aae239179d..478967b404 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -220,6 +221,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml
index 02f1b6b74a..ae2e279062 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -220,6 +221,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
index 9ce2db9f3c..3ca015276a 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -220,6 +221,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml
index cf9a249319..57c08e20cc 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -220,6 +221,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml
index 18467a9df7..0bacb55e5c 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -220,6 +221,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml
index 8c4af02490..b864e1c1b3 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml
@@ -57,6 +57,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -226,6 +227,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml
index e1f1e332ed..b376d7cab8 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -220,6 +221,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
index 4f282a6394..edc07671d6 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -220,6 +221,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer