diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cloud_provider_integration_control_plane.go b/cmd/clusterawsadm/cloudformation/bootstrap/cloud_provider_integration_control_plane.go
index 5a63225fbf..bc81ecef29 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/cloud_provider_integration_control_plane.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cloud_provider_integration_control_plane.go
@@ -67,6 +67,7 @@ func (t Template) cloudProviderControlPlaneAwsPolicy() *iamv1.PolicyDocument {
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:SetSecurityGroups",
 "elasticloadbalancing:CreateLoadBalancer",
 "elasticloadbalancing:CreateLoadBalancerPolicy",
 "elasticloadbalancing:CreateLoadBalancerListeners",
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
index 905403cedd..7588385433 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -159,6 +159,7 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:SetSecurityGroups",
 "elasticloadbalancing:DescribeTags",
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
@@ -413,7 +414,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 "arn:*:iam::*:role/*",
 },
 Effect: iamv1.EffectAllow,
- }, {
+ },
+ {
 Action: iamv1.Actions{
 "iam:GetPolicy",
 },
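Review bot: The new `"elasticloadbalancing:SetSecurityGroups"` entry in the action list of cloudProviderControlPlaneAwsPolicy() (and the identical addition in ControllersPolicy() in cluster_api_controller.go) carries no comment saying why it is needed, and the Resource and Condition of the enclosing statements lie outside both hunks, so the scope of the new grant cannot be checked from here. SetSecurityGroups overrides the full security-group set on an ELBv2 load balancer, so if those statements use `Resource: "*"` the control-plane and controller roles could change the security groups of any load balancer in the account, not only cluster-owned ones. Consider placing the action in a statement restricted to cluster-owned load balancers (for example by load balancer ARN or a resource-tag condition, if the action supports it for your use case). At minimum I would add `// SetSecurityGroups is the ELBv2 (ALB/NLB) counterpart of ApplySecurityGroupsToLoadBalancer.` above the new line in both lists. Both functions start and end outside the hunks shown.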
@@ -421,7 +423,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 t.generateAWSManagedPolicyARN(eksClusterPolicyName),
 },
 Effect: iamv1.EffectAllow,
- }, {
+ },
+ {
 Action: iamv1.Actions{
 "eks:DescribeCluster",
 "eks:ListClusters",
@@ -447,7 +450,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 "arn:*:eks:*:*:nodegroup/*/*/*",
 },
 Effect: iamv1.EffectAllow,
- }, {
+ },
+ {
 Action: iamv1.Actions{
 "ec2:AssociateVpcCidrBlock",
 "ec2:DisassociateVpcCidrBlock",
@@ -466,7 +470,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 "*",
 },
 Effect: iamv1.EffectAllow,
- }, {
+ },
+ {
 Action: iamv1.Actions{
 "iam:PassRole",
 },
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
index 3afd943654..06b4fc3df2 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -218,6 +219,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml
index 4c25142282..e716a43262 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -218,6 +219,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml
index b342bfeb92..55cf12f65c 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -224,6 +225,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml
index 31468775d6..73e1b077ac 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -218,6 +219,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml
index 5f6e9ffa21..1d51794187 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml
@@ -57,6 +57,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -224,6 +225,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml
index 7e4564e7b4..41787af70d 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml
@@ -57,6 +57,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -224,6 +225,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml
index 5a0c91d1bb..351cfd9301 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -218,6 +219,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml
index 1010746967..7a4433a254 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -218,6 +219,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
index 7880019781..de59b4d6e5 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -218,6 +219,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml
index be85872a9e..215b2de6e8 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -218,6 +219,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml
index 037f81cc82..6cfee44e29 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -218,6 +219,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml
index c1f9a0ca90..dfa786e693 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml
@@ -57,6 +57,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -224,6 +225,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml
index 659616c606..e38a22aac6 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -218,6 +219,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
index 327487795c..0ba2d5fc7d 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
@@ -53,6 +53,7 @@ Resources:
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:AttachLoadBalancerToSubnets
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:CreateLoadBalancer
 - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateLoadBalancerListeners
@@ -218,6 +219,7 @@ Resources:
 - elasticloadbalancing:DescribeLoadBalancerAttributes
 - elasticloadbalancing:DescribeTargetGroups
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:DescribeTags
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer