Merge pull request #11086 from justinsb/controlplane_should_not_need_…
…dns_permissions

Don't add control-plane DNS permissions with UseServiceAccountIAM
k8s-ci-robot authored Mar 20, 2021
2 parents bf2105b + d7683d8 commit 2b46042
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions pkg/model/iam/iam_builder.go
@@ -257,10 +257,12 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys), b.Cluster.Spec.IAM.Legacy)
}

if b.Cluster.Spec.IAM.Legacy {
addLegacyDNSControllerPermissions(b, p)
if !b.UseServiceAccountIAM {
if b.Cluster.Spec.IAM.Legacy {
addLegacyDNSControllerPermissions(b, p)
}
AddDNSControllerPermissions(b, p)
}
AddDNSControllerPermissions(b, p)

if b.Cluster.Spec.IAM.Legacy || b.Cluster.Spec.IAM.AllowContainerRegistry {
addECRPermissions(p)
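Review bot: The new `if !b.UseServiceAccountIAM {` guard carries no comment saying where the DNS controller gets its permissions when the flag is set, and the commit changes only this one file, so no test pins the narrower control-plane policy. A comment above the guard such as `// With UseServiceAccountIAM the DNS controller gets these permissions from its own service-account role, so the instance role must not carry them.` would record the intent; that reading is inferred from the commit title and should be confirmed. A policy test for the control-plane role with UseServiceAccountIAM set, asserting that neither addLegacyDNSControllerPermissions nor AddDNSControllerPermissions contributes statements, would stop these grants from drifting back onto the instance role, where presumably any workload able to use the instance credentials would inherit them. BuildAWSPolicy starts and ends outside the hunk, so whether anything else on the control plane still depends on these DNS permissions cannot be checked from here.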