From 5d1e7bcf82f2d4231962aa21378d1444e42763c2 Mon Sep 17 00:00:00 2001
From: Justin SB
Date: Tue, 1 Sep 2020 11:34:42 -0400
Subject: [PATCH] Refactor IAM route53 construction

This helps for the JWKS / ServiceAccount role support.
---
 pkg/model/iam/iam_builder.go | 47 ++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 24 deletions(-)

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 4b20bfc02842a..e7c921f0f0c7e 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -169,13 +169,7 @@ func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error) {
 addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys), b.Cluster.Spec.IAM.Legacy)
 }
 
- if b.HostedZoneID != "" {
- b.addRoute53Permissions(p, b.HostedZoneID)
- }
-
- if b.Cluster.Spec.IAM.Legacy {
- addRoute53ListHostedZonesPermission(p)
- }
+ b.addRoute53Permissions(p)
 
 if b.Cluster.Spec.IAM.Legacy || b.Cluster.Spec.IAM.AllowContainerRegistry {
 addECRPermissions(p)
@@ -211,12 +205,7 @@ func (b *PolicyBuilder) BuildAWSPolicyNode() (*Policy, error) {
 return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
 }
 
- if b.Cluster.Spec.IAM.Legacy {
- if b.HostedZoneID != "" {
- b.addRoute53Permissions(p, b.HostedZoneID)
- }
- addRoute53ListHostedZonesPermission(p)
- }
+ b.addRoute53Permissions(p)
 
 if b.Cluster.Spec.IAM.Legacy || b.Cluster.Spec.IAM.AllowContainerRegistry {
 addECRPermissions(p)
@@ -581,11 +570,30 @@ func addECRPermissions(p *Policy) {
 })
 }
 
-func (b *PolicyBuilder) addRoute53Permissions(p *Policy, hostedZoneID string) {
+func (b *PolicyBuilder) addRoute53Permissions(p *Policy) {
+ // Only the master (unless in legacy mode)
+ if b.Role != kops.InstanceGroupRoleMaster && !b.Cluster.Spec.IAM.Legacy {
+ return
+ }
+
+ // Legacy IAM permissions for node roles
+ if b.Cluster.Spec.IAM.Legacy {
+ wildcard := stringorslice.Slice([]string{"*"})
+ p.Statement = append(p.Statement, &Statement{
+ Effect: StatementEffectAllow,
+ Action: stringorslice.Slice([]string{"route53:ListHostedZones"}),
+ Resource: wildcard,
+ })
+ }
+
+ // Permissions to mutate the specific zone
+ if b.HostedZoneID == "" {
+ return
+ }
 // TODO: Route53 currently not supported in China, need to check and fail/return
 
 // Remove /hostedzone/ prefix (if present)
- hostedZoneID = strings.TrimPrefix(hostedZoneID, "/")
+ hostedZoneID := strings.TrimPrefix(b.HostedZoneID, "/")
 hostedZoneID = strings.TrimPrefix(hostedZoneID, "hostedzone/")
 
 p.Statement = append(p.Statement, &Statement{
@@ -835,15 +843,6 @@ func addCertIAMPolicies(p *Policy, resource stringorslice.StringOrSlice) {
 })
 }
 
-func addRoute53ListHostedZonesPermission(p *Policy) {
- wildcard := stringorslice.Slice([]string{"*"})
- p.Statement = append(p.Statement, &Statement{
- Effect: StatementEffectAllow,
- Action: stringorslice.Slice([]string{"route53:ListHostedZones"}),
- Resource: wildcard,
- })
-}
-
 func addLyftVPCPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) {
 if legacyIAM {
 // Legacy IAM provides ec2:*, so no additional permissions required
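Review bot: The first guard in addRoute53Permissions makes the master's zone permissions depend on `b.Role` being `kops.InstanceGroupRoleMaster`; a caller that builds the master policy with `Role` left at its zero value would now get no Route53 statements and no error, and neither the function nor the simplified call sites in BuildAWSPolicyMaster and BuildAWSPolicyNode document that precondition. A doc comment would pin the contract: `// addRoute53Permissions adds the Route53 statements for b.Role: zone-scoped mutation rights only for the master (or for every role when IAM.Legacy is set), plus route53:ListHostedZones on "*" only in legacy mode; b.Role must be set before calling.` The in-body comment `// Legacy IAM permissions for node roles` is also inaccurate, since that branch runs for the master too whenever legacy mode is on and it emits the only statement here that is not scoped to a hosted zone; `// Legacy IAM: route53:ListHostedZones on "*" for every role` would describe it. The function body continues past the end of the hunk.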