bump controller iam policy to v2.4.7
alebedev87 committed Oct 26, 2023
1 parent 5270440 commit 5bd86f4
Showing 7 changed files with 657 additions and 74 deletions.
24 changes: 21 additions & 3 deletions Makefile
Expand Up @@ -75,12 +75,16 @@ IAMCTL_OUTPUT_DIR ?= ./pkg/controllers/awsloadbalancercontroller
# Generated file name.
IAMCTL_OUTPUT_FILE ?= iam_policy.go

IAMCTL_OUTPUT_MINIFY_FILE ?= iam_policy_minify.go

# Go Package of the generated file.
IAMCTL_GO_PACKAGE ?= awsloadbalancercontroller

# File name of the generated CredentialsRequest CR.
IAMCTL_OUTPUT_CR_FILE ?= ./hack/controller/controller-credentials-request.yaml

IAMCTL_OUTPUT_MINIFY_CR_FILE ?= ./hack/controller/controller-credentials-request-minify.yaml

# Built go binary path.
IAMCTL_BINARY ?= ./bin/iamctl

Expand Down Expand Up @@ -127,13 +131,27 @@ vet: ## Run go vet against code.

.PHONY: iamctl-gen
iamctl-gen: iamctl-build iam-gen
$(IAMCTL_BINARY) -i $(IAMCTL_ASSETS_DIR)/iam-policy.json -o $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_FILE) -p $(IAMCTL_GO_PACKAGE) -c $(IAMCTL_OUTPUT_CR_FILE)
go fmt -mod=vendor $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_FILE)
go vet -mod=vendor $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_FILE)
# generate controller's IAM policy without minify.
@# This policy is for STS clusters as it's turned into a role policy which is limited to 10240 by AWS.
$(IAMCTL_BINARY) -i $(IAMCTL_ASSETS_DIR)/iam-policy.json -o $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_FILE) -p $(IAMCTL_GO_PACKAGE) -c $(IAMCTL_OUTPUT_CR_FILE) -n -s

# generate controller's IAM policy with minify.
@# This policy is for non STS clusters as it's turned into an inline policy which is limited to 2048 by AWS.
$(IAMCTL_BINARY) -i $(IAMCTL_ASSETS_DIR)/iam-policy.json -o $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_MINIFY_FILE) -p $(IAMCTL_GO_PACKAGE) -f GetIAMPolicyMinify -c $(IAMCTL_OUTPUT_MINIFY_CR_FILE)

go fmt -mod=vendor $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_FILE) $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_MINIFY_FILE)
go vet -mod=vendor $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_FILE) $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_MINIFY_FILE)

# generate operator's IAM policy.
@# The operator's policy is small enough to fit into both limits: inline and role.
$(IAMCTL_BINARY) -i $(IAMCTL_ASSETS_DIR)/operator-iam-policy.json -o ./pkg/operator/$(IAMCTL_OUTPUT_FILE) -p operator -n
go fmt -mod=vendor ./pkg/operator/$(IAMCTL_OUTPUT_FILE)
go vet -mod=vendor ./pkg/operator/$(IAMCTL_OUTPUT_FILE)

# The operator's CredentialsRequest is the source of truth for the operator's IAM policy.
# It's required to generate IAM role for STS clusters using ccoctl (docs/prerequisites.md#option-1-using-ccoctl).
# The below rule generates a corresponding AWS IAM policy JSON which can be used in AWS CLI commands (docs/prerequisites.md#option-2-using-the-aws-cli).
# The operator's IAM policy as go code is generated from the JSON policy and used in the operator to self provision credentials at startup.
.PHONY: iam-gen
iam-gen:
./hack/generate-iam-from-credrequest.sh ./hack/operator-credentials-request.yaml ./hack/operator-permission-policy.json
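Review bot: The comment on the minified run (`@# This policy is for non STS clusters as it's turned into an inline policy which is limited to 2048 by AWS.`) states the size limit but not what minification costs: the generated hack/controller/controller-credentials-request-minify.yaml in this same commit is a single statement on `resource: "*"` with no `policyCondition`, whereas the full CR scopes `DeleteLoadBalancer`, `DeleteTargetGroup`, `ec2:DeleteSecurityGroup` and `AddTags`/`RemoveTags` to resources tagged `elbv2.k8s.aws/cluster` and `ec2:CreateTags` to the `CreateSecurityGroup` action. On a non-STS cluster the controller's credentials can therefore delete or retag any ELBv2 load balancer, target group or security group in the account, not only the ones it created. Since that widening is a deliberate trade-off forced by the inline-policy limit, it belongs next to the decision; I would extend the comment to `@# NOTE: minify drops every tag-scoped Condition, so for non-STS clusters the listed actions are account-wide; STS clusters keep the conditioned policy via ccoctl (docs/prerequisites.md).` Whether iamctl's minify path strips conditions by design or as a side effect of the missing `-n -s` flags is not visible here; if the output still fits with the `Null aws:ResourceTag/elbv2.k8s.aws/cluster` condition kept on the delete actions, that would recover most of the lost blast-radius reduction.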
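--- a/assets/iam-policy.json
+++ b/assets/iam-policy.json
@@ -177,6 +177,28 @@
 "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
 ]
 },
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"StringEquals": {
+"elasticloadbalancing:CreateAction": [
+"CreateTargetGroup",
+"CreateLoadBalancer"
+]
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
 {
 "Effect": "Allow",
 "Action": [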
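--- /dev/null
+++ b/hack/controller/controller-credentials-request-minify.yaml
@@ -0,0 +1,68 @@
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+name: aws-load-balancer-controller
+namespace: openshift-cloud-credential-operator
+spec:
+providerSpec:
+apiVersion: cloudcredential.openshift.io/v1
+kind: AWSProviderSpec
+statementEntries:
+- action:
+- acm:DescribeCertificate
+- acm:ListCertificates
+- cognito-idp:DescribeUserPoolClient
+- ec2:AuthorizeSecurityGroupIngress
+- ec2:CreateSecurityGroup
+- ec2:CreateTags
+- ec2:DeleteSecurityGroup
+- ec2:DeleteTags
+- ec2:Describe*
+- ec2:GetCoipPoolUsage
+- ec2:RevokeSecurityGroupIngress
+- elasticloadbalancing:AddListenerCertificates
+- elasticloadbalancing:AddTags
+- elasticloadbalancing:CreateListener
+- elasticloadbalancing:CreateLoadBalancer
+- elasticloadbalancing:CreateRule
+- elasticloadbalancing:CreateTargetGroup
+- elasticloadbalancing:DeleteListener
+- elasticloadbalancing:DeleteLoadBalancer
+- elasticloadbalancing:DeleteRule
+- elasticloadbalancing:DeleteTargetGroup
+- elasticloadbalancing:DeregisterTargets
+- elasticloadbalancing:Describe*
+- elasticloadbalancing:ModifyListener
+- elasticloadbalancing:ModifyLoadBalancerAttributes
+- elasticloadbalancing:ModifyRule
+- elasticloadbalancing:ModifyTargetGroup
+- elasticloadbalancing:ModifyTargetGroupAttributes
+- elasticloadbalancing:RegisterTargets
+- elasticloadbalancing:RemoveListenerCertificates
+- elasticloadbalancing:RemoveTags
+- elasticloadbalancing:SetIpAddressType
+- elasticloadbalancing:SetSecurityGroups
+- elasticloadbalancing:SetSubnets
+- elasticloadbalancing:SetWebAcl
+- iam:CreateServiceLinkedRole
+- iam:GetServerCertificate
+- iam:ListServerCertificates
+- shield:CreateProtection
+- shield:DeleteProtection
+- shield:DescribeProtection
+- shield:GetSubscriptionState
+- waf-regional:AssociateWebACL
+- waf-regional:DisassociateWebACL
+- waf-regional:GetWebACL
+- waf-regional:GetWebACLForResource
+- wafv2:AssociateWebACL
+- wafv2:DisassociateWebACL
+- wafv2:GetWebACL
+- wafv2:GetWebACLForResource
+effect: Allow
+resource: "*"
+secretRef:
+name: aws-load-balancer-controller-cluster
+namespace: aws-load-balancer-operator
+serviceAccountNames:
+- aws-load-balancer-controller-cluster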
222 changes: 187 additions & 35 deletions hack/controller/controller-credentials-request.yaml
Expand Up @@ -9,56 +9,208 @@ spec:
kind: AWSProviderSpec
statementEntries:
- action:
- acm:DescribeCertificate
- acm:ListCertificates
- iam:CreateServiceLinkedRole
effect: Allow
resource: "*"
policyCondition:
"StringEquals":
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
- action:
- ec2:DescribeAccountAttributes
- ec2:DescribeAddresses
- ec2:DescribeAvailabilityZones
- ec2:DescribeInternetGateways
- ec2:DescribeVpcs
- ec2:DescribeVpcPeeringConnections
- ec2:DescribeSubnets
- ec2:DescribeSecurityGroups
- ec2:DescribeInstances
- ec2:DescribeNetworkInterfaces
- ec2:DescribeTags
- ec2:GetCoipPoolUsage
- ec2:DescribeCoipPools
- elasticloadbalancing:DescribeLoadBalancers
- elasticloadbalancing:DescribeLoadBalancerAttributes
- elasticloadbalancing:DescribeListeners
- elasticloadbalancing:DescribeListenerCertificates
- elasticloadbalancing:DescribeSSLPolicies
- elasticloadbalancing:DescribeRules
- elasticloadbalancing:DescribeTargetGroups
- elasticloadbalancing:DescribeTargetGroupAttributes
- elasticloadbalancing:DescribeTargetHealth
- elasticloadbalancing:DescribeTags
effect: Allow
resource: "*"
- action:
- cognito-idp:DescribeUserPoolClient
- acm:ListCertificates
- acm:DescribeCertificate
- iam:ListServerCertificates
- iam:GetServerCertificate
- waf-regional:GetWebACL
- waf-regional:GetWebACLForResource
- waf-regional:AssociateWebACL
- waf-regional:DisassociateWebACL
- wafv2:GetWebACL
- wafv2:GetWebACLForResource
- wafv2:AssociateWebACL
- wafv2:DisassociateWebACL
- shield:GetSubscriptionState
- shield:DescribeProtection
- shield:CreateProtection
- shield:DeleteProtection
effect: Allow
resource: "*"
- action:
- ec2:AuthorizeSecurityGroupIngress
- ec2:RevokeSecurityGroupIngress
effect: Allow
resource: "*"
- action:
- ec2:CreateSecurityGroup
effect: Allow
resource: "*"
- action:
- ec2:CreateTags
effect: Allow
resource: "arn:aws:ec2:*:*:security-group/*"
policyCondition:
"Null":
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
"StringEquals":
"ec2:CreateAction": "CreateSecurityGroup"
- action:
- ec2:CreateTags
- ec2:DeleteSecurityGroup
- ec2:DeleteTags
- ec2:Describe*
- ec2:GetCoipPoolUsage
effect: Allow
resource: "arn:aws:ec2:*:*:security-group/*"
policyCondition:
"Null":
"aws:RequestTag/elbv2.k8s.aws/cluster": "true"
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- action:
- ec2:AuthorizeSecurityGroupIngress
- ec2:RevokeSecurityGroupIngress
- elasticloadbalancing:AddListenerCertificates
- elasticloadbalancing:AddTags
- elasticloadbalancing:CreateListener
- ec2:DeleteSecurityGroup
effect: Allow
resource: "*"
policyCondition:
"Null":
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- action:
- elasticloadbalancing:CreateLoadBalancer
- elasticloadbalancing:CreateRule
- elasticloadbalancing:CreateTargetGroup
effect: Allow
resource: "*"
policyCondition:
"Null":
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- action:
- elasticloadbalancing:CreateListener
- elasticloadbalancing:DeleteListener
- elasticloadbalancing:DeleteLoadBalancer
- elasticloadbalancing:CreateRule
- elasticloadbalancing:DeleteRule
- elasticloadbalancing:DeleteTargetGroup
- elasticloadbalancing:DeregisterTargets
- elasticloadbalancing:Describe*
- elasticloadbalancing:ModifyListener
- elasticloadbalancing:ModifyLoadBalancerAttributes
- elasticloadbalancing:ModifyRule
- elasticloadbalancing:ModifyTargetGroup
- elasticloadbalancing:ModifyTargetGroupAttributes
- elasticloadbalancing:RegisterTargets
- elasticloadbalancing:RemoveListenerCertificates
effect: Allow
resource: "*"
- action:
- elasticloadbalancing:AddTags
- elasticloadbalancing:RemoveTags
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
policyCondition:
"Null":
"aws:RequestTag/elbv2.k8s.aws/cluster": "true"
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- action:
- elasticloadbalancing:AddTags
- elasticloadbalancing:RemoveTags
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*"
policyCondition:
"Null":
"aws:RequestTag/elbv2.k8s.aws/cluster": "true"
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- action:
- elasticloadbalancing:AddTags
- elasticloadbalancing:RemoveTags
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
policyCondition:
"Null":
"aws:RequestTag/elbv2.k8s.aws/cluster": "true"
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- action:
- elasticloadbalancing:AddTags
- elasticloadbalancing:RemoveTags
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
- action:
- elasticloadbalancing:AddTags
- elasticloadbalancing:RemoveTags
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*"
- action:
- elasticloadbalancing:AddTags
- elasticloadbalancing:RemoveTags
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*"
- action:
- elasticloadbalancing:AddTags
- elasticloadbalancing:RemoveTags
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
- action:
- elasticloadbalancing:AddTags
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
policyCondition:
"Null":
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
"StringEquals":
"elasticloadbalancing:CreateAction": ["CreateTargetGroup","CreateLoadBalancer"]
- action:
- elasticloadbalancing:AddTags
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*"
policyCondition:
"Null":
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
"StringEquals":
"elasticloadbalancing:CreateAction": ["CreateTargetGroup","CreateLoadBalancer"]
- action:
- elasticloadbalancing:AddTags
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
policyCondition:
"Null":
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
"StringEquals":
"elasticloadbalancing:CreateAction": ["CreateTargetGroup","CreateLoadBalancer"]
- action:
- elasticloadbalancing:ModifyLoadBalancerAttributes
- elasticloadbalancing:SetIpAddressType
- elasticloadbalancing:SetSecurityGroups
- elasticloadbalancing:SetSubnets
- elasticloadbalancing:DeleteLoadBalancer
- elasticloadbalancing:ModifyTargetGroup
- elasticloadbalancing:ModifyTargetGroupAttributes
- elasticloadbalancing:DeleteTargetGroup
effect: Allow
resource: "*"
policyCondition:
"Null":
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- action:
- elasticloadbalancing:RegisterTargets
- elasticloadbalancing:DeregisterTargets
effect: Allow
resource: "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
- action:
- elasticloadbalancing:SetWebAcl
- iam:CreateServiceLinkedRole
- iam:GetServerCertificate
- iam:ListServerCertificates
- shield:CreateProtection
- shield:DeleteProtection
- shield:DescribeProtection
- shield:GetSubscriptionState
- waf-regional:AssociateWebACL
- waf-regional:DisassociateWebACL
- waf-regional:GetWebACL
- waf-regional:GetWebACLForResource
- wafv2:AssociateWebACL
- wafv2:DisassociateWebACL
- wafv2:GetWebACL
- wafv2:GetWebACLForResource
- elasticloadbalancing:ModifyListener
- elasticloadbalancing:AddListenerCertificates
- elasticloadbalancing:RemoveListenerCertificates
- elasticloadbalancing:ModifyRule
effect: Allow
resource: "*"
secretRef:
Expand Up @@ -142,7 +142,7 @@ func desiredCredentialsRequest(name types.NamespacedName, secretRef corev1.Objec

func createProviderConfig(codec *cco.ProviderCodec, config *albo.AWSLoadBalancerCredentialsRequestConfig) (*runtime.RawExtension, error) {
providerSpec := &cco.AWSProviderSpec{
StatementEntries: GetIAMPolicy().Statement,
StatementEntries: GetIAMPolicyMinify().Statement,
}
if config != nil && config.STSIAMRoleARN != "" {
providerSpec.STSIAMRoleARN = config.STSIAMRoleARN
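Review bot: `createProviderConfig` now embeds `GetIAMPolicyMinify().Statement` unconditionally, including on the path two lines below where `config.STSIAMRoleARN` is set, yet the Makefile in this commit documents the minified policy as the non-STS variant and the full, tag-conditioned policy as the one that becomes the STS role policy; nothing at this call site says why the STS branch also carries the reduced, condition-free statements. If, as the Makefile's ccoctl note suggests, the role for STS clusters is pre-provisioned from the full CR and the statement entries in this CredentialsRequest do not grant anything there, that should be written down above the assignment: `// Always embed the minified statements: for non-STS clusters CCO renders them as an inline user policy (2048-char AWS limit); for STS clusters the role is pre-created from the full CR via ccoctl, so these entries are presumably informational only — confirm.` If instead CCO does attach them in some STS configuration, the controller would run with the unconditioned account-wide delete/tag permissions and the full policy should be selected when `STSIAMRoleARN` is set. The function body continues beyond the hunk.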