Remove redundant permissions

kubernetes · Jun 20, 2021 · 5844837 · 5844837
1 parent f59af29
commit 5844837
Show file tree

Hide file tree

Showing 59 changed files with 1,193 additions and 2,583 deletions.
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
@@ -1057,21 +1057,6 @@ func AddMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, clust
 				},
 			},
 		},
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Of(
-				"ec2:AttachVolume",                  // aws.go
-				"ec2:AuthorizeSecurityGroupIngress", // aws.go
-				"ec2:DeleteSecurityGroup",           // aws.go
-				"ec2:RevokeSecurityGroupIngress",    // aws.go
-			),
-			Resource: resource,
-			Condition: Condition{
-				"StringEquals": map[string]string{
-					"ec2:ResourceTag/kubernetes.io/cluster/" + clusterName: "owned",
-				},
-			},
-		},
 	)
 }
 
@@ -1080,44 +1065,36 @@ func AddMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice) {
 	p.Statement = append(p.Statement, &Statement{
 		Effect: StatementEffectAllow,
 		Action: stringorslice.Of(
-			"elasticloadbalancing:AddTags",                                 // aws_loadbalancer.go
-			"elasticloadbalancing:AttachLoadBalancerToSubnets",             // aws_loadbalancer.go
-			"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",       // aws_loadbalancer.go
+			"ec2:DescribeVpcs",                                             // aws_loadbalancer.go
+			"elasticloadbalancing:DescribeLoadBalancers",                   // aws.go
+			"elasticloadbalancing:DescribeLoadBalancerAttributes",          // aws.go
+			"elasticloadbalancing:DescribeListeners",                       // aws_loadbalancer.go
+			"elasticloadbalancing:DescribeLoadBalancerPolicies",            // aws_loadbalancer.go
+			"elasticloadbalancing:DescribeTargetGroups",                    // aws_loadbalancer.go
+			"elasticloadbalancing:DescribeTargetHealth",                    // aws_loadbalancer.go
+			"elasticloadbalancing:CreateListener",                          // aws_loadbalancer.go
+			"elasticloadbalancing:CreateTargetGroup",                       // aws_loadbalancer.go
 			"elasticloadbalancing:CreateLoadBalancer",                      // aws_loadbalancer.go
 			"elasticloadbalancing:CreateLoadBalancerPolicy",                // aws_loadbalancer.go
 			"elasticloadbalancing:CreateLoadBalancerListeners",             // aws_loadbalancer.go
-			"elasticloadbalancing:ConfigureHealthCheck",                    // aws_loadbalancer.go
 			"elasticloadbalancing:DeleteLoadBalancer",                      // aws.go
 			"elasticloadbalancing:DeleteLoadBalancerListeners",             // aws_loadbalancer.go
-			"elasticloadbalancing:DescribeLoadBalancers",                   // aws.go
-			"elasticloadbalancing:DescribeLoadBalancerAttributes",          // aws.go
+			"elasticloadbalancing:DeleteListener",                          // aws_loadbalancer.go
+			"elasticloadbalancing:DeleteTargetGroup",                       // aws_loadbalancer.go
+			"elasticloadbalancing:AddTags",                                 // aws_loadbalancer.go
+			"elasticloadbalancing:ModifyLoadBalancerAttributes",            // aws_loadbalancer.go
+			"elasticloadbalancing:ModifyListener",                          // aws_loadbalancer.go
+			"elasticloadbalancing:ModifyTargetGroup",                       // aws_loadbalancer.go
+			"elasticloadbalancing:AttachLoadBalancerToSubnets",             // aws_loadbalancer.go
+			"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",       // aws_loadbalancer.go
+			"elasticloadbalancing:ConfigureHealthCheck",                    // aws_loadbalancer.go
 			"elasticloadbalancing:DetachLoadBalancerFromSubnets",           // aws_loadbalancer.go
 			"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",     // aws_loadbalancer.go
-			"elasticloadbalancing:ModifyLoadBalancerAttributes",            // aws_loadbalancer.go
 			"elasticloadbalancing:RegisterInstancesWithLoadBalancer",       // aws_loadbalancer.go
 			"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", // aws_loadbalancer.go
-		),
-		Resource: resource,
-	})
-
-	p.Statement = append(p.Statement, &Statement{
-		Effect: StatementEffectAllow,
-		Action: stringorslice.Of(
-			"ec2:DescribeVpcs",                                       // aws_loadbalancer.go
-			"elasticloadbalancing:AddTags",                           // aws_loadbalancer.go
-			"elasticloadbalancing:CreateListener",                    // aws_loadbalancer.go
-			"elasticloadbalancing:CreateTargetGroup",                 // aws_loadbalancer.go
-			"elasticloadbalancing:DeleteListener",                    // aws_loadbalancer.go
-			"elasticloadbalancing:DeleteTargetGroup",                 // aws_loadbalancer.go
-			"elasticloadbalancing:DeregisterTargets",                 // aws_loadbalancer.go
-			"elasticloadbalancing:DescribeListeners",                 // aws_loadbalancer.go
-			"elasticloadbalancing:DescribeLoadBalancerPolicies",      // aws_loadbalancer.go
-			"elasticloadbalancing:DescribeTargetGroups",              // aws_loadbalancer.go
-			"elasticloadbalancing:DescribeTargetHealth",              // aws_loadbalancer.go
-			"elasticloadbalancing:ModifyListener",                    // aws_loadbalancer.go
-			"elasticloadbalancing:ModifyTargetGroup",                 // aws_loadbalancer.go
-			"elasticloadbalancing:RegisterTargets",                   // aws_loadbalancer.go
-			"elasticloadbalancing:SetLoadBalancerPoliciesOfListener", // aws_loadbalancer.go
+			"elasticloadbalancing:DeregisterTargets",                       // aws_loadbalancer.go
+			"elasticloadbalancing:RegisterTargets",                         // aws_loadbalancer.go
+			"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",       // aws_loadbalancer.go
 		),
 		Resource: resource,
 	})

diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json
@@ -46,23 +46,6 @@
         "*"
       ]
     },
-    {
-      "Action": [
-        "ec2:AttachVolume",
-        "ec2:AuthorizeSecurityGroupIngress",
-        "ec2:DeleteSecurityGroup",
-        "ec2:RevokeSecurityGroupIngress"
-      ],
-      "Condition": {
-        "StringEquals": {
-          "ec2:ResourceTag/kubernetes.io/cluster/iam-builder-test.k8s.local": "owned"
-        }
-      },
-      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
-    },
     {
       "Action": "autoscaling:CompleteLifecycleAction",
       "Condition": {
@@ -118,43 +101,34 @@
     },
     {
       "Action": [
-        "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:AttachLoadBalancerToSubnets",
-        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+        "ec2:DescribeVpcs",
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+        "elasticloadbalancing:DescribeListeners",
+        "elasticloadbalancing:DescribeLoadBalancerPolicies",
+        "elasticloadbalancing:DescribeTargetGroups",
+        "elasticloadbalancing:DescribeTargetHealth",
+        "elasticloadbalancing:CreateListener",
+        "elasticloadbalancing:CreateTargetGroup",
         "elasticloadbalancing:CreateLoadBalancer",
         "elasticloadbalancing:CreateLoadBalancerPolicy",
         "elasticloadbalancing:CreateLoadBalancerListeners",
-        "elasticloadbalancing:ConfigureHealthCheck",
         "elasticloadbalancing:DeleteLoadBalancer",
         "elasticloadbalancing:DeleteLoadBalancerListeners",
-        "elasticloadbalancing:DescribeLoadBalancers",
-        "elasticloadbalancing:DescribeLoadBalancerAttributes",
-        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
-        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
-        "elasticloadbalancing:ModifyLoadBalancerAttributes",
-        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
-        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
-      ],
-      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
-    },
-    {
-      "Action": [
-        "ec2:DescribeVpcs",
-        "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:CreateListener",
-        "elasticloadbalancing:CreateTargetGroup",
         "elasticloadbalancing:DeleteListener",
         "elasticloadbalancing:DeleteTargetGroup",
-        "elasticloadbalancing:DeregisterTargets",
-        "elasticloadbalancing:DescribeListeners",
-        "elasticloadbalancing:DescribeLoadBalancerPolicies",
-        "elasticloadbalancing:DescribeTargetGroups",
-        "elasticloadbalancing:DescribeTargetHealth",
+        "elasticloadbalancing:AddTags",
+        "elasticloadbalancing:ModifyLoadBalancerAttributes",
         "elasticloadbalancing:ModifyListener",
         "elasticloadbalancing:ModifyTargetGroup",
+        "elasticloadbalancing:AttachLoadBalancerToSubnets",
+        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+        "elasticloadbalancing:ConfigureHealthCheck",
+        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+        "elasticloadbalancing:DeregisterTargets",
         "elasticloadbalancing:RegisterTargets",
         "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
       ],

diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
@@ -46,23 +46,6 @@
         "*"
       ]
     },
-    {
-      "Action": [
-        "ec2:AttachVolume",
-        "ec2:AuthorizeSecurityGroupIngress",
-        "ec2:DeleteSecurityGroup",
-        "ec2:RevokeSecurityGroupIngress"
-      ],
-      "Condition": {
-        "StringEquals": {
-          "ec2:ResourceTag/kubernetes.io/cluster/iam-builder-test.k8s.local": "owned"
-        }
-      },
-      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
-    },
     {
       "Action": "autoscaling:CompleteLifecycleAction",
       "Condition": {
@@ -118,43 +101,34 @@
     },
     {
       "Action": [
-        "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:AttachLoadBalancerToSubnets",
-        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+        "ec2:DescribeVpcs",
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+        "elasticloadbalancing:DescribeListeners",
+        "elasticloadbalancing:DescribeLoadBalancerPolicies",
+        "elasticloadbalancing:DescribeTargetGroups",
+        "elasticloadbalancing:DescribeTargetHealth",
+        "elasticloadbalancing:CreateListener",
+        "elasticloadbalancing:CreateTargetGroup",
         "elasticloadbalancing:CreateLoadBalancer",
         "elasticloadbalancing:CreateLoadBalancerPolicy",
         "elasticloadbalancing:CreateLoadBalancerListeners",
-        "elasticloadbalancing:ConfigureHealthCheck",
         "elasticloadbalancing:DeleteLoadBalancer",
         "elasticloadbalancing:DeleteLoadBalancerListeners",
-        "elasticloadbalancing:DescribeLoadBalancers",
-        "elasticloadbalancing:DescribeLoadBalancerAttributes",
-        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
-        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
-        "elasticloadbalancing:ModifyLoadBalancerAttributes",
-        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
-        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
-      ],
-      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ]
-    },
-    {
-      "Action": [
-        "ec2:DescribeVpcs",
-        "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:CreateListener",
-        "elasticloadbalancing:CreateTargetGroup",
         "elasticloadbalancing:DeleteListener",
         "elasticloadbalancing:DeleteTargetGroup",
-        "elasticloadbalancing:DeregisterTargets",
-        "elasticloadbalancing:DescribeListeners",
-        "elasticloadbalancing:DescribeLoadBalancerPolicies",
-        "elasticloadbalancing:DescribeTargetGroups",
-        "elasticloadbalancing:DescribeTargetHealth",
+        "elasticloadbalancing:AddTags",
+        "elasticloadbalancing:ModifyLoadBalancerAttributes",
         "elasticloadbalancing:ModifyListener",
         "elasticloadbalancing:ModifyTargetGroup",
+        "elasticloadbalancing:AttachLoadBalancerToSubnets",
+        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+        "elasticloadbalancing:ConfigureHealthCheck",
+        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+        "elasticloadbalancing:DeregisterTargets",
         "elasticloadbalancing:RegisterTargets",
         "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
       ],

diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json
@@ -1207,23 +1207,6 @@
                 "*"
               ]
             },
-            {
-              "Action": [
-                "ec2:AttachVolume",
-                "ec2:AuthorizeSecurityGroupIngress",
-                "ec2:DeleteSecurityGroup",
-                "ec2:RevokeSecurityGroupIngress"
-              ],
-              "Condition": {
-                "StringEquals": {
-                  "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned"
-                }
-              },
-              "Effect": "Allow",
-              "Resource": [
-                "*"
-              ]
-            },
             {
               "Action": "autoscaling:DescribeAutoScalingInstances",
               "Effect": "Allow",
@@ -1310,23 +1293,6 @@
                 "*"
               ]
             },
-            {
-              "Action": [
-                "ec2:AttachVolume",
-                "ec2:AuthorizeSecurityGroupIngress",
-                "ec2:DeleteSecurityGroup",
-                "ec2:RevokeSecurityGroupIngress"
-              ],
-              "Condition": {
-                "StringEquals": {
-                  "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned"
-                }
-              },
-              "Effect": "Allow",
-              "Resource": [
-                "*"
-              ]
-            },
             {
               "Action": "autoscaling:CompleteLifecycleAction",
               "Condition": {
@@ -1382,43 +1348,34 @@
             },
             {
               "Action": [
-                "elasticloadbalancing:AddTags",
-                "elasticloadbalancing:AttachLoadBalancerToSubnets",
-                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+                "ec2:DescribeVpcs",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:DescribeListeners",
+                "elasticloadbalancing:DescribeLoadBalancerPolicies",
+                "elasticloadbalancing:DescribeTargetGroups",
+                "elasticloadbalancing:DescribeTargetHealth",
+                "elasticloadbalancing:CreateListener",
+                "elasticloadbalancing:CreateTargetGroup",
                 "elasticloadbalancing:CreateLoadBalancer",
                 "elasticloadbalancing:CreateLoadBalancerPolicy",
                 "elasticloadbalancing:CreateLoadBalancerListeners",
-                "elasticloadbalancing:ConfigureHealthCheck",
                 "elasticloadbalancing:DeleteLoadBalancer",
                 "elasticloadbalancing:DeleteLoadBalancerListeners",
-                "elasticloadbalancing:DescribeLoadBalancers",
-                "elasticloadbalancing:DescribeLoadBalancerAttributes",
-                "elasticloadbalancing:DetachLoadBalancerFromSubnets",
-                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
-                "elasticloadbalancing:ModifyLoadBalancerAttributes",
-                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
-                "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
-              ],
-              "Effect": "Allow",
-              "Resource": [
-                "*"
-              ]
-            },
-            {
-              "Action": [
-                "ec2:DescribeVpcs",
-                "elasticloadbalancing:AddTags",
-                "elasticloadbalancing:CreateListener",
-                "elasticloadbalancing:CreateTargetGroup",
                 "elasticloadbalancing:DeleteListener",
                 "elasticloadbalancing:DeleteTargetGroup",
-                "elasticloadbalancing:DeregisterTargets",
-                "elasticloadbalancing:DescribeListeners",
-                "elasticloadbalancing:DescribeLoadBalancerPolicies",
-                "elasticloadbalancing:DescribeTargetGroups",
-                "elasticloadbalancing:DescribeTargetHealth",
+                "elasticloadbalancing:AddTags",
+                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                 "elasticloadbalancing:ModifyListener",
                 "elasticloadbalancing:ModifyTargetGroup",
+                "elasticloadbalancing:AttachLoadBalancerToSubnets",
+                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+                "elasticloadbalancing:ConfigureHealthCheck",
+                "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+                "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+                "elasticloadbalancing:DeregisterTargets",
                 "elasticloadbalancing:RegisterTargets",
                 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
               ],