Merge pull request #11571 from olemarkus/snapshot-tighten-deletion

Only allow deletion of snapshots owned by the cluster
kubernetes · May 23, 2021 · 5e720e9 · 5e720e9
2 parents 9235f35 + 0004bce
commit 5e720e9
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
@@ -344,7 +344,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 	}
 
 	if b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled) {
-		addSnapshotPersmissions(p)
+		addSnapshotPersmissions(p, b.Cluster.GetName())
 	}
 	return p, nil
 }
@@ -783,17 +783,29 @@ func AddAWSLoadbalancerControllerPermissions(p *Policy, resource stringorslice.S
 	)
 }
 
-func addSnapshotPersmissions(p *Policy) {
+func addSnapshotPersmissions(p *Policy, clusterName string) {
 	p.Statement = append(p.Statement, &Statement{
 		Effect: StatementEffectAllow,
 		Action: stringorslice.Of(
 			"ec2:CreateSnapshot",
-			"ec2:DeleteSnapshot",
 			"ec2:DescribeAvailabilityZones",
 			"ec2:DescribeSnapshots",
 		),
 		Resource: stringorslice.Slice([]string{"*"}),
 	})
+	p.Statement = append(p.Statement, &Statement{
+		Effect: StatementEffectAllow,
+		Action: stringorslice.Of(
+			"ec2:DeleteSnapshot",
+		),
+		Resource: stringorslice.Slice([]string{"*"}),
+		Condition: Condition{
+			"StringEquals": map[string]string{
+				"aws:ResourceTag/KubernetesCluster": clusterName,
+			},
+		},
+	})
+
 }
 
 // addLegacyDNSControllerPermissions adds legacy IAM permissions used by the node roles.