Merge pull request #11843 from olemarkus/reduce-policy-size-further
Reduce policy size further
k8s-ci-robot committed Jul 4, 2021
2 parents 577c7ec + aad2912 commit cf834ce
Showing 118 changed files with 6,679 additions and 11,424 deletions.
8 changes: 4 additions & 4 deletions pkg/model/components/addonmanifests/awsebscsidriver/iam.go
Expand Up @@ -31,12 +31,12 @@ var _ iam.Subject = &ServiceAccount{}

// BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role.
func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) {
p := &iam.Policy{
Version: iam.PolicyDefaultVersion,
}

clusterName := b.Cluster.ObjectMeta.Name
p := iam.NewPolicy(clusterName)

addSnapshotControllerPermissions := b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled)
iam.AddAWSEBSCSIDriverPermissions(p, b.Cluster.ObjectMeta.Name, addSnapshotControllerPermissions)
iam.AddAWSEBSCSIDriverPermissions(p, addSnapshotControllerPermissions)

return p, nil
}
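Review bot: The call `iam.AddAWSEBSCSIDriverPermissions(p, addSnapshotControllerPermissions)` no longer shows how its statements are restricted to this cluster. The cluster name now reaches the helper only through `iam.NewPolicy(clusterName)`, so any scoping presumably relies on state held in `p`, and the helper body is not on this page. Once that is confirmed, the doc comment on BuildAWSPolicy should say so, for example `// The cluster name stored by iam.NewPolicy is what the permission helpers use to scope statements to this cluster.` The same applies to the BuildAWSPolicy methods in the awsloadbalancercontroller, clusterautoscaler and dnscontroller sections below. Because the page reports generated files that are not rendered and a large net deletion, the regenerated policy output should be checked to confirm that mutating actions kept their cluster condition rather than only getting shorter.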
Expand Up @@ -19,7 +19,6 @@ package awsloadbalancercontroller
import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/kops/pkg/model/iam"
"k8s.io/kops/pkg/util/stringorslice"
)

// ServiceAccount represents the service-account used by the dns-controller.
Expand All @@ -31,15 +30,12 @@ var _ iam.Subject = &ServiceAccount{}

// BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role.
func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) {
p := &iam.Policy{
Version: iam.PolicyDefaultVersion,
}

resource := stringorslice.Slice([]string{"*"})
clusterName := b.Cluster.ObjectMeta.Name
iam.AddAWSLoadbalancerControllerPermissions(p, resource, clusterName)
iam.AddMasterEC2Policies(p, resource, clusterName)
iam.AddMasterELBPolicies(p, resource)
p := iam.NewPolicy(clusterName)

iam.AddAWSLoadbalancerControllerPermissions(p)
iam.AddMasterEC2Policies(p)
iam.AddMasterELBPolicies(p)

return p, nil
}
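Review bot: The load balancer controller's service-account role still receives the control-plane permission sets through `iam.AddMasterEC2Policies(p)` and `iam.AddMasterELBPolicies(p)` in BuildAWSPolicy. With the `resource := stringorslice.Slice([]string{"*"})` line gone, the call site no longer shows which resources those sets apply to. If the controller really needs both sets, a comment above the calls should say why; otherwise record the gap, e.g. `// TODO: the controller reuses the control-plane EC2/ELB permission sets; narrow to the actions it actually calls.` Separately, the context comment `// ServiceAccount represents the service-account used by the dns-controller.` in this package looks copied from dnscontroller and should name the load balancer controller.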
8 changes: 4 additions & 4 deletions pkg/model/components/addonmanifests/clusterautoscaler/iam.go
Expand Up @@ -30,11 +30,11 @@ var _ iam.Subject = &ServiceAccount{}

// BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role.
func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) {
p := &iam.Policy{
Version: iam.PolicyDefaultVersion,
}

iam.AddClusterAutoscalerPermissions(p, b.Cluster.ObjectMeta.Name)
clusterName := b.Cluster.ObjectMeta.Name
p := iam.NewPolicy(clusterName)

iam.AddClusterAutoscalerPermissions(p)

return p, nil
}
5 changes: 2 additions & 3 deletions pkg/model/components/addonmanifests/dnscontroller/iam.go
Expand Up @@ -30,9 +30,8 @@ var _ iam.Subject = &ServiceAccount{}

// BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role.
func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) {
p := &iam.Policy{
Version: iam.PolicyDefaultVersion,
}
clusterName := b.Cluster.ObjectMeta.Name
p := iam.NewPolicy(clusterName)

iam.AddDNSControllerPermissions(b, p)

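Review bot: `iam.AddDNSControllerPermissions(b, p)` is the only helper on this page that still takes the whole `*iam.PolicyBuilder`, with the policy as its second argument, while the other helpers now take `p` alone or `p` first. If it needs only a few values from the builder, passing those explicitly, or at least putting `p` first, would keep the helper signatures parallel and make it clear which cluster data feeds the policy. BuildAWSPolicy continues past the end of this hunk, so its return path is not visible here.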