From 4e9b45b32405026463e20b7bc0567013a63d01c5 Mon Sep 17 00:00:00 2001
From: Matthew Wong
Date: Wed, 9 Jun 2021 13:52:48 -0700
Subject: [PATCH 1/2] Allow master to touch volumes tagged with kubernetes.io/cluster/:owned
---
pkg/model/iam/iam_builder.go | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index e15c4512c7f28..e5481c8308e96 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -905,6 +905,25 @@ func addMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, clust
 },
 },
 },
+ &Statement{
+ Effect: StatementEffectAllow,
+ Action: stringorslice.Of(
+ "ec2:AttachVolume", // aws.go
+ "ec2:AuthorizeSecurityGroupIngress", // aws.go
+ "ec2:CreateRoute", // aws.go
+ "ec2:DeleteRoute", // aws.go
+ "ec2:DeleteSecurityGroup", // aws.go
+ "ec2:DeleteVolume", // aws.go
+ "ec2:DetachVolume", // aws.go
+ "ec2:RevokeSecurityGroupIngress", // aws.go
+ ),
+ Resource: resource,
+ Condition: Condition{
+ "StringEquals": map[string]string{
+ "ec2:ResourceTag/kubernetes.io/cluster/" + clusterName: "owned",
+ },
+ },
+ },
 )
 }
From b6266ce5f0ca40cb6357e8d59503816660105773 Mon Sep 17 00:00:00 2001
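Review bot: The protection this statement adds depends entirely on who can write the `kubernetes.io/cluster/<clusterName>=owned` tag, and that is not addressed in the hunk — if `ec2:CreateTags` is granted without a condition elsewhere in this policy (or reaches the same role through another path), a compromised master can tag any volume, security group or route table in the account and then `DeleteVolume`, `DeleteSecurityGroup` or `CreateRoute` it under this `Resource: resource` (rendered as `*` in the fixtures) grant, so the condition only narrows the blast radius when tagging is itself restricted (e.g. `ec2:CreateTags` limited with `ec2:CreateAction`). I would record that coupling above the statement: `// Tag-scoped grant: only as strong as the restriction on ec2:CreateTags — a role that can tag arbitrary resources with kubernetes.io/cluster/<name>=owned can satisfy this condition at will.` Note also that the subject says "volumes" but the action list covers security-group and route mutations too, and `ec2:AttachVolume`/`ec2:DetachVolume` reference both a volume and an instance, so an `ec2:ResourceTag` condition is, as far as I know, evaluated against each resource in the request and an untagged instance would be denied — worth confirming that is the intended semantics. The enclosing `addMasterEC2Policies` starts before this hunk.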
From: Matthew Wong Date: Wed, 9 Jun 2021 13:53:07 -0700 Subject: [PATCH 2/2] Run hack/update-expected.sh --- .../iam/tests/iam_builder_master_strict.json | 21 ++++++++++ .../tests/iam_builder_master_strict_ecr.json | 21 ++++++++++ .../apiservernodes/cloudformation.json | 42 +++++++++++++++++++ ....kube-system.sa.minimal.example.com_policy | 21 ++++++++++ ..._policy_masters.minimal.example.com_policy | 21 ++++++++++ ...masters.bastionuserdata.example.com_policy | 21 ++++++++++ .../complex/cloudformation.json | 21 ++++++++++ ..._policy_masters.complex.example.com_policy | 21 ++++++++++ ...policy_masters.compress.example.com_policy | 21 ++++++++++ .../containerd-custom/cloudformation.json | 21 ++++++++++ .../containerd/cloudformation.json | 21 ++++++++++ .../docker-custom/cloudformation.json | 21 ++++++++++ ...licy_masters.existingsg.example.com_policy | 21 ++++++++++ .../externallb/cloudformation.json | 21 ++++++++++ ...licy_masters.externallb.example.com_policy | 21 ++++++++++ ...asters.externalpolicies.example.com_policy | 21 ++++++++++ ..._role_policy_masters.ha.example.com_policy | 21 ++++++++++ ..._policy_masters.minimal.example.com_policy | 21 ++++++++++ .../minimal-etcd/cloudformation.json | 21 ++++++++++ .../minimal-gp3/cloudformation.json | 21 ++++++++++ ..._policy_masters.minimal.example.com_policy | 21 ++++++++++ .../minimal-ipv6/cloudformation.json | 21 ++++++++++ ...cy_masters.minimal-ipv6.example.com_policy | 21 ++++++++++ ...cy_masters.minimal-json.example.com_policy | 21 ++++++++++ .../minimal/cloudformation.json | 21 ++++++++++ ..._policy_masters.minimal.example.com_policy | 21 ++++++++++ ...le_policy_masters.minimal.k8s.local_policy | 21 ++++++++++ .../mixed_instances/cloudformation.json | 21 ++++++++++ ..._masters.mixedinstances.example.com_policy | 21 ++++++++++ .../mixed_instances_spot/cloudformation.json | 21 ++++++++++ ..._masters.mixedinstances.example.com_policy | 21 ++++++++++ .../nth_sqs_resources/cloudformation.json | 21 ++++++++++ 
...masters.nthsqsresources.example.com_policy | 21 ++++++++++ .../private-shared-ip/cloudformation.json | 21 ++++++++++ ...sters.private-shared-ip.example.com_policy | 21 ++++++++++ ...s.private-shared-subnet.example.com_policy | 21 ++++++++++ .../privatecalico/cloudformation.json | 21 ++++++++++ ...y_masters.privatecalico.example.com_policy | 21 ++++++++++ ...cy_masters.privatecanal.example.com_policy | 21 ++++++++++ .../privatecilium/cloudformation.json | 21 ++++++++++ ...y_masters.privatecilium.example.com_policy | 21 ++++++++++ .../privatecilium2/cloudformation.json | 21 ++++++++++ ...y_masters.privatecilium.example.com_policy | 21 ++++++++++ .../privateciliumadvanced/cloudformation.json | 21 ++++++++++ ...s.privateciliumadvanced.example.com_policy | 21 ++++++++++ ...icy_masters.privatedns1.example.com_policy | 21 ++++++++++ ...icy_masters.privatedns2.example.com_policy | 21 ++++++++++ ..._masters.privateflannel.example.com_policy | 21 ++++++++++ ...y_masters.privatekopeio.example.com_policy | 21 ++++++++++ ...cy_masters.privateweave.example.com_policy | 21 ++++++++++ ..._policy_masters.minimal.example.com_policy | 21 ++++++++++ ...cy_masters.sharedsubnet.example.com_policy | 21 ++++++++++ ...olicy_masters.sharedvpc.example.com_policy | 21 ++++++++++ ...olicy_masters.unmanaged.example.com_policy | 21 ++++++++++ ..._policy_masters.minimal.example.com_policy | 21 ++++++++++ 55 files changed, 1176 insertions(+) diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json index bf7989c7d28a5..579d2b95a46ff 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict.json +++ b/pkg/model/iam/tests/iam_builder_master_strict.json 
@@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/iam-builder-test.k8s.local": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json index dc3545d9b8fdf..fc86068b3fe55 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/iam-builder-test.k8s.local": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json index 1a691ff8df4d2..a06e473a18f0d 100644 --- a/tests/integration/update_cluster/apiservernodes/cloudformation.json +++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json 
@@ -1212,6 +1212,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:DescribeAutoScalingInstances", "Effect": "Allow", @@ -1296,6 +1317,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy index 0d20ef762b0c5..af6211ed11f6f 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy 
@@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "elasticloadbalancing:AddTags", diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy index 7a2e4b678f2bf..2646478d1e17f 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy index bdda18dff7e91..7ccde89c37f70 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy 
+++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/bastionuserdata.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index 3c4c7bda1eff0..e67db40b71e90 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json @@ -1614,6 +1614,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/complex.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy index f0d898c0b0da4..995063ce3230d 100644 --- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy 
@@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/complex.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy index 13514b23f6b32..5965e02d36cc1 100644 --- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy +++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/compress.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index 330d424d29990..1b730f84f0df8 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json 
@@ -997,6 +997,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/containerd.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index 330d424d29990..1b730f84f0df8 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json @@ -997,6 +997,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/containerd.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index 0359ad2fed864..eb6d8bedf82a6 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json +++ b/tests/integration/update_cluster/docker-custom/cloudformation.json 
@@ -997,6 +997,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/docker.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy index b6a46c1f73426..dc44a5d210bf5 100644 --- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy +++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/existingsg.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index 78fe4365688ac..c7ad765181758 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json 
@@ -1013,6 +1013,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/externallb.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy index 1e53d6581fc07..b5ffb0f3eb015 100644 --- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy +++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/externallb.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy index e8f0ffe56241e..31696f931b29f 100644 --- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy 
+++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/externalpolicies.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy index d70ef0dd88dfc..fc9b676988295 100644 --- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy +++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/ha.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index 7a2e4b678f2bf..2646478d1e17f 100644 --- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy 
+++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/minimal-etcd/cloudformation.json b/tests/integration/update_cluster/minimal-etcd/cloudformation.json index ad2a7677598db..33f5f67a4d804 100644 --- a/tests/integration/update_cluster/minimal-etcd/cloudformation.json +++ b/tests/integration/update_cluster/minimal-etcd/cloudformation.json @@ -997,6 +997,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal-etcd.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/minimal-gp3/cloudformation.json b/tests/integration/update_cluster/minimal-gp3/cloudformation.json index fb85faa7f19e1..e92e2b7ba588b 100644 --- a/tests/integration/update_cluster/minimal-gp3/cloudformation.json +++ b/tests/integration/update_cluster/minimal-gp3/cloudformation.json 
@@ -993,6 +993,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy index 7a2e4b678f2bf..2646478d1e17f 100644 --- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json index b496621c7d1f0..531c397286478 100644 --- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json 
@@ -1174,6 +1174,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal-ipv6.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index 04a67758d4c5f..adb9ef0379209 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal-ipv6.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy index 3387fc2440217..319673979f1c5 100644 --- a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy 
+++ b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal-json.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/minimal/cloudformation.json b/tests/integration/update_cluster/minimal/cloudformation.json index ffd4a694cc97d..68d959628bb0d 100644 --- a/tests/integration/update_cluster/minimal/cloudformation.json +++ b/tests/integration/update_cluster/minimal/cloudformation.json @@ -997,6 +997,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy index 7a2e4b678f2bf..2646478d1e17f 100644 --- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy index b394896477070..56f476ec1d3d0 100644 --- a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy +++ b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/minimal.k8s.local": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index 40f2b3f6b49ec..442377e765420 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json 
@@ -1710,6 +1710,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/mixedinstances.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index 278dc30dc4f01..e8ddf054488d2 100644 --- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -51,6 +51,27 @@ "*" ] }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/kubernetes.io/cluster/mixedinstances.example.com": "owned" + } + }, + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json index b9aa65bb43698..0061cb2af50a3 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json 
@@ -1711,6 +1711,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/mixedinstances.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
index 278dc30dc4f01..e8ddf054488d2 100644
--- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
+++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/mixedinstances.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json
index 7ab8f8287db5c..f75b76defb304 100644
--- a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json
+++ b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json
@@ -1107,6 +1107,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/nthsqsresources.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy
index 7d12594d03691..84c58aa6f510d 100644
--- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy
+++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/nthsqsresources.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
index 52aaeb7d655ac..ecb39f663f5b1 100644
--- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json
+++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
@@ -1514,6 +1514,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/private-shared-ip.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
index 1540b862f0558..e5d5b1b0e59d5 100644
--- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/private-shared-ip.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
index b390112e5382a..0ac3400d3c20e 100644
--- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/private-shared-subnet.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json
index 4fd4deb49c059..313f11ff6c7a7 100644
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json
@@ -1670,6 +1670,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privatecalico.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
index a1fe9b4ceffda..c4f38aa6481d4 100644
--- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
+++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privatecalico.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
index 1bc0c7c5f2204..d12989a0ba280 100644
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
+++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privatecanal.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json
index 9fba93ade018b..1e1128fd08a5c 100644
--- a/tests/integration/update_cluster/privatecilium/cloudformation.json
+++ b/tests/integration/update_cluster/privatecilium/cloudformation.json
@@ -1656,6 +1656,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privatecilium.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
index 12dee21d05f2e..9a4577e8de206 100644
--- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
+++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privatecilium.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json
index 9fba93ade018b..1e1128fd08a5c 100644
--- a/tests/integration/update_cluster/privatecilium2/cloudformation.json
+++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json
@@ -1656,6 +1656,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privatecilium.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
index 12dee21d05f2e..9a4577e8de206 100644
--- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privatecilium.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
index c58c6336d7add..be57ba3349024 100644
--- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
+++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
@@ -1689,6 +1689,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privateciliumadvanced.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy
index ef944f0a2d167..ed1d3fc73b692 100644
--- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy
+++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privateciliumadvanced.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy
index a020452b45f1f..056650f2f6d99 100644
--- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy
+++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privatedns1.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy
index faac6dc2529d3..68f10706b6e25 100644
--- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy
+++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privatedns2.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
index cc9ec7daa7124..161f707039f11 100644
--- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
+++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privateflannel.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
index 5fd9cc06ab1ba..28db38ada8ea0 100644
--- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
+++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privatekopeio.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
index 99ea7c9928fee..eba0d9ff1368c 100644
--- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
+++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/privateweave.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy
index 7a2e4b678f2bf..2646478d1e17f 100644
--- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
index 373fedf91c2fc..3e0328074ad79 100644
--- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
+++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/sharedsubnet.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
index d501a444156a7..6a3edc323e027 100644
--- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
+++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/sharedvpc.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
index 1c02591982a2e..3ad7e0d0485e1 100644
--- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
+++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/unmanaged.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
index 7a2e4b678f2bf..2646478d1e17f 100644
--- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -51,6 +51,27 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {