[WIP] Update IAM policy

Signed-off-by: Connor Catlett <[email protected]>
kubernetes-sigs · Nov 15, 2024 · 69d15b7 · 69d15b7
1 parent de6e80e
commit 69d15b7
Show file tree

Hide file tree

Showing 2 changed files with 162 additions and 50 deletions.
diff --git a/docs/example-iam-policy.json b/docs/example-iam-policy.json
@@ -4,49 +4,76 @@
     {
       "Effect": "Allow",
       "Action": [
-        "ec2:CreateSnapshot",
-        "ec2:AttachVolume",
-        "ec2:DetachVolume",
-        "ec2:ModifyVolume",
         "ec2:DescribeAvailabilityZones",
         "ec2:DescribeInstances",
         "ec2:DescribeSnapshots",
         "ec2:DescribeTags",
         "ec2:DescribeVolumes",
-        "ec2:DescribeVolumesModifications",
-        "ec2:EnableFastSnapshotRestores"
+        "ec2:DescribeVolumesModifications"
       ],
       "Resource": "*"
     },
     {
       "Effect": "Allow",
       "Action": [
-        "ec2:CreateTags"
+        "ec2:CreateSnapshot",
+        "ec2:ModifyVolume"
+      ],
+      "Resource": "arn:aws:ec2:*:*:volume/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:AttachVolume",
+        "ec2:DetachVolume"
       ],
       "Resource": [
-        "arn:*:ec2:*:*:volume/*",
-        "arn:*:ec2:*:*:snapshot/*"
+        "arn:aws:ec2:*:*:volume/*",
+        "arn:aws:ec2:*:*:instance/*"
       ]
     },
     {
       "Effect": "Allow",
       "Action": [
-        "ec2:DeleteTags"
+        "ec2:CreateVolume",
+        "ec2:EnableFastSnapshotRestores"
+      ],
+      "Resource": "arn:aws:ec2:*:*:snapshot/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateTags"
       ],
       "Resource": [
-        "arn:*:ec2:*:*:volume/*",
-        "arn:*:ec2:*:*:snapshot/*"
-      ]
+        "arn:aws:ec2:*:*:volume/*",
+        "arn:aws:ec2:*:*:snapshot/*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "ec2:CreateAction": [
+            "CreateVolume",
+            "CreateSnapshot"
+          ]
+        }
+      }
     },
     {
       "Effect": "Allow",
       "Action": [
-        "ec2:CreateVolume"
+        "ec2:CreateTags",
+        "ec2:DeleteTags"
+      ],
+      "Resource": [
+        "arn:aws:ec2:*:*:volume/*",
+        "arn:aws:ec2:*:*:snapshot/*"
       ],
-      "Resource": "arn:*:ec2:*:*:volume/*",
       "Condition": {
-        "StringLike": {
-          "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+        "StringNotLike": {
+          "aws:RequestTag/ebs.csi.aws.com/cluster": "*",
+          "aws:RequestTag/CSIVolumeName": "*",
+          "aws:RequestTag/CSIVolumeSnapshotName": "*",
+          "aws:RequestTag/kubernetes.io/created-for/pvc/name": "*"
         }
       }
     },
@@ -55,10 +82,10 @@
       "Action": [
         "ec2:CreateVolume"
       ],
-      "Resource": "arn:*:ec2:*:*:volume/*",
+      "Resource": "arn:aws:ec2:*:*:volume/*",
       "Condition": {
         "StringLike": {
-          "aws:RequestTag/CSIVolumeName": "*"
+          "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
         }
       }
     },
@@ -67,14 +94,19 @@
       "Action": [
         "ec2:CreateVolume"
       ],
-      "Resource": "arn:*:ec2:*:*:snapshot/*"
+      "Resource": "arn:aws:ec2:*:*:volume/*",
+      "Condition": {
+        "StringLike": {
+          "aws:RequestTag/CSIVolumeName": "*"
+        }
+      }
     },
     {
       "Effect": "Allow",
       "Action": [
         "ec2:DeleteVolume"
       ],
-      "Resource": "*",
+      "Resource": "arn:aws:ec2:*:*:volume/*",
       "Condition": {
         "StringLike": {
           "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
@@ -86,7 +118,7 @@
       "Action": [
         "ec2:DeleteVolume"
       ],
-      "Resource": "*",
+      "Resource": "arn:aws:ec2:*:*:volume/*",
       "Condition": {
         "StringLike": {
           "ec2:ResourceTag/CSIVolumeName": "*"
@@ -98,19 +130,43 @@
       "Action": [
         "ec2:DeleteVolume"
       ],
-      "Resource": "*",
+      "Resource": "arn:aws:ec2:*:*:volume/*",
       "Condition": {
         "StringLike": {
           "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
         }
       }
     },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateSnapshot"
+      ],
+      "Resource": "arn:aws:ec2:*:*:snapshot/*",
+      "Condition": {
+        "StringLike": {
+          "aws:RequestTag/CSIVolumeSnapshotName": "*"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateSnapshot"
+      ],
+      "Resource": "arn:aws:ec2:*:*:snapshot/*",
+      "Condition": {
+        "StringLike": {
+          "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+        }
+      }
+    },
     {
       "Effect": "Allow",
       "Action": [
         "ec2:DeleteSnapshot"
       ],
-      "Resource": "*",
+      "Resource": "arn:aws:ec2:*:*:snapshot/*",
       "Condition": {
         "StringLike": {
           "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
@@ -122,7 +178,7 @@
       "Action": [
         "ec2:DeleteSnapshot"
       ],
-      "Resource": "*",
+      "Resource": "arn:aws:ec2:*:*:snapshot/*",
       "Condition": {
         "StringLike": {
           "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"

diff --git a/hack/e2e/kops/patch-cluster.yaml b/hack/e2e/kops/patch-cluster.yaml
@@ -30,49 +30,76 @@ spec:
         {
           "Effect": "Allow",
           "Action": [
-            "ec2:CreateSnapshot",
-            "ec2:AttachVolume",
-            "ec2:DetachVolume",
-            "ec2:ModifyVolume",
             "ec2:DescribeAvailabilityZones",
             "ec2:DescribeInstances",
             "ec2:DescribeSnapshots",
             "ec2:DescribeTags",
             "ec2:DescribeVolumes",
-            "ec2:DescribeVolumesModifications",
-            "ec2:EnableFastSnapshotRestores"
+            "ec2:DescribeVolumesModifications"
           ],
           "Resource": "*"
         },
         {
           "Effect": "Allow",
           "Action": [
-            "ec2:CreateTags"
+            "ec2:CreateSnapshot",
+            "ec2:ModifyVolume"
+          ],
+          "Resource": "arn:aws:ec2:*:*:volume/*"
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "ec2:AttachVolume",
+            "ec2:DetachVolume"
           ],
           "Resource": [
-            "arn:*:ec2:*:*:volume/*",
-            "arn:*:ec2:*:*:snapshot/*"
+            "arn:aws:ec2:*:*:volume/*",
+            "arn:aws:ec2:*:*:instance/*"
           ]
         },
         {
           "Effect": "Allow",
           "Action": [
-            "ec2:DeleteTags"
+            "ec2:CreateVolume",
+            "ec2:EnableFastSnapshotRestores"
+          ],
+          "Resource": "arn:aws:ec2:*:*:snapshot/*"
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "ec2:CreateTags"
           ],
           "Resource": [
-            "arn:*:ec2:*:*:volume/*",
-            "arn:*:ec2:*:*:snapshot/*"
-          ]
+            "arn:aws:ec2:*:*:volume/*",
+            "arn:aws:ec2:*:*:snapshot/*"
+          ],
+          "Condition": {
+            "StringEquals": {
+              "ec2:CreateAction": [
+                "CreateVolume",
+                "CreateSnapshot"
+              ]
+            }
+          }
         },
         {
           "Effect": "Allow",
           "Action": [
-            "ec2:CreateVolume"
+            "ec2:CreateTags",
+            "ec2:DeleteTags"
+          ],
+          "Resource": [
+            "arn:aws:ec2:*:*:volume/*",
+            "arn:aws:ec2:*:*:snapshot/*"
           ],
-          "Resource": "arn:*:ec2:*:*:volume/*",
           "Condition": {
-            "StringLike": {
-              "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+            "StringNotLike": {
+              "aws:RequestTag/ebs.csi.aws.com/cluster": "*",
+              "aws:RequestTag/CSIVolumeName": "*",
+              "aws:RequestTag/CSIVolumeSnapshotName": "*",
+              "aws:RequestTag/kubernetes.io/created-for/pvc/name": "*"
             }
           }
         },
@@ -81,10 +108,10 @@ spec:
           "Action": [
             "ec2:CreateVolume"
           ],
-          "Resource": "arn:*:ec2:*:*:volume/*",
+          "Resource": "arn:aws:ec2:*:*:volume/*",
           "Condition": {
             "StringLike": {
-              "aws:RequestTag/CSIVolumeName": "*"
+              "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
             }
           }
         },
@@ -93,14 +120,19 @@ spec:
           "Action": [
             "ec2:CreateVolume"
           ],
-          "Resource": "arn:*:ec2:*:*:snapshot/*"
+          "Resource": "arn:aws:ec2:*:*:volume/*",
+          "Condition": {
+            "StringLike": {
+              "aws:RequestTag/CSIVolumeName": "*"
+            }
+          }
         },
         {
           "Effect": "Allow",
           "Action": [
             "ec2:DeleteVolume"
           ],
-          "Resource": "*",
+          "Resource": "arn:aws:ec2:*:*:volume/*",
           "Condition": {
             "StringLike": {
               "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
@@ -112,7 +144,7 @@ spec:
           "Action": [
             "ec2:DeleteVolume"
           ],
-          "Resource": "*",
+          "Resource": "arn:aws:ec2:*:*:volume/*",
           "Condition": {
             "StringLike": {
               "ec2:ResourceTag/CSIVolumeName": "*"
@@ -124,19 +156,43 @@ spec:
           "Action": [
             "ec2:DeleteVolume"
           ],
-          "Resource": "*",
+          "Resource": "arn:aws:ec2:*:*:volume/*",
           "Condition": {
             "StringLike": {
               "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
             }
           }
         },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "ec2:CreateSnapshot"
+          ],
+          "Resource": "arn:aws:ec2:*:*:snapshot/*",
+          "Condition": {
+            "StringLike": {
+              "aws:RequestTag/CSIVolumeSnapshotName": "*"
+            }
+          }
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "ec2:CreateSnapshot"
+          ],
+          "Resource": "arn:aws:ec2:*:*:snapshot/*",
+          "Condition": {
+            "StringLike": {
+              "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+            }
+          }
+        },
         {
           "Effect": "Allow",
           "Action": [
             "ec2:DeleteSnapshot"
           ],
-          "Resource": "*",
+          "Resource": "arn:aws:ec2:*:*:snapshot/*",
           "Condition": {
             "StringLike": {
               "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
@@ -148,7 +204,7 @@ spec:
           "Action": [
             "ec2:DeleteSnapshot"
           ],
-          "Resource": "*",
+          "Resource": "arn:aws:ec2:*:*:snapshot/*",
           "Condition": {
             "StringLike": {
               "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"