
Commit 7275322

committed
[DO NOT MERGE] Testing Minimal Policy
1 parent 33be568 commit 7275322


2 files changed

+170
-125
lines changed


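--- a/docs/example-iam-policy.json
+++ b/docs/example-iam-policy.json
@@ -1,67 +1,89 @@
 {
-  "Version": "2012-10-17",
-  "Statement": [
+  "Version" : "2012-10-17",
+  "Statement" : [
     {
-      "Effect": "Allow",
-      "Action": [
+      "Effect" : "Allow",
+      "Action" : [
         "ec2:DescribeAvailabilityZones",
         "ec2:DescribeInstances",
         "ec2:DescribeSnapshots",
-        "ec2:DescribeTags",
         "ec2:DescribeVolumes",
         "ec2:DescribeVolumesModifications",
         "ec2:DescribeVolumeStatus"
       ],
-      "Resource": "*"
+      "Resource" : "*"
     },
     {
-      "Effect": "Allow",
-      "Action": [
+      "Effect" : "Allow",
+      "Action" : [
         "ec2:CreateSnapshot",
         "ec2:ModifyVolume"
       ],
-      "Resource": "arn:aws:ec2:*:*:volume/*"
+      "Resource" : "arn:aws:ec2:*:*:volume/*",
+      "Condition" : {
+        "StringLike" : {
+          "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true"
+        }
+      }
     },
     {
-      "Effect": "Allow",
-      "Action": [
+      "Effect" : "Allow",
+      "Action" : [
         "ec2:CopyVolumes"
       ],
-      "Resource": [
-        "arn:aws:ec2:*:*:volume/vol-*"
-      ]
+      "Resource" : "arn:aws:ec2:*:*:volume/vol-*",
+      "Condition" : {
+        "StringLike" : {
+          "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true"
+        }
+      }
     },
     {
-      "Effect": "Allow",
-      "Action": [
+      "Effect" : "Allow",
+      "Action" : [
         "ec2:AttachVolume",
         "ec2:DetachVolume"
       ],
-      "Resource": [
-        "arn:aws:ec2:*:*:volume/*",
-        "arn:aws:ec2:*:*:instance/*"
-      ]
+      "Resource" : "arn:aws:ec2:*:*:volume/*",
+      "Condition" : {
+        "StringLike" : {
+          "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true"
+        }
+      }
     },
     {
-      "Effect": "Allow",
-      "Action": [
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:AttachVolume",
+        "ec2:DetachVolume"
+      ],
+      "Resource" : "arn:aws:ec2:*:*:instance/*"
+    },
+    {
+      "Effect" : "Allow",
+      "Action" : [
         "ec2:CreateVolume",
         "ec2:EnableFastSnapshotRestores"
       ],
-      "Resource": "arn:aws:ec2:*:*:snapshot/*"
+      "Resource" : "arn:aws:ec2:*:*:snapshot/*",
+      "Condition" : {
+        "StringLike" : {
+          "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true"
+        }
+      }
     },
     {
-      "Effect": "Allow",
-      "Action": [
+      "Effect" : "Allow",
+      "Action" : [
         "ec2:CreateTags"
       ],
-      "Resource": [
+      "Resource" : [
         "arn:aws:ec2:*:*:volume/*",
         "arn:aws:ec2:*:*:snapshot/*"
       ],
-      "Condition": {
-        "StringEquals": {
-          "ec2:CreateAction": [
+      "Condition" : {
+        "StringEquals" : {
+          "ec2:CreateAction" : [
             "CreateVolume",
             "CreateSnapshot",
             "CopyVolumes"
@@ -70,122 +92,72 @@
       }
     },
     {
-      "Effect": "Allow",
-      "Action": [
+      "Effect" : "Allow",
+      "Action" : [
         "ec2:DeleteTags"
       ],
-      "Resource": [
+      "Resource" : [
         "arn:aws:ec2:*:*:volume/*",
         "arn:aws:ec2:*:*:snapshot/*"
-      ]
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:CreateVolume",
-        "ec2:CopyVolumes"
       ],
-      "Resource": "arn:aws:ec2:*:*:volume/*",
-      "Condition": {
-        "StringLike": {
-          "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+      "Condition" : {
+        "StringLike" : {
+          "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true"
         }
       }
     },
     {
-      "Effect": "Allow",
-      "Action": [
+      "Effect" : "Allow",
+      "Action" : [
         "ec2:CreateVolume",
         "ec2:CopyVolumes"
       ],
-      "Resource": "arn:aws:ec2:*:*:volume/*",
-      "Condition": {
-        "StringLike": {
-          "aws:RequestTag/CSIVolumeName": "*"
+      "Resource" : "arn:aws:ec2:*:*:volume/*",
+      "Condition" : {
+        "ForAnyValue:StringLike" : {
+          "aws:RequestTag/ebs.csi.aws.com/cluster" : "true",
+          "aws:RequestTag/CSIVolumeName" : "*"
         }
       }
     },
     {
-      "Effect": "Allow",
-      "Action": [
+      "Effect" : "Allow",
+      "Action" : [
         "ec2:DeleteVolume"
       ],
-      "Resource": "arn:aws:ec2:*:*:volume/*",
-      "Condition": {
-        "StringLike": {
-          "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+      "Resource" : "arn:aws:ec2:*:*:volume/*",
+      "Condition" : {
+        "ForAnyValue:StringLike" : {
+          "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true",
+          "ec2:ResourceTag/CSIVolumeName" : "*",
+          "ec2:ResourceTag/kubernetes.io/created-for/pvc/name" : "*"
         }
       }
     },
     {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:DeleteVolume"
-      ],
-      "Resource": "arn:aws:ec2:*:*:volume/*",
-      "Condition": {
-        "StringLike": {
-          "ec2:ResourceTag/CSIVolumeName": "*"
-        }
-      }
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:DeleteVolume"
-      ],
-      "Resource": "arn:aws:ec2:*:*:volume/*",
-      "Condition": {
-        "StringLike": {
-          "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
-        }
-      }
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:CreateSnapshot"
-      ],
-      "Resource": "arn:aws:ec2:*:*:snapshot/*",
-      "Condition": {
-        "StringLike": {
-          "aws:RequestTag/CSIVolumeSnapshotName": "*"
-        }
-      }
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
+      "Effect" : "Allow",
+      "Action" : [
         "ec2:CreateSnapshot"
       ],
-      "Resource": "arn:aws:ec2:*:*:snapshot/*",
-      "Condition": {
-        "StringLike": {
-          "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
-        }
-      }
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:DeleteSnapshot"
-      ],
-      "Resource": "arn:aws:ec2:*:*:snapshot/*",
-      "Condition": {
-        "StringLike": {
-          "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
+      "Resource" : "arn:aws:ec2:*:*:snapshot/*",
+      "Condition" : {
+        "ForAnyValue:StringLike" : {
+          "aws:RequestTag/CSIVolumeSnapshotName" : "*",
+          "aws:RequestTag/ebs.csi.aws.com/cluster" : "true"
         }
       }
     },
     {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:DeleteSnapshot"
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:DeleteSnapshot",
+        "ec2:LockSnapshot"
       ],
-      "Resource": "arn:aws:ec2:*:*:snapshot/*",
-      "Condition": {
-        "StringLike": {
-          "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+      "Resource" : "arn:aws:ec2:*:*:snapshot/*",
+      "Condition" : {
+        "ForAnyValue:StringLike" : {
+          "ec2:ResourceTag/CSIVolumeSnapshotName" : "*",
+          "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true"
         }
       }
     }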
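Review bot: The `ForAnyValue:StringLike` blocks (new lines 117–119, 130–133, 144–146 and 158–160) do not express "any one of these tags": IAM ANDs every key listed under a single condition operator, so the DeleteVolume statement now only permits deleting a volume that carries all three of `ebs.csi.aws.com/cluster`, `CSIVolumeName` and `kubernetes.io/created-for/pvc/name`, whereas the three statements this hunk removes allowed any one of them, and the same tightening applies to the merged CreateVolume/CopyVolumes, CreateSnapshot and DeleteSnapshot statements. `ForAnyValue` only changes how multiple values of one multivalued key are matched, and `aws:RequestTag/*` and `ec2:ResourceTag/*` are single-valued, a combination the IAM policy validator warns about as far as I recall. If OR is the intent, keep one statement per tag key with plain `StringLike`; if AND is really intended, drop the `ForAnyValue:` prefix so the policy reads as what it enforces. Separately, the `CreateVolume`/`EnableFastSnapshotRestores` statement on `snapshot/*` now requires the source snapshot to be tagged `ebs.csi.aws.com/cluster=true`, which presumably breaks restores from snapshots not created by this driver; that is worth a sentence in the docs that reference this file, since JSON allows no inline comment.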

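--- a/hack/e2e/eksctl/cluster.yaml
+++ b/hack/e2e/eksctl/cluster.yaml
@@ -26,37 +26,110 @@ iam:
   - metadata:
       name: ebs-csi-controller-sa
       namespace: kube-system
-    wellKnownPolicies:
-      ebsCSIController: true
     attachPolicy:
-      Version: '2012-10-17'
+      Version: "2012-10-17"
       Statement:
       - Effect: Allow
         Action:
-        - ec2:CopyVolumes
-        Resource: "arn:aws:ec2:*:*:volume/vol-*"
+        - ec2:DescribeAvailabilityZones
+        - ec2:DescribeInstances
+        - ec2:DescribeSnapshots
+        - ec2:DescribeVolumes
+        - ec2:DescribeVolumesModifications
+        - ec2:DescribeVolumeStatus
+        Resource: "*"
       - Effect: Allow
         Action:
-        - ec2:CopyVolumes
+        - ec2:CreateSnapshot
+        - ec2:ModifyVolume
         Resource: "arn:aws:ec2:*:*:volume/*"
         Condition:
           StringLike:
-            "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+            "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
       - Effect: Allow
         Action:
         - ec2:CopyVolumes
+        Resource: "arn:aws:ec2:*:*:volume/vol-*"
+        Condition:
+          StringLike:
+            "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+      - Effect: Allow
+        Action:
+        - ec2:AttachVolume
+        - ec2:DetachVolume
         Resource: "arn:aws:ec2:*:*:volume/*"
         Condition:
           StringLike:
-            "aws:RequestTag/CSIVolumeName": "*"
+            "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+      - Effect: Allow
+        Action:
+        - ec2:AttachVolume
+        - ec2:DetachVolume
+        Resource: "arn:aws:ec2:*:*:instance/*"
+      - Effect: Allow
+        Action:
+        - ec2:CreateVolume
+        - ec2:EnableFastSnapshotRestores
+        Resource: "arn:aws:ec2:*:*:snapshot/*"
+        Condition:
+          StringLike:
+            "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
       - Effect: Allow
         Action:
         - ec2:CreateTags
         Resource:
         - "arn:aws:ec2:*:*:volume/*"
+        - "arn:aws:ec2:*:*:snapshot/*"
         Condition:
           StringEquals:
-            "ec2:CreateAction": "CopyVolumes"
+            "ec2:CreateAction":
+            - CreateVolume
+            - CreateSnapshot
+            - CopyVolumes
+      - Effect: Allow
+        Action:
+        - ec2:DeleteTags
+        Resource:
+        - "arn:aws:ec2:*:*:volume/*"
+        - "arn:aws:ec2:*:*:snapshot/*"
+        Condition:
+          StringLike:
+            "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+      - Effect: Allow
+        Action:
+        - ec2:CreateVolume
+        - ec2:CopyVolumes
+        Resource: "arn:aws:ec2:*:*:volume/*"
+        Condition:
+          ForAnyValue:StringLike:
+            "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+            "aws:RequestTag/CSIVolumeName": "*"
+      - Effect: Allow
+        Action:
+        - ec2:DeleteVolume
+        Resource: "arn:aws:ec2:*:*:volume/*"
+        Condition:
+          ForAnyValue:StringLike:
+            "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+            "ec2:ResourceTag/CSIVolumeName": "*"
+            "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
+      - Effect: Allow
+        Action:
+        - ec2:CreateSnapshot
+        Resource: "arn:aws:ec2:*:*:snapshot/*"
+        Condition:
+          ForAnyValue:StringLike:
+            "aws:RequestTag/CSIVolumeSnapshotName": "*"
+            "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
+      - Effect: Allow
+        Action:
+        - ec2:DeleteSnapshot
+        - ec2:LockSnapshot
+        Resource: "arn:aws:ec2:*:*:snapshot/*"
+        Condition:
+          ForAnyValue:StringLike:
+            "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
+            "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
 managedNodeGroups:
   - name: ng-linux
     amiFamily: {{ .Env.AMI_FAMILY }}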
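Review bot: The inline `attachPolicy` (new lines 29–132) is a hand-maintained copy of `docs/example-iam-policy.json`, and with `wellKnownPolicies.ebsCSIController` removed the e2e controller now runs on this copy alone, so any future edit to one file that is not mirrored in the other silently stops e2e from validating the documented policy. Nothing in the hunk ties the two together; at minimum add `# Keep in sync with docs/example-iam-policy.json (the e2e cluster has no other EBS permissions)` above `attachPolicy:`, and ideally have the e2e setup render this block from the JSON instead of duplicating it. Note also that the enclosing `iam:` mapping starts before the hunk, so whether the service account also keeps `withOIDC`/other policies cannot be seen here. The `[DO NOT MERGE]` title suggests this is a probe of the minimal policy; if it is meant to land, the semantics of the `ForAnyValue:StringLike` blocks (keys under one operator are ANDed) should be confirmed against the JSON file before relying on the e2e result.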
