
Commit 3c67369

authored
fix the iam permissions (#1498)
1 parent 9ed22ce commit 3c67369


3 files changed

+60
-64
lines changed


docs/guide/upgrade/migrate_v1_v2.md

Lines changed: 2 additions & 3 deletions
@@ -8,7 +8,6 @@ This document contains the information necessary to migrate from an existing ins
88
If you have AWSALBIngressController(<1.1.3) installed, you need to upgrade to version>=v1.1.3(e.g. v1.1.9) first.
99

1010

11-
1211
## Backwards compatibility
1312
The AWSLoadBalancerController(v2.0.0) is backwards-compatible with AWSALBIngressController(>=v1.1.3).
1413

@@ -29,7 +28,7 @@ foo@bar:~$ kubectl describe deployment -n kube-system alb-ingress-controller |
2928
Existing Ingress resources do not need to be deleted.
3029

3130
3. Install new AWSLoadBalancerController
32-
33-
Install AWSLoadBalancerController(v2.0.0) by following the [installation instructions](../controller/installation.md)
31+
1. Install AWSLoadBalancerController(v2.0.0) by following the [installation instructions](../controller/installation.md)
32+
2. Grant [additional IAM policy](../../install/iam_policy_v1_to_v2_additional.json) needed for migration to the controller.
3433

3534
4. Verify all Ingresses works as expected.

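--- a/docs/install/iam_policy.json
+++ b/docs/install/iam_policy.json
@@ -70,13 +70,13 @@
 "Action": [
 "ec2:CreateTags"
 ],
-"Resource": "*",
+"Resource": "arn:aws:ec2:*:*:security-group/*",
 "Condition": {
 "StringEquals": {
 "ec2:CreateAction": "CreateSecurityGroup"
 },
 "Null": {
-"aws:RequestTag/ingress.k8s.aws/cluster": "false"
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
 }
 }
 },
@@ -86,11 +86,11 @@
 "ec2:CreateTags",
 "ec2:DeleteTags"
 ],
-"Resource": "*",
+"Resource": "arn:aws:ec2:*:*:security-group/*",
 "Condition": {
 "Null": {
-"aws:RequestTag/ingress.k8s.aws/cluster": "true",
-"aws:ResourceTag/ingress.k8s.aws/cluster": "false"
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
 }
 }
 },
@@ -104,22 +104,20 @@
 "Resource": "*",
 "Condition": {
 "Null": {
-"aws:ResourceTag/ingress.k8s.aws/cluster": "false"
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
 }
 }
 },
 {
 "Effect": "Allow",
 "Action": [
-"elasticloadbalancing:CreateLoadBalancer"
+"elasticloadbalancing:CreateLoadBalancer",
+"elasticloadbalancing:CreateTargetGroup"
 ],
 "Resource": "*",
 "Condition": {
-"ForAnyValue:StringEquals": {
-"aws:TagKeys": [
-"ingress.k8s.aws/cluster",
-"service.k8s.aws/cluster"
-]
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
 }
 }
 },
@@ -129,8 +127,7 @@
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:DeleteListener",
 "elasticloadbalancing:CreateRule",
-"elasticloadbalancing:DeleteRule",
-"elasticloadbalancing:CreateTargetGroup"
+"elasticloadbalancing:DeleteRule"
 ],
 "Resource": "*"
 },
@@ -140,64 +137,35 @@
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:RemoveTags"
 ],
-"Resource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/*",
-"Condition": {
-"Null": {
-"aws:RequestTag/ingress.k8s.aws/cluster": "true",
-"aws:ResourceTag/ingress.k8s.aws/cluster": "false"
-}
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"elasticloadbalancing:AddTags",
-"elasticloadbalancing:RemoveTags"
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/*",
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*"
 ],
-"Resource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/*",
 "Condition": {
 "Null": {
-"aws:RequestTag/service.k8s.aws/cluster": "true",
-"aws:ResourceTag/service.k8s.aws/cluster": "false"
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
 }
 }
 },
-{
-"Effect": "Allow",
-"Action": [
-"elasticloadbalancing:AddTags",
-"elasticloadbalancing:RemoveTags"
-],
-"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*"
-},
 {
 "Effect": "Allow",
 "Action": [
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:SetIpAddressType",
 "elasticloadbalancing:SetSecurityGroups",
 "elasticloadbalancing:SetSubnets",
-"elasticloadbalancing:DeleteLoadBalancer"
-],
-"Resource": "*",
-"Condition": {
-"Null": {
-"aws:ResourceTag/ingress.k8s.aws/cluster": "false"
-}
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"elasticloadbalancing:ModifyLoadBalancerAttributes",
-"elasticloadbalancing:SetIpAddressType",
-"elasticloadbalancing:SetSubnets",
-"elasticloadbalancing:DeleteLoadBalancer"
+"elasticloadbalancing:DeleteLoadBalancer",
+"elasticloadbalancing:ModifyTargetGroup",
+"elasticloadbalancing:ModifyTargetGroupAttributes",
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:DeregisterTargets",
+"elasticloadbalancing:DeleteTargetGroup"
 ],
 "Resource": "*",
 "Condition": {
 "Null": {
-"aws:ResourceTag/service.k8s.aws/cluster": "false"
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
 }
 }
 },
@@ -208,12 +176,7 @@
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:AddListenerCertificates",
 "elasticloadbalancing:RemoveListenerCertificates",
-"elasticloadbalancing:ModifyRule",
-"elasticloadbalancing:ModifyTargetGroup",
-"elasticloadbalancing:ModifyTargetGroupAttributes",
-"elasticloadbalancing:RegisterTargets",
-"elasticloadbalancing:DeregisterTargets",
-"elasticloadbalancing:DeleteTargetGroup"
+"elasticloadbalancing:ModifyRule"
 ],
 "Resource": "*"
 }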
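Review bot: In the `@@ -140,64 +137,35 @@` hunk the merged AddTags/RemoveTags statement is guarded only by `Null` tests on `aws:RequestTag/elbv2.k8s.aws/cluster` and `aws:ResourceTag/elbv2.k8s.aws/cluster`; a RemoveTags call carries no request tags, so the first test is trivially true and the statement still lets the controller delete the `elbv2.k8s.aws/cluster` tag from its own load balancers and target groups, which silently moves them outside every other tag-conditioned statement in this policy. If that is not intended, the statement (and the `ec2:DeleteTags` one at `@@ -86,11 +86,11 @@`, plus both statements of the new iam_policy_v1_to_v2_additional.json) could add a key guard such as `"ForAllValues:StringNotEquals": { "aws:TagKeys": ["elbv2.k8s.aws/cluster"] }`, after confirming in the account that `aws:TagKeys` is populated for RemoveTags/DeleteTags. Separately, the `@@ -129,8 +127,7 @@` hunk leaves CreateListener/DeleteListener/CreateRule/DeleteRule on `"Resource": "*"` with no condition, so those remain account-wide rather than cluster-scoped; if the listener and rule resource types cannot be tag-conditioned, a one-line comment in the policy docs stating that limitation would help reviewers of the role.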
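--- /dev/null
+++ b/docs/install/iam_policy_v1_to_v2_additional.json
@@ -0,0 +1,34 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags",
+"ec2:DeleteTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/ingress.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/*",
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*"
+],
+"Condition": {
+"Null": {
+"aws:ResourceTag/ingress.k8s.aws/cluster": "false"
+}
+}
+}
+]
+}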
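Review bot: The new migration policy is a standing grant, and neither this file nor the migration guide says when it should be detached; it exists only so the v2 controller can re-tag resources still carrying the v1 `ingress.k8s.aws/cluster` tag, so the guide's step 2 should be paired with a closing step that removes the policy from the controller role once step 4 (all Ingresses verified) has passed, leaving the permanent iam_policy.json alone. The v1 statements removed from iam_policy.json in this commit also keyed on `service.k8s.aws/cluster`, which this additional policy does not cover; if any resource the v2 controller must adopt carries only that tag, its tag operations will be denied during migration, so the omission is worth either confirming as intentional or stating in the guide. The file path is not printed on this page and is taken from the link added in migrate_v1_v2.md.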
