Created
April 18, 2017 20:02
-
-
Save chrislovecnm/4f5de81adcc0e37d290198190e981ed4 to your computer and use it in GitHub Desktop.
JSON for IAM kops master
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //All the resource "*" we can prune down to a | |
| //"Resource": "arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME" | |
| //which is tied to a VPC | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| // This is used by the autoscaling components | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "autoscaling:CreateAutoScalingGroup", | |
| "autoscaling:CreateLaunchConfiguration", | |
| "autoscaling:DescribeAutoScalingGroups", | |
| "autoscaling:DescribeLaunchConfigurations", | |
| "autoscaling:DescribeScalingActivities", | |
| "autoscaling:UpdateAutoScalingGroup" | |
| ], | |
| "Resource": "*" | |
| }, | |
| // we may be able to prune this down a bit | |
| // These are used by Kubernetes to do things such as | |
| // 1. crud for persitent Volumes | |
| // 2. autoscaling | |
| // 3. create tags for elbs and volumes | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:AuthorizeSecurityGroupEgress", | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:CreateSecurityGroup", | |
| "ec2:CreateTags", | |
| "ec2:CreateVolume", | |
| "ec2:DescribeAddresses", | |
| "ec2:DescribeAvailabilityZones", | |
| "ec2:DescribeInstances", | |
| "ec2:DescribeInternetGateways", | |
| "ec2:DescribeRegions", | |
| "ec2:DescribeRouteTables", | |
| "ec2:DescribeSecurityGroups", | |
| "ec2:DescribeSubnets", | |
| "ec2:DescribeTags", | |
| "ec2:DescribeVpcs", | |
| // need to check on this one | |
| "ec2:ModifySubnetAttribute", | |
| "ec2:RevokeSecurityGroupEgress", | |
| ], | |
| "Resource": "*" | |
| }, | |
| // these are used by k8s to create internal ELBs for load balancing | |
| // microservices and other applications | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| // have not testing the * policies | |
| "elasticloadbalancing:Create*", | |
| "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", | |
| "elasticloadbalancing:AttachLoadBalancerToSubnets", | |
| "elasticloadbalancing:ConfigureHealthCheck", | |
| "elasticloadbalancing:Describe*", | |
| "elasticloadbalancing:Delete*", | |
| "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
| "elasticloadbalancing:DetachLoadBalancerFromSubnets", | |
| "elasticloadbalancing:ModifyLoadBalancerAttributes", | |
| "elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
| "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" | |
| ], | |
| "Resource": "*" | |
| }, | |
| // these are used by k8s to update api level records for the masters | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "route53:ChangeResourceRecordSets", | |
| "route53:GetChange", | |
| "route53:GetHostedZone", | |
| "route53:ListHostedZones", | |
| "route53:ListResourceRecordSets" | |
| ], | |
| "Resource": "*" | |
| }, | |
| // This is needed if we are using iam ssl certs | |
| // on ELBs | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:ListServerCertificates", | |
| "iam:GetServerCertificate" | |
| ], | |
| "Resource": "*" | |
| } | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:PutObject", | |
| "s3:GetObject", | |
| "s3:DeleteObject" | |
| ], | |
| "Resource": "arn:aws:s3:::*" | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
e2e tests use this
{ "Action": [ "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets", "route53:GetHostedZone" ], "Effect": "Allow", "Resource": [ "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" ] }, { "Action": [ "route53:GetChange" ], "Effect": "Allow", "Resource": [ "arn:aws:route53:::change/*" ] }, { "Action": [ "route53:ListHostedZones" ], "Effect": "Allow", "Resource": [ "*" ] }