Add permission to Create/Delete ec2:ResourceTag/kubernetes.io/cluster…

…/* volumes so that CSI can Delete KCM-created volumes
kubernetes-sigs · Jun 16, 2021 · 59a0bb1 · 59a0bb1
1 parent 74da18e
commit 59a0bb1
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 3 deletions.
diff --git a/docs/example-iam-policy.json b/docs/example-iam-policy.json
@@ -69,6 +69,30 @@
         }
       }
     },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateVolume"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringLike": {
+          "aws:RequestTag/kubernetes.io/cluster/*": "owned"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DeleteVolume"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringLike": {
+          "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+        }
+      }
+    },
     {
       "Effect": "Allow",
       "Action": [
@@ -89,7 +113,7 @@
       "Resource": "*",
       "Condition": {
         "StringLike": {
-          "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+          "ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
         }
       }
     },
@@ -118,4 +142,4 @@
       }
     }
   ]
-}
+}
diff --git a/hack/kops-patch.yaml b/hack/kops-patch.yaml
@@ -70,6 +70,30 @@ spec:
             }
           }
         },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "ec2:CreateVolume"
+          ],
+          "Resource": "*",
+          "Condition": {
+            "StringLike": {
+              "aws:RequestTag/kubernetes.io/cluster/*": "owned"
+            }
+          }
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "ec2:DeleteVolume"
+          ],
+          "Resource": "*",
+          "Condition": {
+            "StringLike": {
+              "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+            }
+          }
+        },
         {
           "Effect": "Allow",
           "Action": [
@@ -90,7 +114,7 @@ spec:
           "Resource": "*",
           "Condition": {
             "StringLike": {
-              "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
+              "ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
             }
           }
         },