
Commit 9250c65

authored
Merge pull request kubernetes-sigs#2447 from richardcase/eks_encryption
fix: added missing kms permissions required for EKS encryption
2 parents 9dd9eaf + 6ef7f7a commit 9250c65


10 files changed

+484
-0
lines changed


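--- a/cmd/clusterawsadm/api/bootstrap/v1alpha1/defaults.go
+++ b/cmd/clusterawsadm/api/bootstrap/v1alpha1/defaults.go
@@ -30,6 +30,8 @@ const (
 DefaultStackName = "cluster-api-provider-aws-sigs-k8s-io"
 // DefaultPartitionName is the default security partition for AWS ARNs.
 DefaultPartitionName = "aws"
+// DefaultKMSAliasPattern is the default KMS alias.
+DefaultKMSAliasPattern = "cluster-api-provider-aws-*"
 )
 
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
@@ -85,6 +87,9 @@ func SetDefaults_AWSIAMConfigurationSpec(obj *AWSIAMConfigurationSpec) { //nolin
 infrav1.SecretBackendSecretsManager,
 }
 }
+if len(obj.EKS.KMSAliasPrefix) == 0 {
+obj.EKS.KMSAliasPrefix = DefaultKMSAliasPattern
+}
 }
 
 // SetDefaults_AWSIAMConfiguration is used by defaulter-gen.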
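Review bot: The doc comment on the new constant, `// DefaultKMSAliasPattern is the default KMS alias.`, is misleading: nothing in this change creates an alias, the value is a StringLike wildcard pattern that scopes the controllers' KMS permissions in the IAM policy template. Suggest `// DefaultKMSAliasPattern is the default alias pattern (StringLike glob) used to scope the controllers' kms:CreateGrant/kms:DescribeKey permissions to keys aliased cluster-api-provider-aws-*.` The constant is named Pattern while the field it fills in SetDefaults_AWSIAMConfigurationSpec is KMSAliasPrefix; aligning the two names, or at least the two comments, would stop readers from assuming a bare prefix is sufficient. Both the const block and SetDefaults_AWSIAMConfigurationSpec start outside the hunks shown.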

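--- a/cmd/clusterawsadm/api/bootstrap/v1alpha1/types.go
+++ b/cmd/clusterawsadm/api/bootstrap/v1alpha1/types.go
@@ -107,6 +107,10 @@ type EKSConfig struct {
 // Fargate controls the configuration of the AWS IAM role for
 // used by EKS managed machine pools.
 Fargate *AWSIAMRoleSpec `json:"fargate,omitempty"`
+// KMSAliasPrefix is prefix to use to restrict permission to KMS keys to only those that have an alias
+// name that is prefixed by this.
+// Defaults to cluster-api-provider-aws-*
+KMSAliasPrefix string `json:"kmsAliasPrefix,omitempty"`
 }
 
 // EventBridgeConfig represents configuration for enabling experimental feature to consume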
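Review bot: The doc comment on `KMSAliasPrefix` promises prefix matching, but the policy template in cluster_api_controller.go interpolates the value verbatim into `alias/%s` under a `StringLike` condition, so a user-supplied value such as `my-team-` becomes an exact alias match and only the default behaves as a prefix because it already ends in `*`. Conversely a value of `*` widens the statement to every aliased key in the account, which the comment does not warn about. Suggested replacement for the three comment lines: `// KMSAliasPrefix is a StringLike pattern matched against KMS key aliases (as alias/<value>) to scope the controllers' kms:CreateGrant and kms:DescribeKey permissions; include a trailing '*' to match by prefix, and avoid a bare '*'. Defaults to cluster-api-provider-aws-*`. The EKSConfig struct starts outside the hunk.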

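--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -379,6 +379,21 @@ func (t Template) ControllersPolicy() *infrav1.PolicyDocument {
 },
 Effect: infrav1.EffectAllow,
 },
+{
+Action: infrav1.Actions{
+"kms:CreateGrant",
+"kms:DescribeKey",
+},
+Resource: infrav1.Resources{
+"*",
+},
+Effect: infrav1.EffectAllow,
+Condition: infrav1.Conditions{
+"ForAnyValue:StringLike": map[string]string{
+"kms:ResourceAliases": fmt.Sprintf("alias/%s", t.Spec.EKS.KMSAliasPrefix),
+},
+},
+},
 }...)
 }
 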
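--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
@@ -330,6 +330,15 @@ Resources:
 Effect: Allow
 Resource:
 - '*'
+- Action:
+- kms:CreateGrant
+- kms:DescribeKey
+Condition:
+ForAnyValue:StringLike:
+kms:ResourceAliases: alias/cluster-api-provider-aws-*
+Effect: Allow
+Resource:
+- '*'
 Version: 2012-10-17
 Roles:
 - Ref: AWSIAMRoleControllers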

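--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_enable.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_enable.yaml
@@ -330,6 +330,15 @@ Resources:
 Effect: Allow
 Resource:
 - '*'
+- Action:
+- kms:CreateGrant
+- kms:DescribeKey
+Condition:
+ForAnyValue:StringLike:
+kms:ResourceAliases: alias/cluster-api-provider-aws-*
+Effect: Allow
+Resource:
+- '*'
 Version: 2012-10-17
 Roles:
 - Ref: AWSIAMRoleControllers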
