From fa8c79a396ae3f84123df71aa1a696beedb8003a Mon Sep 17 00:00:00 2001
From: Kashif Saadat
Date: Mon, 24 Jul 2017 13:53:53 +0100
Subject: [PATCH 1/2] Limit IAM policy scope for compute nodes
---
 .../providers/aws/cloudformation_templates.go | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/pkg/cloudprovider/providers/aws/cloudformation_templates.go b/pkg/cloudprovider/providers/aws/cloudformation_templates.go
index c251a3d..fe450a9 100644
--- a/pkg/cloudprovider/providers/aws/cloudformation_templates.go
+++ b/pkg/cloudprovider/providers/aws/cloudformation_templates.go
@@ -660,13 +660,19 @@ Resources:
 - !Ref InstanceRole
 PolicyDocument:
 Statement:
- - Resource: "*"
+ - Resource:
+ - Fn::Sub: "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
 Effect: Allow
 Action:
 - ec2:CreateTags
- - ec2:DescribeInstances
- - ec2:DescribeTags
- - ec2:DescribeVpcs
+ Condition:
+ StringEquals:
+ 'ec2:ResourceTag/cluster-name': "{{ .ComputePool.ClusterName }}"
+ 'aws:RequestTag/KubeletToken': "Success"
+ - Resource: "*"
+ Effect: Allow
+ Action:
+ - "ec2:Describe*"
 - Resource:
 - Fn::Sub: "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{{ .StackName }}/*"
 Effect: Allow
From 0f5760f97034c8e7132ffa5379ea3d41021b4b75 Mon Sep 17 00:00:00 2001
From: Kashif Saadat
Date: Mon, 24 Jul 2017 18:02:44 +0100
Subject: [PATCH 2/2] Limit IAM instance policy for master nodes
---
 .../providers/aws/cloudformation_templates.go | 43 +++++++++----------
 1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/pkg/cloudprovider/providers/aws/cloudformation_templates.go b/pkg/cloudprovider/providers/aws/cloudformation_templates.go
index fe450a9..683a69e 100644
--- a/pkg/cloudprovider/providers/aws/cloudformation_templates.go
+++ b/pkg/cloudprovider/providers/aws/cloudformation_templates.go
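Review bot: The new `Condition` on the `ec2:CreateTags` statement checks `aws:RequestTag/KubeletToken` but never bounds the set of tag keys in the request, so a node can still set or overwrite any other tag, `cluster-name` included, on any instance in the cluster within the same call; adding `ForAllValues:StringEquals:` with `'aws:TagKeys': [KubeletToken]` under the same `Condition` would pin the call to that one key. The resource is `instance/*` across the whole cluster rather than the calling node, which is presumably intentional, but `ec2:SourceInstanceARN` is worth evaluating if a node only ever needs to tag itself. The replacement `ec2:Describe*` on `*` is also wider than the three Describe calls it removes (it covers every EC2 read in the account, instance attributes such as user data included), so enumerating the calls the kubelet actually needs keeps the policy at the scope the commit title claims. The policy resource this statement belongs to starts before the hunk.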
@@ -390,25 +390,6 @@ Resources:
 Effect: Allow
 Action:
 - autoscaling:DescribeAutoScalingGroups
- - ec2:CreateTags
- - ec2:DescribeTags
- - ec2:DescribeInstances
- - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}"
- Effect: Allow
- Action:
- - "s3:List*"
- - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}/*"
- Effect: Allow
- Action:
- - "s3:Get*"
- - Resource:
- - Fn::Sub: "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{{ .StackName }}/*"
- Effect: Allow
- Action:
- - cloudformation:DescribeStacks
- - Resource: "*"
- Effect: Allow
- Action:
 - ec2:AttachNetworkInterface
 - ec2:AttachVolume
 - ec2:AuthorizeSecurityGroupEgress
@@ -435,15 +416,33 @@ Resources:
 - ec2:ModifyNetworkInterfaceAttribute
 - ec2:RevokeSecurityGroupEgress
 - ec2:RevokeSecurityGroupIngress
- - elasticloadbalancing:ConfigureHealthCheck
 - elasticloadbalancing:Create*
+ - elasticloadbalancing:Describe*
+ - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}"
+ Effect: Allow
+ Action:
+ - "s3:List*"
+ - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}/*"
+ Effect: Allow
+ Action:
+ - "s3:Get*"
+ - Resource:
+ - Fn::Sub: "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{{ .StackName }}/*"
+ Effect: Allow
+ Action:
+ - cloudformation:DescribeStacks
+ - Resource: "*"
+ Effect: Allow
+ Action:
+ - elasticloadbalancing:ConfigureHealthCheck
 - elasticloadbalancing:Delete*
 - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
- - elasticloadbalancing:DescribeLoadBalancerAttributes
- - elasticloadbalancing:DescribeLoadBalancers
 - elasticloadbalancing:ModifyLoadBalancerAttributes
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
 - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
+ Condition:
+ StringEquals:
+ 'elasticloadbalancing:ResourceTag/cluster-name': "{{ .MasterPool.ClusterName }}"
 
 {{ $masterPool := .MasterPool -}}
 {{ $userData := .UserData -}}
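Review bot: The `Condition` added at the end of the `Resource: "*"` load-balancer statement makes `ConfigureHealthCheck`, `Delete*`, `DeregisterInstancesFromLoadBalancer`, `ModifyLoadBalancerAttributes`, `RegisterInstancesWithLoadBalancer` and `SetLoadBalancerPoliciesForBackendServer` work only on load balancers that already carry a `cluster-name` tag, and nothing in the hunk shows that tag being applied at creation (`elasticloadbalancing:Create*` stays in the unconditioned statement that opens before the hunk, and no `elasticloadbalancing:AddTags` appears), so an untagged load balancer would be created successfully and then be denied every later mutating call. If the controller does tag its load balancers, a short YAML comment above the condition stating that invariant would save the next reader the same check, e.g. `# Mutating ELB calls are gated on the cluster-name tag; every ELB this cluster creates must carry it.` The creation side is also not bounded the way patch 1 bounds `ec2:CreateTags` with `aws:RequestTag`; whether that condition key is honoured on create for this load balancer type needs checking, but if it is, applying it to `Create*` would close the gap.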