Created
April 30, 2018 03:04
-
-
Save krrrr38/0d5e9e96288ce5be2acaa0ace0ae9b81 to your computer and use it in GitHub Desktop.
kops iam roles
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "kopsK8sEC2MasterPermsDescribeResources", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:DescribeInstances", | |
| "ec2:DescribeRegions", | |
| "ec2:DescribeRouteTables", | |
| "ec2:DescribeSecurityGroups", | |
| "ec2:DescribeSubnets", | |
| "ec2:DescribeVolumes" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "kopsK8sEC2MasterPermsAllResources", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:CreateSecurityGroup", | |
| "ec2:CreateTags", | |
| "ec2:CreateVolume", | |
| "ec2:ModifyInstanceAttribute" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "kopsK8sEC2MasterPermsTaggedResources", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:AttachVolume", | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:CreateRoute", | |
| "ec2:DeleteRoute", | |
| "ec2:DeleteSecurityGroup", | |
| "ec2:DeleteVolume", | |
| "ec2:DetachVolume", | |
| "ec2:RevokeSecurityGroupIngress" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ], | |
| "Condition": { | |
| "StringEquals": { | |
| "ec2:ResourceTag/KubernetesCluster": "example.cluster.k8s.local" | |
| } | |
| } | |
| }, | |
| { | |
| "Sid": "kopsK8sASMasterPermsAllResources", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "autoscaling:DescribeAutoScalingGroups", | |
| "autoscaling:DescribeLaunchConfigurations", | |
| "autoscaling:DescribeTags", | |
| "autoscaling:GetAsgForInstance" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "kopsK8sASMasterPermsTaggedResources", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "autoscaling:SetDesiredCapacity", | |
| "autoscaling:TerminateInstanceInAutoScalingGroup", | |
| "autoscaling:UpdateAutoScalingGroup" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ], | |
| "Condition": { | |
| "StringEquals": { | |
| "autoscaling:ResourceTag/KubernetesCluster": "example.cluster.k8s.local" | |
| } | |
| } | |
| }, | |
| { | |
| "Sid": "kopsK8sELBMasterPermsRestrictive", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "elasticloadbalancing:AddTags", | |
| "elasticloadbalancing:AttachLoadBalancerToSubnets", | |
| "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", | |
| "elasticloadbalancing:CreateLoadBalancer", | |
| "elasticloadbalancing:CreateLoadBalancerPolicy", | |
| "elasticloadbalancing:CreateLoadBalancerListeners", | |
| "elasticloadbalancing:ConfigureHealthCheck", | |
| "elasticloadbalancing:DeleteLoadBalancer", | |
| "elasticloadbalancing:DeleteLoadBalancerListeners", | |
| "elasticloadbalancing:DescribeLoadBalancers", | |
| "elasticloadbalancing:DescribeLoadBalancerAttributes", | |
| "elasticloadbalancing:DetachLoadBalancerFromSubnets", | |
| "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
| "elasticloadbalancing:ModifyLoadBalancerAttributes", | |
| "elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
| "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "kopsK8sNLBMasterPermsRestrictive", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:DescribeVpcs", | |
| "elasticloadbalancing:AddTags", | |
| "elasticloadbalancing:CreateListener", | |
| "elasticloadbalancing:CreateTargetGroup", | |
| "elasticloadbalancing:DeleteListener", | |
| "elasticloadbalancing:DeleteTargetGroup", | |
| "elasticloadbalancing:DescribeListeners", | |
| "elasticloadbalancing:DescribeLoadBalancerPolicies", | |
| "elasticloadbalancing:DescribeTargetGroups", | |
| "elasticloadbalancing:DescribeTargetHealth", | |
| "elasticloadbalancing:ModifyListener", | |
| "elasticloadbalancing:ModifyTargetGroup", | |
| "elasticloadbalancing:RegisterTargets", | |
| "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "kopsMasterCertIAMPerms", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "iam:ListServerCertificates", | |
| "iam:GetServerCertificate" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "kopsK8sS3GetListBucket", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:GetBucketLocation", | |
| "s3:ListBucket" | |
| ], | |
| "Resource": [ | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt" | |
| ] | |
| }, | |
| { | |
| "Sid": "kopsK8sS3MasterBucketFullGet", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:Get*" | |
| ], | |
| "Resource": "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt/example.cluster.k8s.local/*" | |
| }, | |
| { | |
| "Sid": "kopsK8sECR", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ecr:GetAuthorizationToken", | |
| "ecr:BatchCheckLayerAvailability", | |
| "ecr:GetDownloadUrlForLayer", | |
| "ecr:GetRepositoryPolicy", | |
| "ecr:DescribeRepositories", | |
| "ecr:ListImages", | |
| "ecr:BatchGetImage" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| } | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "kopsK8sEC2NodePerms", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:DescribeInstances", | |
| "ec2:DescribeRegions" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "kopsK8sS3GetListBucket", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:GetBucketLocation", | |
| "s3:ListBucket" | |
| ], | |
| "Resource": [ | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt" | |
| ] | |
| }, | |
| { | |
| "Sid": "kopsK8sS3NodeBucketSelectiveGet", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:Get*" | |
| ], | |
| "Resource": [ | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt/example.cluster.k8s.local/addons/*", | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt/example.cluster.k8s.local/cluster.spec", | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt/example.cluster.k8s.local/config", | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt/example.cluster.k8s.local/instancegroup/*", | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt/example.cluster.k8s.local/pki/issued/*", | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt/example.cluster.k8s.local/pki/private/kube-proxy/*", | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt/example.cluster.k8s.local/pki/private/kubelet/*", | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt/example.cluster.k8s.local/pki/ssh/*", | |
| "arn:aws:s3:::kops-state-store-ruyplnunyskatlccmfibygjbhshonkgt/example.cluster.k8s.local/secrets/dockerconfig" | |
| ] | |
| }, | |
| { | |
| "Sid": "kopsK8sECR", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ecr:GetAuthorizationToken", | |
| "ecr:BatchCheckLayerAvailability", | |
| "ecr:GetDownloadUrlForLayer", | |
| "ecr:GetRepositoryPolicy", | |
| "ecr:DescribeRepositories", | |
| "ecr:ListImages", | |
| "ecr:BatchGetImage" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment