Update eks permissions (kubernetes-sigs#493)
iamjanr authored Feb 26, 2024
1 parent 21a26da commit 2922a78
Showing 5 changed files with 6 additions and 1 deletion.
1 change: 1 addition & 0 deletions docs/aws/Permissions/EKS/eks_Errros.md
Expand Up @@ -95,3 +95,4 @@ $> aws sts decode-authorization-message --encoded-message <encoded message from
| ERROR "Reconciler error" err="failed to reconcile control plane for AWSManagedControlPlane cluster-eks-cl02/eks-cl02-control-plane: failed reconciling cluster version: failed to update EKS cluster: AccessDeniedException: User is not authorized to perform this action" controller="awsmanagedcontrolplane" controllerGroup="controlplane.cluster.x-k8s.io" controllerKind="AWSManagedControlPlane" AWSManagedControlPlane="cluster-eks-cl02/eks-cl02-control-plane" namespace="cluster-eks-cl02" name="eks-cl02-control-plane" reconcileID="27682de5-0bc5-4fb5-97b6-33ea18a3cf6d". | 83 |
| ERROR "Reconciler error" err="failed to reconcile network for AWSManagedControlPlane cluster-eks-cl01/eks-cl01-control-plane: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::<account-id>:user/cloud-provisioner-eks is not authorized to perform: ec2:AssociateVpcCidrBlock on resource: arn:aws:ec2:eu-west-1:<account-id>:vpc/<vpc-id> because no identity-based policy allows the ec2:AssociateVpcCidrBlock action. | 84 |
| ERROR failed to modify network interfaces on instance "i-09beac8d97ff9dcee": failed to modify interface "eni-0e1891db15e7b4b17" to have security groups [sg-0b0568ce15f34f4b3 sg-00ea9d4da6fb534a7]: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::963353511234:user/cloud-provisioner-eks is not authorized to perform: ec2:ModifyNetworkInterfaceAttribute on resource: arn:aws:ec2:eu-west-1:963353511234:security-group/sg-00ea9d4da6fb534a7 because no identity-based policy allows the ec2:ModifyNetworkInterfaceAttribute action. | 85 |
| ERROR "error deleting network for AWSManagedControlPlane" err=<UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::963353511234:user/cloud-provisioner-eks is not authorized to perform: ec2:DisassociateVpcCidrBlock on resource: arn:aws:ec2:eu-west-1:963353511234:vpc/vpc-09d5be7178005aa6b because no identity-based policy allows the ec2:DisassociateVpcCidrBlock action. | 86 |
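Review bot: the new row (line 86) embeds a real-looking account ID (963353511234) and VPC ID (vpc-09d5be7178005aa6b), while the ec2:AssociateVpcCidrBlock row above uses the `<account-id>` and `<vpc-id>` placeholders; redact the new row the same way before merging (the ec2:ModifyNetworkInterfaceAttribute row has the same problem and could be fixed in the same pass). The `err=<UnauthorizedOperation: ...` fragment also has no closing `>`, so a reader cannot tell where the quoted error ends; either close it or drop the angle bracket as the other rows do. Separately, the file name eks_Errros.md is misspelled; a rename to eks_Errors.md would suit a follow-up.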
1 change: 1 addition & 0 deletions docs/aws/Permissions/EKS/eks_permission.adoc
Expand Up @@ -158,6 +158,7 @@ kubectl --kubeconfig local_kubeconfig -n cluster-<cluster-name> delete cluster <
| ec2:DeleteVpc | Attempting to delete VPC | Grants permission to delete the specified VPC. | arn:aws:ec2:eu-west-1:<account-id>:vpc/* | cloud-provisioner
| eks:DeleteCluster | Attempting to delete cluster | Grants permission to delete the specified cluster. | arn:aws:eks:eu-west-1:<account-id>:cluster/* | cloud-provisioner
| iam:DeleteOpenIDConnectProvider | Attempting to delete OpenID Connect provider | Grants permission to delete an IAM OpenID Connect (OIDC) provider resource object in IAM. | arn:aws:iam::268367799918:oidc-provider/* | cloud-provisioner
| ec2:DisassociateVpcCidrBlock | Attempting to disassociate CIDR block | Grants permission to disassociate a CIDR block from a VPC. | arn:aws:ec2:eu-west-1:<account-id>:vpc/* | cloud-provisioner
|===

=== Retain (No additional permissions needed)
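Review bot: the new ec2:DisassociateVpcCidrBlock row follows the `arn:aws:ec2:eu-west-1:<account-id>:vpc/*` placeholder convention, but the iam:DeleteOpenIDConnectProvider row directly above it still hard-codes an account ID (`arn:aws:iam::268367799918:oidc-provider/*`); change that to `arn:aws:iam::<account-id>:oidc-provider/*` while you are in this table. The trigger text "Attempting to disassociate CIDR block" would also be easier to match against logs if it named the phase, e.g. "Deleting network: disassociating CIDR block from VPC", since the error that motivated this permission is "error deleting network for AWSManagedControlPlane".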
1 change: 1 addition & 0 deletions docs/aws/Permissions/EKS/eks_permission_ref.json
Expand Up @@ -56,6 +56,7 @@
"ec2:CreateNatGateway",
"ec2:CreateSecurityGroup",
"ec2:DescribeVpcAttribute",
"ec2:DisassociateVpcCidrBlock",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ecr:BatchCheckLayerAvailability",
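Review bot: the Action array gains ec2:DisassociateVpcCidrBlock, but the hunk does not show the Resource element of the statement it belongs to; the adoc table scopes this action to `arn:aws:ec2:eu-west-1:<account-id>:vpc/*`, so confirm the statement's Resource matches that rather than `*`. Also confirm the same statement already carries ec2:AssociateVpcCidrBlock, since the error table records that action failing for the same cloud-provisioner-eks user at create time. Alphabetical placement between ec2:DescribeVpcAttribute and ec2:ModifySubnetAttribute matches the surrounding entries.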
Expand Up @@ -54,6 +54,7 @@
"ec2:CreateNatGateway",
"ec2:CreateSecurityGroup",
"ec2:DescribeVpcAttribute",
"ec2:DisassociateVpcCidrBlock",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ecr:BatchCheckLayerAvailability",
Expand Up @@ -44,7 +44,7 @@
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateRouteTable",
"ec2:AssociateVpcCidrBlock",
"ec2:AssociateVpcCidrBlock",
"ec2:AttachInternetGateway",
"ec2:CreateVpc",
"ec2:CreateRoute",
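Review bot: the removed and added lines for ec2:AssociateVpcCidrBlock are textually identical, so this must be a whitespace or line-ending change; the commit message only says the permissions were updated, so either drop this no-op hunk or mention the formatting fix in the message, otherwise blame history for that line points at a commit that did not change it.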
Expand All @@ -54,6 +54,7 @@
"ec2:CreateNatGateway",
"ec2:CreateSecurityGroup",
"ec2:DescribeVpcAttribute",
"ec2:DisassociateVpcCidrBlock",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ecr:BatchCheckLayerAvailability",
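Review bot: this is the third policy file receiving the identical one-line addition, and the copies are evidently kept in sync by hand; a missing entry in any one of them reproduces exactly the UnauthorizedOperation errors this commit fixes, so diff the Action arrays of the three files before merge and add a note in eks_permission.adoc saying which file is the reference that the others must track.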
