[EOS-12292] KEOS permission requirement for ECR OCI helm repos (kuber…

…netes-sigs#474) * [EOS-12292] KEOS permission requirement for ECR OCI helm repos * Re-order perm ecr:ListImages --------- Co-authored-by: iamjanr <[email protected]>
stg-0 · Feb 21, 2024 · 71171b9 · 71171b9
1 parent f9a24f6
commit 71171b9
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 6 deletions.
diff --git a/docs/aws/Permissions/AWS/aws_permission.adoc b/docs/aws/Permissions/AWS/aws_permission.adoc
@@ -254,6 +254,11 @@ aws-cl01   false   Updating worker nodes   aws-cl01   Keoscluster
 ==== Modify max_size / min_size worker_nodes (No additional permissions needed)
 ==== Upgrade kubernetes version (No additional permissions needed)
 ==== Keos Deployment (No additional permissions needed)
+[options="header"]
+| Permission | Necessary for | Description | Resource | Application
+|===
+| ecr:ListImages | Helm charts version lookup | ListImages | arn:aws:ec2:*:*:vpc/* | keos  
+|===
 ==== Custom Network Deployment
 
 [options="header"]
@@ -262,4 +267,4 @@ aws-cl01   false   Updating worker nodes   aws-cl01   Keoscluster
 | elasticloadbalancing:ConfigureHealthCheck | Attempting to configure health check | Grants permission to specify a health check configuration for the instances. |  arn:aws:elasticloadbalancing:eu-west-1:<account-id>:loadbalancer/* | cloud-provisioner
 | ec2:DescribeInstanceTypes | Attempting to describe instance types | Grants permission to describe one or more of the available instance types. |  * | cloud-provisioner
 | elasticloadbalancing:AttachLoadBalancerToSubnets | Attempting to attach load balancer to subnets | Grants permission to add one or more subnets to the set of configured subnets for the specified load balancer. |  arn:aws:elasticloadbalancing:eu-west-1:<account-id>:loadbalancer/* | cloud-provisioner
-|===
+|===
diff --git a/docs/aws/Permissions/AWS/aws_permission_ref.json b/docs/aws/Permissions/AWS/aws_permission_ref.json
@@ -55,6 +55,7 @@
                 "ec2:ReleaseAddress",
                 "ecr:BatchCheckLayerAvailability",
                 "ecr:BatchGetImage",
+		"ecr:ListImages",
                 "ecr:GetDownloadUrlForLayer",
                 "secretsmanager:CreateSecret",
                 "secretsmanager:DeleteSecret",
@@ -106,4 +107,4 @@
             "Resource": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/*"
         }
     ]
-}
+}
diff --git a/docs/aws/Permissions/EKS/eks_permission.adoc b/docs/aws/Permissions/EKS/eks_permission.adoc
@@ -274,6 +274,11 @@ kubectl --kubeconfig /home/jnovoa/.kube/configs/remote_kubeconfig -n cluster-<cl
 aws eks update-addon --cluster-name <cluster-name> --addon-name vpc-cni --addon-version v1.13.4-eksbuild.1 --resolve-conflicts OVERWRITE
 ----
 ==== Keos Deployment (No additional permissions needed)
+[options="header"]
+| Permission | Necessary for | Description | Resource | Application
+|===
+| ecr:ListImages | Helm charts version lookup | ListImages | arn:aws:ec2:*:*:vpc/* | keos  
+|===
 ==== Custom Network Deployment (Pdte)
 [options="header"]
 | Permission | Necessary for | Description | Resource | Application

diff --git a/stratio-docs/en/modules/ROOT/assets/attachments/stratio-aws-unmanaged-policy.json b/stratio-docs/en/modules/ROOT/assets/attachments/stratio-aws-unmanaged-policy.json
@@ -53,6 +53,7 @@
                 "ec2:ReleaseAddress",
                 "ecr:BatchCheckLayerAvailability",
                 "ecr:BatchGetImage",
+                "ecr:ListImages",
                 "ecr:GetDownloadUrlForLayer",
                 "secretsmanager:CreateSecret",
                 "secretsmanager:DeleteSecret",
@@ -101,4 +102,4 @@
             "Resource": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/*"
         }
     ]
-}
+}
diff --git a/stratio-docs/en/modules/ROOT/assets/attachments/stratio-eks-policy.json b/stratio-docs/en/modules/ROOT/assets/attachments/stratio-eks-policy.json
@@ -56,6 +56,7 @@
               "ec2:ModifyVpcAttribute",
               "ecr:BatchCheckLayerAvailability",
               "ecr:BatchGetImage",
+              "ecr:ListImages",
               "ecr:GetDownloadUrlForLayer",
               "eks:DescribeCluster",
               "eks:CreateAddon",
@@ -117,4 +118,4 @@
           ]
       }
   ]
-}
+}
diff --git a/stratio-docs/es/modules/ROOT/assets/attachments/stratio-aws-unmanaged-policy.json b/stratio-docs/es/modules/ROOT/assets/attachments/stratio-aws-unmanaged-policy.json
@@ -53,6 +53,7 @@
                 "ec2:ReleaseAddress",
                 "ecr:BatchCheckLayerAvailability",
                 "ecr:BatchGetImage",
+                "ecr:ListImages",
                 "ecr:GetDownloadUrlForLayer",
                 "secretsmanager:CreateSecret",
                 "secretsmanager:DeleteSecret",
@@ -101,4 +102,4 @@
             "Resource": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/*"
         }
     ]
-}
+}
diff --git a/stratio-docs/es/modules/ROOT/assets/attachments/stratio-eks-policy.json b/stratio-docs/es/modules/ROOT/assets/attachments/stratio-eks-policy.json
@@ -56,6 +56,7 @@
               "ec2:ModifyVpcAttribute",
               "ecr:BatchCheckLayerAvailability",
               "ecr:BatchGetImage",
+              "ecr:ListImages",
               "ecr:GetDownloadUrlForLayer",
               "eks:DescribeCluster",
               "eks:CreateAddon",
@@ -117,4 +118,4 @@
           ]
       }
   ]
-}
+}