give kindnet permissions in aws to disable the src dst check

Change-Id: I11436822e7c8549b294f1a2d23c0d169376cbf23
kubernetes · Jan 2, 2025 · b74c57b · b74c57b
1 parent 9e9e0a5
commit b74c57b
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/pkg/model/components/kindnet.go b/pkg/model/components/kindnet.go
@@ -41,7 +41,7 @@ func (b *KindnetOptionsBuilder) BuildOptions(o *kops.Cluster) error {
 	}
 
 	// Kindnet should masquerade well known ranges if kops is not doing it
-	if c.Masquerade == nil && clusterSpec.Networking.NonMasqueradeCIDR == "" {
+	if c.Masquerade == nil {
 		c.Masquerade = &kops.KindnetMasqueradeSpec{
 			Enabled: fi.PtrTo(true),
 		}

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
@@ -374,6 +374,10 @@ func (r *NodeRoleAPIServer) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addCalicoSrcDstCheckPermissions(p)
 	}
 
+	if b.Cluster.Spec.Networking.Kindnet != nil {
+		addKindnetSrcDstCheckPermissions(p)
+	}
+
 	return p, nil
 }
 
@@ -438,6 +442,10 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addCalicoSrcDstCheckPermissions(p)
 	}
 
+	if b.Cluster.Spec.Networking.Kindnet != nil {
+		addKindnetSrcDstCheckPermissions(p)
+	}
+
 	return p, nil
 }
 
@@ -469,6 +477,10 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addKubeRouterSrcDstCheckPermissions(p)
 	}
 
+	if b.Cluster.Spec.Networking.Kindnet != nil {
+		addKindnetSrcDstCheckPermissions(p)
+	}
+
 	return p, nil
 }
 
@@ -777,6 +789,13 @@ func addKubeRouterSrcDstCheckPermissions(p *Policy) {
 	)
 }
 
+func addKindnetSrcDstCheckPermissions(p *Policy) {
+	p.unconditionalAction.Insert(
+		"ec2:DescribeInstances",
+		"ec2:ModifyNetworkInterfaceAttribute",
+	)
+}
+
 func (b *PolicyBuilder) addNodeupPermissions(p *Policy, enableHookSupport bool) {
 	addCertIAMPolicies(p)
 	addKMSGenerateRandomPolicies(p)

diff --git a/...cluster/privatekindnet/data/aws_iam_role_policy_masters.privatekindnet.example.com_policy b/...cluster/privatekindnet/data/aws_iam_role_policy_masters.privatekindnet.example.com_policy
@@ -185,6 +185,7 @@
         "ec2:DescribeVolumesModifications",
         "ec2:DescribeVpcs",
         "ec2:GetInstanceTypesFromInstanceRequirements",
+        "ec2:ModifyNetworkInterfaceAttribute",
         "elasticloadbalancing:DescribeListeners",
         "elasticloadbalancing:DescribeLoadBalancerAttributes",
         "elasticloadbalancing:DescribeLoadBalancerPolicies",

diff --git a/...e_cluster/privatekindnet/data/aws_iam_role_policy_nodes.privatekindnet.example.com_policy b/...e_cluster/privatekindnet/data/aws_iam_role_policy_nodes.privatekindnet.example.com_policy
@@ -18,6 +18,7 @@
         "ec2:DescribeInstanceTypes",
         "ec2:DescribeInstances",
         "ec2:DescribeRegions",
+        "ec2:ModifyNetworkInterfaceAttribute",
         "iam:GetServerCertificate",
         "iam:ListServerCertificates",
         "kms:GenerateRandom"