From 41a5579712b9676ee21ddc03f3ae26d990214b17 Mon Sep 17 00:00:00 2001 
From: mjsterckx
Date: Mon, 27 Feb 2023 19:58:54 +0000
Subject: [PATCH] docs: added documentation for minimal iam permissions
---
.../docs/permissions/MINIMAL-PERMISSIONS.md | 121 +++++++++++
.../ec2-resource-agent-ecs-cluster.json | 54 +++++
.../ec2-resource-agent-eks-cluster.json | 46 +++++
.../permissions/ecs-iam-instance-profile.json | 30 +++
.../ecs-resource-agent-create-role.json | 39 ++++
.../ecs-resource-agent-no-create-role.json | 27 +++
.../docs/permissions/ecs-test-agent.json | 25 +++
.../docs/permissions/ecs-workload-agent.json | 28 +++
.../permissions/eks-node-instance-role.json | 46 +++++
.../eks-resource-agent-create-cluster.json | 188 ++++++++++++++++++
.../eks-resource-agent-existing-cluster.json | 27 +++
.../eks-resource-agent-no-create-role.json | 181 +++++++++++++++++
.../docs/permissions/eks-service-role.json | 14 ++
.../docs/permissions/eksctl-config.yaml | 34 ++++
.../docs/permissions/k8s-workload-agent.json | 15 ++
.../migration-test-agent-ecs-cluster.json | 22 ++
.../migration-test-agent-eks-cluster.json | 21 ++
.../docs/permissions/sonobuoy-test-agent.json | 15 ++
.../permissions/vmware-vm-resource-agent.json | 0
.../vsphere-k8s-cluster-resource-agent.json | 0
bottlerocket/samples/RUNBOOK.md | 2 +
21 files changed, 935 insertions(+)
create mode 100644 bottlerocket/docs/permissions/MINIMAL-PERMISSIONS.md
create mode 100644 bottlerocket/docs/permissions/ec2-resource-agent-ecs-cluster.json
create mode 100644 bottlerocket/docs/permissions/ec2-resource-agent-eks-cluster.json
create mode 100644 bottlerocket/docs/permissions/ecs-iam-instance-profile.json
create mode 100644 bottlerocket/docs/permissions/ecs-resource-agent-create-role.json
create mode 100644 bottlerocket/docs/permissions/ecs-resource-agent-no-create-role.json
create mode 100644 bottlerocket/docs/permissions/ecs-test-agent.json
create mode 100644 bottlerocket/docs/permissions/ecs-workload-agent.json
create mode 100644 bottlerocket/docs/permissions/eks-node-instance-role.json
create mode 100644 bottlerocket/docs/permissions/eks-resource-agent-create-cluster.json
create mode 100644 bottlerocket/docs/permissions/eks-resource-agent-existing-cluster.json
create mode 100644 bottlerocket/docs/permissions/eks-resource-agent-no-create-role.json
create mode 100644 bottlerocket/docs/permissions/eks-service-role.json
create mode 100644 bottlerocket/docs/permissions/eksctl-config.yaml
create mode 100644 bottlerocket/docs/permissions/k8s-workload-agent.json
create mode 100644 bottlerocket/docs/permissions/migration-test-agent-ecs-cluster.json
create mode 100644 bottlerocket/docs/permissions/migration-test-agent-eks-cluster.json
create mode 100644 bottlerocket/docs/permissions/sonobuoy-test-agent.json
create mode 100644 bottlerocket/docs/permissions/vmware-vm-resource-agent.json
create mode 100644 bottlerocket/docs/permissions/vsphere-k8s-cluster-resource-agent.json
diff --git a/bottlerocket/docs/permissions/MINIMAL-PERMISSIONS.md b/bottlerocket/docs/permissions/MINIMAL-PERMISSIONS.md
new file mode 100644
index 00000000..eeee1662
--- /dev/null
+++ b/bottlerocket/docs/permissions/MINIMAL-PERMISSIONS.md
@@ -0,0 +1,121 @@
+# Minimal IAM Permission Map
+
+This doc maps each manifest in [samples](../../samples) to the minimal IAM permissions needed to create and run the test and resources.
+
+The policies can be created using the [aws cli create-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy.html) command and attached to a role using [aws iam attach-role-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-role-policy.html).
+
+## Without iam:CreateRole Permission
+
+These policies do not include the `iam:CreateRole` permission.
+
+In order for the resources and tests to be created as desired, the ARN of an existing role should be provided instead.
+
+- For ECS clusters, this can be accomplished by adding a field `iamInstanceProfileName` to the ECS cluster config, the value of which is the ARN of a role with at least these permissions: [ecs-iam-instance-profile.json](./ecs-iam-instance-profile.json).
+
+- For EKS clusters, this can be accomplished by replacing the `clusterName`, `region`, and `version` fields with an `encodedConfig` field in the EKS cluster config.
+This field's value should be a string representing a base64-encoded EKS cluster config, an example of which can be found [here](./eksctl-config.yaml).
+This config should contain the ARNs of an existing service role and an existing node instance role with at least these permissions: [eks-service-role.json](./eks-service-role.json) and [eks-node-instance-role.json](./eks-node-instance-role.json).
+
+### ECS Test
+
+- ecs-test-agent: [ecs-test-agent.json](./ecs-test-agent.json)
+- ecs-resource-agent: [ecs-resource-agent.json](./ecs-resource-agent-no-create-role.json)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-ecs-cluster.json)
+
+### ECS Migration Test
+
+- ecs-test-agent: [ecs-test-agent.json](./ecs-test-agent.json)
+- migration-test-agent: [migration-test-agent.json](./migration-test-agent-ecs-cluster.json)
+- ecs-resource-agent: [ecs-resource-agent.json](./ecs-resource-agent-no-create-role.json)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-ecs-cluster.json)
+
+### ECS Workload Test
+
+- ecs-workload-agent: [ecs-workload-agent.json](./ecs-workload-agent.json)
+- ecs-resource-agent: [ecs-resource-agent.json](./ecs-resource-agent-no-create-role.json)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-ecs-cluster.json)
+
+### Sonobuoy Test
+
+- sonobuoy-test-agent: [sonobuoy-test-agent.json](./sonobuoy-test-agent.json)
+- eks-resource-agent: [eks-resource-agent.json](./eks-resource-agent-no-create-role.json) (if cluster should be created)
+ [eks-resource-agent-existing-cluster.json](./eks-resource-agent-existing-cluster.json) (if cluster already exists)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-eks-cluster.json)
+
+### Sonobuoy Migration Test
+
+- sonobuoy-test-agent: [sonobuoy-test-agent.json](./sonobuoy-test-agent.json)
+- migration-test-agent: [migration-test-agent.json](./migration-test-agent-eks-cluster.json)
+- eks-resource-agent: [eks-resource-agent.json](./eks-resource-agent-no-create-role.json) (if cluster should be created)
+ [eks-resource-agent-existing-cluster.json](./eks-resource-agent-existing-cluster.json) (if cluster already exists)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-eks-cluster.json)
+
+### K8S Workload Test
+
+- k8s-workload-agent: [k8s-workload-agent.json](./k8s-workload-agent.json)
+- eks-resource-agent: [eks-resource-agent.json](./eks-resource-agent-no-create-role.json) (if cluster should be created)
+ [eks-resource-agent-existing-cluster.json](./eks-resource-agent-existing-cluster.json) (if cluster already exists)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-eks-cluster.json)
+
+### Vmware Sonobuoy Test
+
+TODO
+
+### Vmware Migration Test
+
+TODO
+
+## With iam:CreateRole Permission
+
+Some of these policies include the `iam:CreateRole` permission.
+
+_Note_: This is considered dangerous because there is no limit to the permissions and policies that can be assigned to the role created this way, so this new role could end up with `Administrator` privileges.
+
+### ECS Test
+
+- ecs-test-agent: [ecs-test-agent.json](./ecs-test-agent.json)
+- ecs-resource-agent: [ecs-resource-agent.json](./ecs-resource-agent-create-role.json)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-ecs-cluster.json)
+
+### ECS Migration Test
+
+- ecs-test-agent: [ecs-test-agent.json](./ecs-test-agent.json)
+- migration-test-agent: [migration-test-agent.json](./migration-test-agent-ecs-cluster.json)
+- ecs-resource-agent: [ecs-resource-agent.json](./ecs-resource-agent-create-role.json)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-ecs-cluster.json)
+
+### ECS Workload Test
+
+- ecs-workload-agent: [ecs-workload-agent.json](./ecs-workload-agent.json)
+- ecs-resource-agent: [ecs-resource-agent.json](./ecs-resource-agent-create-role.json)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-ecs-cluster.json)
+
+### Sonobuoy Test
+
+- sonobuoy-test-agent: [sonobuoy-test-agent.json](./sonobuoy-test-agent.json)
+- eks-resource-agent: [eks-resource-agent.json](./eks-resource-agent-create-cluster.json) (if cluster should be created)
+ [eks-resource-agent-existing-cluster.json](./eks-resource-agent-existing-cluster.json) (if cluster already exists)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-eks-cluster.json)
+
+### Sonobuoy Migration Test
+
+- sonobuoy-test-agent: [sonobuoy-test-agent.json](./sonobuoy-test-agent.json)
+- migration-test-agent: [migration-test-agent.json](./migration-test-agent-eks-cluster.json)
+- eks-resource-agent: [eks-resource-agent.json](./eks-resource-agent-create-cluster.json) (if cluster should be created)
+ [eks-resource-agent-existing-cluster.json](./eks-resource-agent-existing-cluster.json) (if cluster already exists)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-eks-cluster.json)
+
+### K8S Workload Test
+
+- k8s-workload-agent: [k8s-workload-agent.json](./k8s-workload-agent.json)
+- eks-resource-agent: [eks-resource-agent.json](./eks-resource-agent-create-cluster.json) (if cluster should be created)
+ [eks-resource-agent-existing-cluster.json](./eks-resource-agent-existing-cluster.json) (if cluster already exists)
+- ec2-resource-agent: [ec2-resource-agent.json](./ec2-resource-agent-eks-cluster.json)
+
+### Vmware Sonobuoy Test
+
+TODO
+
+### Vmware Migration Test
+
+TODO
diff --git a/bottlerocket/docs/permissions/ec2-resource-agent-ecs-cluster.json b/bottlerocket/docs/permissions/ec2-resource-agent-ecs-cluster.json
new file mode 100644
index 00000000..d40288e0
--- /dev/null
+++ b/bottlerocket/docs/permissions/ec2-resource-agent-ecs-cluster.json
@@ -0,0 +1,54 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DescribeInstanceStatus"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:RunInstances",
+ "ec2:TerminateInstances"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:instance/${InstanceId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:security-group/${SecurityGroupId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:subnet/${SubnetId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:volume/${VolumeId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}::image/${ImageId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecs:DeregisterContainerInstance",
+ "ecs:ListContainerInstances"
+ ],
+ "Resource": "arn:aws:ecs:${Region}:${Account}:cluster/${ClusterName}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/ec2-resource-agent-eks-cluster.json b/bottlerocket/docs/permissions/ec2-resource-agent-eks-cluster.json
new file mode 100644
index 00000000..3ebe068a
--- /dev/null
+++ b/bottlerocket/docs/permissions/ec2-resource-agent-eks-cluster.json
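Review bot: The `${Region}`, `${Account}`, `${InstanceId}` and similar tokens in every Resource ARN of this hunk are console-style placeholders rather than IAM policy variables, so a reader who attaches the file verbatim gets a policy whose resource ARNs never match; the same tokens appear in every JSON policy in this commit (ec2-resource-agent-eks-cluster.json and onward). For `ec2:RunInstances`/`ec2:TerminateInstances` the instance ID does not exist before the call, so the practical form is `"Resource": "arn:aws:ec2:${Region}:${Account}:instance/*"`, optionally narrowed with a tag condition, and MINIMAL-PERMISSIONS.md should say which tokens must be replaced and by what. Separately, if the agent launches instances with the instance profile the doc refers to (`iamInstanceProfileName` for ECS, the node instance role for EKS), RunInstances also needs `iam:PassRole` on that role, which neither ec2-resource-agent policy grants — worth confirming against an end-to-end run under exactly these policies.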
@@ -0,0 +1,46 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DescribeInstanceStatus"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:RunInstances",
+ "ec2:TerminateInstances"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:instance/${InstanceId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:security-group/${SecurityGroupId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:subnet/${SubnetId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:volume/${VolumeId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}::image/${ImageId}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/ecs-iam-instance-profile.json b/bottlerocket/docs/permissions/ecs-iam-instance-profile.json
new file mode 100644
index 00000000..0d74a99c
--- /dev/null
+++ b/bottlerocket/docs/permissions/ecs-iam-instance-profile.json
@@ -0,0 +1,30 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecs:DiscoverPollEndpoint",
+ "ssm:ListInstanceAssociations",
+ "ssm:UpdateInstanceInformation"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer"
+ ],
+ "Resource": "arn:aws:ecr:${Region}:${Account}:repository/${RepositoryName}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecs:RegisterContainerInstance",
+ "ecs:SubmitTaskStateChange"
+ ],
+ "Resource": "arn:aws:ecs:${Region}:${Account}:cluster/${ClusterName}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/ecs-resource-agent-create-role.json b/bottlerocket/docs/permissions/ecs-resource-agent-create-role.json
new file mode 100644
index 00000000..3c23262f
--- /dev/null
+++ b/bottlerocket/docs/permissions/ecs-resource-agent-create-role.json
@@ -0,0 +1,39 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ecs:CreateCluster"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecs:DeleteCluster",
+ "ecs:ListContainerInstances"
+ ],
+ "Resource": "arn:aws:ecs:${Region}:${Account}:cluster/${ClusterName}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:AddRoleToInstanceProfile",
+ "iam:CreateInstanceProfile",
+ "iam:GetInstanceProfile"
+ ],
+ "Resource": "arn:aws:iam::${Account}:instance-profile/${InstanceProfileNameWithPath}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:AttachRolePolicy",
+ "iam:CreateRole"
+ ],
+ "Resource": "arn:aws:iam::${Account}:role/${RoleNameWithPath}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/ecs-resource-agent-no-create-role.json b/bottlerocket/docs/permissions/ecs-resource-agent-no-create-role.json
new file mode 100644
index 00000000..42269591
--- /dev/null
+++ b/bottlerocket/docs/permissions/ecs-resource-agent-no-create-role.json
@@ -0,0 +1,27 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ecs:CreateCluster"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecs:DeleteCluster",
+ "ecs:ListContainerInstances"
+ ],
+ "Resource": "arn:aws:ecs:${Region}:${Account}:cluster/${ClusterName}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "iam:GetInstanceProfile",
+ "Resource": "arn:aws:iam::${Account}:instance-profile/${InstanceProfileNameWithPath}"
+ }
+ ]
+}
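Review bot: The last statement of ecs-resource-agent-create-role.json grants `iam:CreateRole` and `iam:AttachRolePolicy` on `role/${RoleNameWithPath}` with no Condition, so the holder can create a role with any trust policy and attach any managed policy to it — exactly the escalation the "_Note_" in MINIMAL-PERMISSIONS.md warns about, but it can be bounded in the policy itself rather than only warned about. Splitting the statement and adding `iam:PermissionsBoundary` to CreateRole and `iam:PolicyARN` to AttachRolePolicy caps what the created role can ever hold to the boundary policy and restricts attachments to the instance-role policy the doc already describes. The same applies to the role statement in eks-resource-agent-create-cluster.json (the hunk ending on L15), which additionally grants `iam:PutRolePolicy`; the boundary condition is what covers inline policies there.
```json
{
  "Effect": "Allow",
  "Action": "iam:CreateRole",
  "Resource": "arn:aws:iam::${Account}:role/${RoleNameWithPath}",
  "Condition": {
    "StringEquals": { "iam:PermissionsBoundary": "<BOUNDARY_POLICY_ARN — placeholder, the boundary policy for agent-created roles>" }
  }
},
{
  "Effect": "Allow",
  "Action": "iam:AttachRolePolicy",
  "Resource": "arn:aws:iam::${Account}:role/${RoleNameWithPath}",
  "Condition": {
    "ArnEquals": { "iam:PolicyARN": "<INSTANCE_ROLE_POLICY_ARN — placeholder, the policy created from ecs-iam-instance-profile.json>" }
  }
}
```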
diff --git a/bottlerocket/docs/permissions/ecs-test-agent.json b/bottlerocket/docs/permissions/ecs-test-agent.json
new file mode 100644
index 00000000..78f96682
--- /dev/null
+++ b/bottlerocket/docs/permissions/ecs-test-agent.json
@@ -0,0 +1,25 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "ecs:DescribeTaskDefinition",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ecs:DescribeClusters",
+ "Resource": "arn:aws:ecs:${Region}:${Account}:cluster/${ClusterName}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ecs:RunTask",
+ "Resource": "arn:aws:ecs:${Region}:${Account}:task-definition/${TaskDefinitionFamilyName}:${TaskDefinitionRevisionNumber}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ecs:DescribeTasks",
+ "Resource": "arn:aws:ecs:${Region}:${Account}:task/${ClusterName}/${TaskId}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/ecs-workload-agent.json b/bottlerocket/docs/permissions/ecs-workload-agent.json
new file mode 100644
index 00000000..b70a13c6
--- /dev/null
+++ b/bottlerocket/docs/permissions/ecs-workload-agent.json
@@ -0,0 +1,28 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecs:DescribeTaskDefinition",
+ "ecs:ListTaskDefinitions"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ecs:DescribeClusters",
+ "Resource": "arn:aws:ecs:${Region}:${Account}:cluster/${ClusterName}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ecs:RunTask",
+ "Resource": "arn:aws:ecs:${Region}:${Account}:task-definition/${TaskDefinitionFamilyName}:${TaskDefinitionRevisionNumber}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ecs:DescribeTasks",
+ "Resource": "arn:aws:ecs:${Region}:${Account}:task/${ClusterName}/${TaskId}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/eks-node-instance-role.json b/bottlerocket/docs/permissions/eks-node-instance-role.json
new file mode 100644
index 00000000..197bbf57
--- /dev/null
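Review bot: `ecs:RunTask` in ecs-test-agent.json (and the identical statement in ecs-workload-agent.json on this line) is granted only on the task-definition ARN; if the task definition the tests register declares a task role or execution role, RunTask also requires `iam:PassRole` on those roles, and neither policy grants it. I cannot tell from this commit whether the test task definitions carry roles, so this is a check to run rather than a certain omission; if they do, add a statement such as `"Action": "iam:PassRole", "Resource": "arn:aws:iam::${Account}:role/<TASK_OR_EXECUTION_ROLE — placeholder>"` with an `iam:PassedToService` condition of `ecs-tasks.amazonaws.com`. The `task/${ClusterName}/${TaskId}` resource for `ecs:DescribeTasks` has the same issue as the instance ID in the ec2 policies: the task ID is not known before RunTask, so `task/${ClusterName}/*` is the usable form.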
+++ b/bottlerocket/docs/permissions/eks-node-instance-role.json
@@ -0,0 +1,46 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ecr:GetAuthorizationToken",
+ "ssm:ListInstanceAssociations",
+ "ssm:UpdateInstanceInformation",
+ "sts:GetCallerIdentity"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:AttachNetworkInterface",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:instance/${InstanceId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AssignPrivateIpAddresses",
+ "ec2:AttachNetworkInterface",
+ "ec2:CreateNetworkInterface",
+ "ec2:ModifyNetworkInterfaceAttribute"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:CreateNetworkInterface",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:subnet/${SubnetId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer"
+ ],
+ "Resource": "arn:aws:ecr:${Region}:${Account}:repository/${RepositoryName}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/eks-resource-agent-create-cluster.json b/bottlerocket/docs/permissions/eks-resource-agent-create-cluster.json
new file mode 100644
index 00000000..0f06db73
--- /dev/null
+++ b/bottlerocket/docs/permissions/eks-resource-agent-create-cluster.json
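Review bot: `ec2:CreateTags` on `"Resource": "*"` in the first statement lets every node in the group tag any EC2 resource in the account, and this is the role that runs on the workers rather than on the operator's machine. The network-interface grants later in the file suggest the only tagging the node performs is on the ENIs it creates, in which case the action can be moved to a `network-interface/*` statement with `"Condition": {"StringEquals": {"ec2:CreateAction": "CreateNetworkInterface"}}` — confirm against what the CNI actually tags before narrowing. The doc presents this file as what the node instance role needs "at least", but says nothing about its trust policy (presumably the EC2 service principal); one sentence in MINIMAL-PERMISSIONS.md would stop a reader from creating a role that instances cannot assume.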
@@ -0,0 +1,188 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cloudformation:ListStacks",
+ "ec2:CreateTags",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeImages",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeLaunchTemplates",
+ "ec2:DescribeNatGateways",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ec2:DisassociateRouteTable",
+ "ec2:ReleaseAddress",
+ "eks:CreateCluster",
+ "sts:GetCallerIdentity"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cloudformation:CreateStack",
+ "cloudformation:DeleteStack",
+ "cloudformation:DescribeStacks"
+ ],
+ "Resource": "arn:aws:cloudformation:${Region}:${Account}:stack/${StackName}/${Id}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:AllocateAddress",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:elastic-ip/${AllocationId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:instance/${InstanceId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachInternetGateway",
+ "ec2:CreateInternetGateway",
+ "ec2:DeleteInternetGateway",
+ "ec2:DetachInternetGateway"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateLaunchTemplate",
+ "ec2:DeleteLaunchTemplate"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateNatGateway",
+ "ec2:DeleteNatGateway"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:natgateway/${NatGatewayId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AssociateRouteTable",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:route-table/${RouteTableId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateSecurityGroup",
+ "ec2:DeleteSecurityGroup",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:RunInstances"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:security-group/${SecurityGroupId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateNatGateway",
+ "ec2:CreateSubnet",
+ "ec2:DeleteSubnet",
+ "ec2:ModifySubnetAttribute",
+ "ec2:RunInstances"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:subnet/${SubnetId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:volume/${VolumeId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachInternetGateway",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSubnet",
+ "ec2:CreateVpc",
+ "ec2:DeleteVpc",
+ "ec2:DetachInternetGateway",
+ "ec2:ModifyVpcAttribute"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:vpc/${VpcId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}::image/${ImageId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "eks:DeleteAddon",
+ "Resource": "arn:aws:eks:${Region}:${Account}:addon/${ClusterName}/${AddonName}/${UUID}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "eks:DeleteCluster",
+ "eks:DescribeCluster",
+ "eks:ListFargateProfiles"
+ ],
+ "Resource": "arn:aws:eks:${Region}:${Account}:cluster/${ClusterName}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:AddRoleToInstanceProfile",
+ "iam:CreateInstanceProfile",
+ "iam:DeleteInstanceProfile",
+ "iam:GetInstanceProfile",
+ "iam:RemoveRoleFromInstanceProfile"
+ ],
+ "Resource": "arn:aws:iam::${Account}:instance-profile/${InstanceProfileNameWithPath}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "iam:GetOpenIDConnectProvider",
+ "Resource": "arn:aws:iam::${Account}:oidc-provider/${OidcProviderName}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:AttachRolePolicy",
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:ListInstanceProfilesForRole",
+ "iam:PutRolePolicy",
+ "sts:AssumeRole"
+ ],
+ "Resource": "arn:aws:iam::${Account}:role/${RoleNameWithPath}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ssm:GetParameter",
+ "Resource": "arn:aws:ssm:${Region}:${Account}:parameter/${ParameterNameWithoutLeadingSlash}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/eks-resource-agent-existing-cluster.json b/bottlerocket/docs/permissions/eks-resource-agent-existing-cluster.json
new file mode 100644
index 00000000..a9d7bff5
--- /dev/null
+++ b/bottlerocket/docs/permissions/eks-resource-agent-existing-cluster.json
@@ -0,0 +1,27 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "sts:GetCallerIdentity"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "eks:DescribeCluster",
+ "Resource": "arn:aws:eks:${Region}:${Account}:cluster/${ClusterName}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListInstanceProfilesForRole",
+ "sts:AssumeRole"
+ ],
+ "Resource": "arn:aws:iam::${Account}:role/${RoleNameWithPath}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/eks-resource-agent-no-create-role.json b/bottlerocket/docs/permissions/eks-resource-agent-no-create-role.json
new file mode 100644
index 00000000..4e40307c
--- /dev/null
+++ b/bottlerocket/docs/permissions/eks-resource-agent-no-create-role.json
@@ -0,0 +1,181 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cloudformation:ListStacks",
+ "ec2:CreateTags",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeImages",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeLaunchTemplates",
+ "ec2:DescribeNatGateways",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ec2:DisassociateRouteTable",
+ "ec2:ReleaseAddress",
+ "eks:CreateCluster",
+ "eks:DescribeAddonVersions",
+ "sts:GetCallerIdentity"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cloudformation:CreateStack",
+ "cloudformation:DeleteStack",
+ "cloudformation:DescribeStacks"
+ ],
+ "Resource": "arn:aws:cloudformation:${Region}:${Account}:stack/${StackName}/${Id}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:AllocateAddress",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:elastic-ip/${AllocationId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:instance/${InstanceId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachInternetGateway",
+ "ec2:CreateInternetGateway",
+ "ec2:DeleteInternetGateway",
+ "ec2:DetachInternetGateway"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateLaunchTemplate",
+ "ec2:DeleteLaunchTemplate"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateNatGateway",
+ "ec2:DeleteNatGateway"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:natgateway/${NatGatewayId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AssociateRouteTable",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:route-table/${RouteTableId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateSecurityGroup",
+ "ec2:DeleteSecurityGroup",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:RunInstances"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:security-group/${SecurityGroupId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateNatGateway",
+ "ec2:CreateSubnet",
+ "ec2:DeleteSubnet",
+ "ec2:ModifySubnetAttribute",
+ "ec2:RunInstances"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:subnet/${SubnetId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}:${Account}:volume/${VolumeId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachInternetGateway",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSubnet",
+ "ec2:CreateVpc",
+ "ec2:DeleteVpc",
+ "ec2:DetachInternetGateway",
+ "ec2:ModifyVpcAttribute"
+ ],
+ "Resource": "arn:aws:ec2:${Region}:${Account}:vpc/${VpcId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:RunInstances",
+ "Resource": "arn:aws:ec2:${Region}::image/${ImageId}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "eks:DeleteAddon",
+ "eks:DescribeAddon"
+ ],
+ "Resource": "arn:aws:eks:${Region}:${Account}:addon/${ClusterName}/${AddonName}/${UUID}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "eks:CreateAddon",
+ "eks:DeleteCluster",
+ "eks:DescribeCluster",
+ "eks:ListFargateProfiles"
+ ],
+ "Resource": "arn:aws:eks:${Region}:${Account}:cluster/${ClusterName}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateOpenIDConnectProvider",
+ "iam:DeleteOpenIDConnectProvider",
+ "iam:GetOpenIDConnectProvider"
+ ],
+ "Resource": "arn:aws:iam::${Account}:oidc-provider/${OidcProviderName}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeleteRole",
+ "iam:DetachRolePolicy",
+ "iam:GetRole",
+ "iam:ListInstanceProfilesForRole",
+ "sts:AssumeRole"
+ ],
+ "Resource": "arn:aws:iam::${Account}:role/${RoleNameWithPath}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ssm:GetParameter",
+ "Resource": "arn:aws:ssm:${Region}:${Account}:parameter/${ParameterNameWithoutLeadingSlash}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/eks-service-role.json b/bottlerocket/docs/permissions/eks-service-role.json
new file mode 100644
index 00000000..aeacdec6
--- /dev/null
+++ b/bottlerocket/docs/permissions/eks-service-role.json
@@ -0,0 +1,14 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/eksctl-config.yaml b/bottlerocket/docs/permissions/eksctl-config.yaml
new file mode 100644
index 00000000..ccfb89f4
--- /dev/null
+++ b/bottlerocket/docs/permissions/eksctl-config.yaml
@@ -0,0 +1,34 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+metadata:
+ name: "{{cluster-name}}"
+ version: "{{version}}"
+ region: "{{region}}"
+kubernetesNetworkConfig:
+ ipFamily: IPv4
+vpc:
+ clusterEndpoints:
+ publicAccess: true
+ privateAccess: true
+iam:
+ withOIDC: true
+ serviceRoleARN: arn:aws:iam:::role/eksctl-x86-64-aws-k8s-124-test-cluster-ServiceRole-...
+iamIdentityMappings:
+ - arn: arn:aws:iam:::role/testsysAdministratorRole
+ groups:
+ - system:masters
+ username: admin
+ noDuplicateARNs: true
+addons:
+ - name: vpc-cni
+ version: latest
+ - name: coredns
+ version: latest
+ - name: kube-proxy
+ version: latest
+nodeGroups:
+ - name: empty
+ desiredCapacity: 0
+ iam:
+ instanceRoleARN: "arn:aws:iam:::role/eksctl-x86-64-aws-k8s-124-test-cl-NodeInstanceRole-..."
+ instanceProfileARN: "arn:aws:iam:::instance-profile/eksctl-x86-64-aws-k8s-124-test-cluster-nodegroup-ng-4a91f189-NodeInstanceProfile-..."
diff --git a/bottlerocket/docs/permissions/k8s-workload-agent.json b/bottlerocket/docs/permissions/k8s-workload-agent.json
new file mode 100644
index 00000000..46350d66
--- /dev/null
+++ b/bottlerocket/docs/permissions/k8s-workload-agent.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "sts:GetCallerIdentity",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::${Account}:role/${RoleNameWithPath}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/migration-test-agent-ecs-cluster.json b/bottlerocket/docs/permissions/migration-test-agent-ecs-cluster.json
new file mode 100644
index 00000000..6f862537
--- /dev/null
+++ b/bottlerocket/docs/permissions/migration-test-agent-ecs-cluster.json
@@ -0,0 +1,22 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:DescribeInstanceInformation",
+ "ssm:ListCommandInvocations"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:CreateDocument",
+ "ssm:DescribeDocument",
+ "ssm:SendCommand"
+ ],
+ "Resource": "arn:aws:ssm:${Region}:${Account}:document/${DocumentName}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/migration-test-agent-eks-cluster.json b/bottlerocket/docs/permissions/migration-test-agent-eks-cluster.json
new file mode 100644
index 00000000..01f19de4
--- /dev/null
+++ b/bottlerocket/docs/permissions/migration-test-agent-eks-cluster.json
@@ -0,0 +1,21 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:DescribeInstanceInformation",
+ "ssm:ListCommandInvocations"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:DescribeDocument",
+ "ssm:SendCommand"
+ ],
+ "Resource": "arn:aws:ssm:${Region}:${Account}:document/${DocumentName}"
+ }
+ ]
+}
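Review bot: `ssm:SendCommand` in migration-test-agent-ecs-cluster.json (and in migration-test-agent-eks-cluster.json on this same line) is scoped only to `document/${DocumentName}`, but SendCommand is authorized against the target instances as well as the document, so with no instance resource in the policy the call is denied and the migration test cannot drive the nodes. Add a statement granting SendCommand on the instance ARNs — the IDs are not known in advance, so `instance/*` narrowed by a tag condition on the instances the ec2-resource-agent launches is the usual shape — and note in the doc that the instances must also be registered with SSM (the `ssm:UpdateInstanceInformation` grant in the instance-role policies is what makes that possible). The ECS variant also has `ssm:CreateDocument` with no `ssm:DeleteDocument`; if the agent removes its document on cleanup that will fail silently under this policy, which is worth confirming.
```json
{
  "Effect": "Allow",
  "Action": "ssm:SendCommand",
  "Resource": "arn:aws:ec2:${Region}:${Account}:instance/*",
  "Condition": {
    "StringEquals": { "aws:ResourceTag/<TAG_KEY — placeholder, the tag the ec2-resource-agent puts on test instances>": "<TAG_VALUE — placeholder>" }
  }
}
```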
diff --git a/bottlerocket/docs/permissions/sonobuoy-test-agent.json b/bottlerocket/docs/permissions/sonobuoy-test-agent.json
new file mode 100644
index 00000000..46350d66
--- /dev/null
+++ b/bottlerocket/docs/permissions/sonobuoy-test-agent.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "sts:GetCallerIdentity",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::${Account}:role/${RoleNameWithPath}"
+ }
+ ]
+}
diff --git a/bottlerocket/docs/permissions/vmware-vm-resource-agent.json b/bottlerocket/docs/permissions/vmware-vm-resource-agent.json
new file mode 100644
index 00000000..e69de29b
diff --git a/bottlerocket/docs/permissions/vsphere-k8s-cluster-resource-agent.json b/bottlerocket/docs/permissions/vsphere-k8s-cluster-resource-agent.json
new file mode 100644
index 00000000..e69de29b
diff --git a/bottlerocket/samples/RUNBOOK.md b/bottlerocket/samples/RUNBOOK.md
index 06742847..bd6a25e9 100644
--- a/bottlerocket/samples/RUNBOOK.md
+++ b/bottlerocket/samples/RUNBOOK.md
@@ -18,6 +18,8 @@ A list of the customizable variables can be found at the top of [Makefile.toml]( _Note_: `ASSUME_ROLE` can be assigned the ARN of an AWS IAM role that should be used for all AWS calls. +_Note_: For the minimal IAM permissions needed to create and run these tests, see [MINIMAL-PERMISSIONS.md](../docs/permissions/MINIMAL-PERMISSIONS.md). + ## Generating a test file A test file can be generated by executing a `cargo make create ` command.
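Review bot: sonobuoy-test-agent.json is byte-identical to k8s-workload-agent.json (both are blob 46350d66) and grants nothing but `sts:GetCallerIdentity` and `sts:AssumeRole` on `role/${RoleNameWithPath}`, so for these two agents the permissions that actually decide what the test can do live in the assumed role's policy and trust policy, which this commit does not document. A "minimal permissions" map should say what that role needs: a trust policy allowing the agent's principal, and the cluster access that comes from the `system:masters` identity mapping in eksctl-config.yaml rather than from any IAM action. Without that, a reader who attaches only this file and supplies a role that does not trust the agent gets an AssumeRole denial with no pointer to the cause; keeping the two files separate is fine, but a one-line comment in the doc noting they are intentionally the same would save a future diff-reading.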