

Merge pull request #16412 from orbit-online/tighten-cert-manager-aws-…
…permissions

aws/cert-manager: Tighten IAM permissions for cert-manager
k8s-ci-robot committed Mar 19, 2024
2 parents db26ad5 + a902f9e commit 305e9b2
Showing 1 changed file with 16 additions and 4 deletions.
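--- a/pkg/model/components/addonmanifests/certmanager/iam.go
+++ b/pkg/model/components/addonmanifests/certmanager/iam.go
@@ -56,11 +56,23 @@ func addCertManagerPermissions(b *iam.PolicyBuilder, p *iam.Policy) {
 }
 
 p.Statement = append(p.Statement, &iam.Statement{
-Effect: iam.StatementEffectAllow,
-Action: stringorset.Of("route53:ChangeResourceRecordSets",
-"route53:ListResourceRecordSets",
-),
+Effect: iam.StatementEffectAllow,
+Action: stringorset.Of("route53:ListResourceRecordSets"),
 Resource: stringorset.Set(zoneResources),
 })
 
+p.Statement = append(p.Statement, &iam.Statement{
+Effect: iam.StatementEffectAllow,
+Action: stringorset.Of("route53:ChangeResourceRecordSets"),
+Resource: stringorset.Set(zoneResources),
+Condition: iam.Condition{
+"ForAllValues:StringLike": map[string]interface{}{
+"route53:ChangeResourceRecordSetsNormalizedRecordNames": []string{"_acme-challenge.*"},
+},
+"ForAllValues:StringEquals": map[string]interface{}{
+"route53:ChangeResourceRecordSetsRecordTypes": []string{"TXT"},
+},
+},
+})
+
 p.Statement = append(p.Statement, &iam.Statement{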
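Review bot: The `ForAllValues:StringLike` and `ForAllValues:StringEquals` operators in the new Condition block evaluate to true when the request context carries no value for the key, so the statement should additionally pin both keys as present with a `Null` condition instead of relying on the set operators alone. With the keys present, the `TXT` constraint on `route53:ChangeResourceRecordSetsRecordTypes` rejects any change batch containing a non-TXT record and the `_acme-challenge.*` pattern limits writes to ACME challenge names, which is the intended scope for DNS-01. A short comment above the second statement, e.g. `// ChangeResourceRecordSets gets its own statement because the record-name/record-type condition keys apply only to that action`, would explain why ListResourceRecordSets was split out. addCertManagerPermissions begins and ends outside this hunk.
```go
Condition: iam.Condition{
	// … unchanged: ForAllValues:StringLike / ForAllValues:StringEquals entries …
	// Require both keys to be present; ForAllValues matches vacuously on an absent key.
	"Null": map[string]interface{}{
		"route53:ChangeResourceRecordSetsNormalizedRecordNames": "false",
		"route53:ChangeResourceRecordSetsRecordTypes":           "false",
	},
},
```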
