Merge pull request #9207 from hakman/automated-cherry-pick-of-#9205-u…

…pstream-release-1.16 Automated cherry pick of #9205: Allow listing versions for objects in the S3 bucket
kubernetes · May 29, 2020 · 3c5e892 · 3c5e892
2 parents 348cc87 + 5bf6bb4
commit 3c5e892
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 7 deletions.
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
@@ -324,7 +324,12 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
 
 			p.Statement = append(p.Statement, &Statement{
 				Effect: StatementEffectAllow,
-				Action: stringorslice.Of("s3:GetBucketLocation", "s3:GetEncryptionConfiguration", "s3:ListBucket"),
+				Action: stringorslice.Of(
+					"s3:GetBucketLocation",
+					"s3:GetEncryptionConfiguration",
+					"s3:ListBucket",
+					"s3:ListBucketVersions",
+				),
 				Resource: stringorslice.Slice([]string{
 					strings.Join([]string{b.IAMPrefix(), ":s3:::", s3Path.Bucket()}, ""),
 				}),

diff --git a/pkg/model/iam/tests/iam_builder_master_legacy.json b/pkg/model/iam/tests/iam_builder_master_legacy.json
@@ -50,7 +50,8 @@
       "Action": [
         "s3:GetBucketLocation",
         "s3:GetEncryptionConfiguration",
-        "s3:ListBucket"
+        "s3:ListBucket",
+        "s3:ListBucketVersions"
       ],
       "Resource": [
         "arn:aws:s3:::kops-tests"

diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json
@@ -142,7 +142,8 @@
       "Action": [
         "s3:GetBucketLocation",
         "s3:GetEncryptionConfiguration",
-        "s3:ListBucket"
+        "s3:ListBucket",
+        "s3:ListBucketVersions"
       ],
       "Resource": [
         "arn:aws:s3:::kops-tests"

diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json
@@ -142,7 +142,8 @@
       "Action": [
         "s3:GetBucketLocation",
         "s3:GetEncryptionConfiguration",
-        "s3:ListBucket"
+        "s3:ListBucket",
+        "s3:ListBucketVersions"
       ],
       "Resource": [
         "arn:aws:s3:::kops-tests"

diff --git a/pkg/model/iam/tests/iam_builder_node_legacy.json b/pkg/model/iam/tests/iam_builder_node_legacy.json
@@ -16,7 +16,8 @@
       "Action": [
         "s3:GetBucketLocation",
         "s3:GetEncryptionConfiguration",
-        "s3:ListBucket"
+        "s3:ListBucket",
+        "s3:ListBucketVersions"
       ],
       "Resource": [
         "arn:aws:s3:::kops-tests"

diff --git a/pkg/model/iam/tests/iam_builder_node_strict.json b/pkg/model/iam/tests/iam_builder_node_strict.json
@@ -16,7 +16,8 @@
       "Action": [
         "s3:GetBucketLocation",
         "s3:GetEncryptionConfiguration",
-        "s3:ListBucket"
+        "s3:ListBucket",
+        "s3:ListBucketVersions"
       ],
       "Resource": [
         "arn:aws:s3:::kops-tests"

diff --git a/pkg/model/iam/tests/iam_builder_node_strict_ecr.json b/pkg/model/iam/tests/iam_builder_node_strict_ecr.json
@@ -16,7 +16,8 @@
       "Action": [
         "s3:GetBucketLocation",
         "s3:GetEncryptionConfiguration",
-        "s3:ListBucket"
+        "s3:ListBucket",
+        "s3:ListBucketVersions"
       ],
       "Resource": [
         "arn:aws:s3:::kops-tests"