Merge pull request #4577 from vincepri/s3-endpoint

When using an s3 bucket, add a vpc endpoint

Author: k8s-ci-robot

api/v1beta2/conditions_consts.go

@@ -87,6 +87,14 @@ const (
 	RouteTableReconciliationFailedReason = "RouteTableReconciliationFailed"
 )
 
+const (
+	// VpcEndpointsReadyCondition reports successful reconciliation of vpc endpoints.
+	// Only applicable to managed clusters.
+	VpcEndpointsReadyCondition clusterv1.ConditionType = "VpcEndpointsReadyCondition"
+	// VpcEndpointsReconciliationFailedReason used when any errors occur during reconciliation of vpc endpoints.
+	VpcEndpointsReconciliationFailedReason = "VpcEndpointsReconciliationFailed"
+)
+
 const (
 	// SecondaryCidrsReadyCondition reports successful reconciliation of secondary CIDR blocks.
 	// Only applicable to managed clusters.

cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go

@@ -102,7 +102,9 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"ec2:CreateSubnet",
 				"ec2:CreateTags",
 				"ec2:CreateVpc",
+				"ec2:CreateVpcEndpoint",
 				"ec2:ModifyVpcAttribute",
+				"ec2:ModifyVpcEndpoint",
 				"ec2:DeleteInternetGateway",
 				"ec2:DeleteEgressOnlyInternetGateway",
 				"ec2:DeleteNatGateway",
@@ -112,6 +114,7 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"ec2:DeleteSubnet",
 				"ec2:DeleteTags",
 				"ec2:DeleteVpc",
+				"ec2:DeleteVpcEndpoints",
 				"ec2:DescribeAccountAttributes",
 				"ec2:DescribeAddresses",
 				"ec2:DescribeAvailabilityZones",
@@ -129,6 +132,7 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"ec2:DescribeSubnets",
 				"ec2:DescribeVpcs",
 				"ec2:DescribeVpcAttribute",
+				"ec2:DescribeVpcEndpoints",
 				"ec2:DescribeVolumes",
 				"ec2:DescribeTags",
 				"ec2:DetachInternetGateway",

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml

@@ -161,7 +161,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -171,6 +173,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -188,6 +191,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml

@@ -161,7 +161,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -171,6 +173,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -188,6 +191,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml

@@ -167,7 +167,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -177,6 +179,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -194,6 +197,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml

@@ -161,7 +161,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -171,6 +173,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -188,6 +191,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml

@@ -167,7 +167,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -177,6 +179,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -194,6 +197,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml

@@ -167,7 +167,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -177,6 +179,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -194,6 +197,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml

@@ -161,7 +161,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -171,6 +173,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -188,6 +191,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml

@@ -161,7 +161,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -171,6 +173,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -188,6 +191,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml

@@ -161,7 +161,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -171,6 +173,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -188,6 +191,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml

@@ -161,7 +161,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -171,6 +173,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -188,6 +191,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml

@@ -161,7 +161,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -171,6 +173,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -188,6 +191,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml

@@ -167,7 +167,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -177,6 +179,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -194,6 +197,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml

@@ -161,7 +161,9 @@ Resources:
           - ec2:CreateSubnet
           - ec2:CreateTags
           - ec2:CreateVpc
+          - ec2:CreateVpcEndpoint
           - ec2:ModifyVpcAttribute
+          - ec2:ModifyVpcEndpoint
           - ec2:DeleteInternetGateway
           - ec2:DeleteEgressOnlyInternetGateway
           - ec2:DeleteNatGateway
@@ -171,6 +173,7 @@ Resources:
           - ec2:DeleteSubnet
           - ec2:DeleteTags
           - ec2:DeleteVpc
+          - ec2:DeleteVpcEndpoints
           - ec2:DescribeAccountAttributes
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
@@ -188,6 +191,7 @@ Resources:
           - ec2:DescribeSubnets
           - ec2:DescribeVpcs
           - ec2:DescribeVpcAttribute
+          - ec2:DescribeVpcEndpoints
           - ec2:DescribeVolumes
           - ec2:DescribeTags
           - ec2:DetachInternetGateway