Merge pull request #687 from zalando-incubator/doc/acm-tagging

doc: add requirements for acm tagging
zalando-incubator · Mar 6, 2024 · 27774fa · 27774fa
2 parents 620c43c + 2989410
commit 27774fa
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -33,6 +33,8 @@ This information is used to manage AWS resources for each ingress objects of the
 - Support for AWS WAF and WAFv2
 - Support for AWS CNI pod direct access
 - Support for Kubernetes CRD [RouteGroup](https://opensource.zalando.com/skipper/kubernetes/routegroups/)
+- Support for zone aware traffic (enable and disable cross zone traffic `--nlb-cross-zone`)
+- Support for explicitly enable certificates by using certificate Tags `--cert-filter-tag=key=value`
 
 ## Upgrade
 

diff --git a/deploy/kops.md b/deploy/kops.md
@@ -57,6 +57,7 @@ kube-ingress-aws-controller, which we will use:
   "Effect": "Allow",
   "Action": [
     "acm:ListCertificates",
+    "acm:ListTagsForCertificate",
     "acm:GetCertificate",
     "acm:DescribeCertificate",
     "autoscaling:DescribeAutoScalingGroups",
@@ -77,6 +78,7 @@ kube-ingress-aws-controller, which we will use:
     "ec2:DescribeInternetGateways",
     "iam:GetServerCertificate",
     "iam:ListServerCertificates",
+    "iam:ListServerCertificateTags",
     "iam:CreateServiceLinkedRole"
   ],
   "Resource": [
@@ -101,6 +103,7 @@ and add this to your node policy:
           "Effect": "Allow",
           "Action": [
             "acm:ListCertificates",
+            "acm:ListTagsForCertificate",
             "acm:GetCertificate",
             "acm:DescribeCertificate",
             "autoscaling:DescribeAutoScalingGroups",
@@ -121,6 +124,7 @@ and add this to your node policy:
             "ec2:DescribeVpcs",
             "iam:GetServerCertificate",
             "iam:CreateServiceLinkedRole",
+            "iam:ListServerCertificateTags",
             "iam:ListServerCertificates"
           ],
           "Resource": ["*"]

diff --git a/deploy/requirements.md b/deploy/requirements.md
@@ -256,6 +256,11 @@ Please also note that the worker nodes will need the right permission to describ
         "Resource": "*",
         "Effect": "Allow"
     },
+    {
+        "Action": "acm:ListTagsForCertificate",
+        "Resource": "*",
+        "Effect": "Allow"
+    },
     {
         "Action": "acm:DescribeCertificate",
         "Resource": "*",
@@ -266,6 +271,11 @@ Please also note that the worker nodes will need the right permission to describ
         "Resource": "*",
         "Effect": "Allow"
     },
+    {
+        "Action": "iam:ListServerCertificateTags",
+        "Resource": "*",
+        "Effect": "Allow"
+    },
     {
         "Action": "iam:GetServerCertificate",
         "Resource": "*",