From 1fb77b281bf30458527bee85cffcdc557bf6cb6f Mon Sep 17 00:00:00 2001
From: Federico Bonfigli
Date: Mon, 4 May 2026 10:45:22 +0200
Subject: [PATCH] feat(aws): add SetSecurityGroups permission for BYO security groups on NLB

Adds SetSecurityGroups IAM permission required to support the new AWS CCM feature that adds support for BYO Security Groups on AWS Network Load Balancers.
---
 cmd/infra/aws/delegating_client.go | 3 +++
 cmd/infra/aws/delegatingclientgenerator/main.go | 1 +
 cmd/infra/aws/iam.go | 5 ++++-
 docs/content/reference/aggregated-docs.md | 1 +
 docs/content/reference/infrastructure/aws.md | 1 +
 support/awsapi/elasticloadbalancingv2.go | 1 +
 6 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/cmd/infra/aws/delegating_client.go b/cmd/infra/aws/delegating_client.go
index 2ec5c174334..57a1715531e 100644
--- a/cmd/infra/aws/delegating_client.go
+++ b/cmd/infra/aws/delegating_client.go
@@ -547,6 +547,9 @@ func (c *elasticloadbalancingv2Client) ModifyTargetGroupAttributes(ctx context.C
 func (c *elasticloadbalancingv2Client) RegisterTargets(ctx context.Context, input *elasticloadbalancingv2.RegisterTargetsInput, optFns ...func(*elasticloadbalancingv2.Options)) (*elasticloadbalancingv2.RegisterTargetsOutput, error) {
 	return c.cloudController.elasticloadbalancingv2Client.RegisterTargets(ctx, input, optFns...)
 }
+func (c *elasticloadbalancingv2Client) SetSecurityGroups(ctx context.Context, input *elasticloadbalancingv2.SetSecurityGroupsInput, optFns ...func(*elasticloadbalancingv2.Options)) (*elasticloadbalancingv2.SetSecurityGroupsOutput, error) {
+	return c.cloudController.elasticloadbalancingv2Client.SetSecurityGroups(ctx, input, optFns...)
+}
 
 // route53Client delegates to individual component clients for API calls we know those components will have privileges to make.
 type route53Client struct {
diff --git a/cmd/infra/aws/delegatingclientgenerator/main.go b/cmd/infra/aws/delegatingclientgenerator/main.go
index 457728cc8f4..3f82565dc82 100644
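Review bot: The new `SetSecurityGroups` method is inserted directly after the closing brace of `RegisterTargets` with no blank line, while the blank context line before the `route53Client` comment suggests the declarations in this file are otherwise separated by one; gofmt will not flag this because it never inserts blank lines between declarations. If delegating_client.go is the output of the delegatingclientgenerator that this same commit changes, the file should be regenerated rather than hand-edited so the spacing and ordering come from the template; if it is hand-maintained, add the blank line before `+func (c *elasticloadbalancingv2Client) SetSecurityGroups(`. Delegating to `c.cloudController` is consistent with the neighbouring `RegisterTargets`, but the delegate name for the set edited in main.go is outside its hunk, so I could not confirm the two agree.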
--- a/cmd/infra/aws/delegatingclientgenerator/main.go
+++ b/cmd/infra/aws/delegatingclientgenerator/main.go
@@ -308,6 +308,7 @@ func adjustAPIs(delegates aws.ServicesByDelegate) aws.ServicesByDelegate {
 			"ModifyListener",
 			"ModifyTargetGroup",
 			"ModifyTargetGroupAttributes",
+			"SetSecurityGroups",
 		),
 		"elasticloadbalancingv2": sets.New(
 			"ApplySecurityGroupsToLoadBalancer",
diff --git a/cmd/infra/aws/iam.go b/cmd/infra/aws/iam.go
index 2100dfa0f4b..ecf71cdeee9 100644
--- a/cmd/infra/aws/iam.go
+++ b/cmd/infra/aws/iam.go
@@ -214,6 +214,7 @@ var (
 				"elasticloadbalancing:ModifyTargetGroup",
 				"elasticloadbalancing:RegisterTargets",
 				"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+				"elasticloadbalancing:SetSecurityGroups",
 				"iam:CreateServiceLinkedRole",
 				"kms:DescribeKey"
 			],
@@ -936,6 +937,7 @@ func (o *CreateIAMOptions) CreateOIDCResources(ctx context.Context, iamClient aw
 	// The permissions are:
 	// - elasticloadbalancing:DescribeTargetGroupAttributes
 	// - elasticloadbalancing:ModifyTargetGroupAttributes
+	// - elasticloadbalancing:SetSecurityGroups
 	//
 	// https://issues.redhat.com/browse/OCPBUGS-65885
 	//
@@ -946,7 +948,8 @@ func (o *CreateIAMOptions) CreateOIDCResources(ctx context.Context, iamClient aw
 			"Effect": "Allow",
 			"Action": [
 				"elasticloadbalancing:DescribeTargetGroupAttributes",
-				"elasticloadbalancing:ModifyTargetGroupAttributes"
+				"elasticloadbalancing:ModifyTargetGroupAttributes",
+				"elasticloadbalancing:SetSecurityGroups"
 			],
 			"Resource": "*"
 		}`
diff --git a/docs/content/reference/aggregated-docs.md b/docs/content/reference/aggregated-docs.md
index 9ef5da72720..d1c890001ee 100644
--- a/docs/content/reference/aggregated-docs.md
+++ b/docs/content/reference/aggregated-docs.md
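Review bot: `elasticloadbalancing:SetSecurityGroups` is granted on `"Resource": "*"` in the iam.go hunk at line 948, and the hunk at line 214 adds the same action to a policy whose Resource element is outside the hunk. SetSecurityGroups replaces the whole security-group set on a load balancer, so a principal holding it can loosen or strip the ingress rules of any ELBv2 load balancer in the account, not only those the cloud controller created. Keeping it on `*` matches the neighbouring ELB actions, but this action supports resource-level permissions, so scoping it to the cluster's load balancers by ARN or by a resource-tag condition matching how the cluster tags them would bound what a leaked controller credential can change; at minimum record in the policy comment which component calls it, since the commit message attributes it to the AWS CCM. The `var (` block at line 214 and `CreateOIDCResources` at line 948 both start and end outside their hunks.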
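Review bot: The new bullet `// - elasticloadbalancing:SetSecurityGroups` in the iam.go hunk at line 937 sits under the existing reference to OCPBUGS-65885, which as the comment reads covers the two target-group-attribute permissions; the commit message ties SetSecurityGroups to the CCM BYO-security-groups feature instead, so a reader of this comment will attribute it to the wrong change. I would add one line after the bullet, e.g. `// SetSecurityGroups is needed by the AWS CCM's BYO security groups support for NLBs (see the commit adding it)`, or a separate link, so the two grants keep distinct justifications for later audits. The enclosing `CreateOIDCResources` starts and ends outside the hunk.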
@@ -50798,6 +50798,7 @@ And these are samples for each one of the roles Hypershift uses:
             "elasticloadbalancing:ModifyTargetGroupAttributes",
             "elasticloadbalancing:RegisterTargets",
             "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+            "elasticloadbalancing:SetSecurityGroups",
             "iam:CreateServiceLinkedRole",
             "kms:DescribeKey"
         ],
diff --git a/docs/content/reference/infrastructure/aws.md b/docs/content/reference/infrastructure/aws.md
index 012aab2ab11..2d7757095ca 100644
--- a/docs/content/reference/infrastructure/aws.md
+++ b/docs/content/reference/infrastructure/aws.md
@@ -508,6 +508,7 @@ And these are samples for each one of the roles Hypershift uses:
             "elasticloadbalancing:ModifyTargetGroupAttributes",
             "elasticloadbalancing:RegisterTargets",
             "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+            "elasticloadbalancing:SetSecurityGroups",
             "iam:CreateServiceLinkedRole",
             "kms:DescribeKey"
         ],
diff --git a/support/awsapi/elasticloadbalancingv2.go b/support/awsapi/elasticloadbalancingv2.go
index 00a84585482..9ec96e76a57 100644
--- a/support/awsapi/elasticloadbalancingv2.go
+++ b/support/awsapi/elasticloadbalancingv2.go
@@ -36,6 +36,7 @@ type ELBV2API interface {
 	ModifyTargetGroup(ctx context.Context, input *elasticloadbalancingv2.ModifyTargetGroupInput, optFns ...func(*elasticloadbalancingv2.Options)) (*elasticloadbalancingv2.ModifyTargetGroupOutput, error)
 	ModifyTargetGroupAttributes(ctx context.Context, input *elasticloadbalancingv2.ModifyTargetGroupAttributesInput, optFns ...func(*elasticloadbalancingv2.Options)) (*elasticloadbalancingv2.ModifyTargetGroupAttributesOutput, error)
 	RegisterTargets(ctx context.Context, input *elasticloadbalancingv2.RegisterTargetsInput, optFns ...func(*elasticloadbalancingv2.Options)) (*elasticloadbalancingv2.RegisterTargetsOutput, error)
+	SetSecurityGroups(ctx context.Context, input *elasticloadbalancingv2.SetSecurityGroupsInput, optFns ...func(*elasticloadbalancingv2.Options)) (*elasticloadbalancingv2.SetSecurityGroupsOutput, error)
 }
 
 // Ensure *elasticloadbalancingv2.Client implements ELBV2API
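Review bot: Adding `SetSecurityGroups` to the exported `ELBV2API` interface is a compile-breaking change for every other implementer, and the diffstat lists no test fake or mock for this interface, so either none exists in the repository or one will fail to build until it also gains the method; worth confirming before merge. The compile-time check that follows the hunk (`// Ensure *elasticloadbalancingv2.Client implements ELBV2API`) only covers the real SDK client. The signature mirrors the neighbouring methods and the SDK's `SetSecurityGroupsInput`/`SetSecurityGroupsOutput` types, so the shape itself looks right.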