@@ -1023,12 +1023,24 @@ func AddAWSLoadbalancerControllerPermissions(p *Policy, enableWAF, enableWAFv2,
10231023 "elasticloadbalancing:SetSecurityGroups" ,
10241024 "elasticloadbalancing:SetSubnets" ,
10251025 )
1026- p .clusterTaggedCreateAction .Insert (
1027- "elasticloadbalancing:CreateListener" ,
1028- "elasticloadbalancing:CreateLoadBalancer" ,
1029- "elasticloadbalancing:CreateRule" ,
1030- "elasticloadbalancing:CreateTargetGroup" ,
1031- )
1026+ // LBC only includes the elbv2.k8s.aws/cluster tag in the create request.
1027+ // KubernetesCluster and other tags are applied separately via AddTags,
1028+ // So aws:RequestTag must reference the elbv2.k8s.aws/cluster tag.
1029+ p .Statement = append (p .Statement , & Statement {
1030+ Effect : StatementEffectAllow ,
1031+ Action : stringorset .Of (
1032+ "elasticloadbalancing:CreateListener" ,
1033+ "elasticloadbalancing:CreateLoadBalancer" ,
1034+ "elasticloadbalancing:CreateRule" ,
1035+ "elasticloadbalancing:CreateTargetGroup" ,
1036+ ),
1037+ Resource : stringorset .String ("*" ),
1038+ Condition : Condition {
1039+ "StringEquals" : map [string ]string {
1040+ "aws:RequestTag/elbv2.k8s.aws/cluster" : p .clusterName ,
1041+ },
1042+ },
1043+ })
10321044 p .unconditionalAction .Insert (
10331045 "elasticloadbalancing:SetRulePriorities" ,
10341046 )
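Review bot: The appended Statement (new lines 1029–1043) puts `elasticloadbalancing:CreateListener` and `elasticloadbalancing:CreateRule` under the same `aws:RequestTag/elbv2.k8s.aws/cluster` StringEquals condition as CreateLoadBalancer and CreateTargetGroup; if the controller does not send that tag on listener/rule creation (the upstream load-balancer-controller reference policy, as I recall, grants those two actions without a RequestTag condition), the policy will deny them, so the comment's claim about what the create request carries should be verified against the controller version kops deploys, and the two actions split into a separate statement if it does not hold. Pinning the tag value to `p.clusterName` is stricter than the upstream `Null: false` check and is the right least-privilege choice only if the controller's cluster-name flag is set to exactly that value; that coupling is worth stating in the comment. Minor: the comment capitalises mid-sentence, `// so aws:RequestTag must reference the elbv2.k8s.aws/cluster tag.`, and could add `// StringEquals on the cluster name is deliberately stricter than upstream's Null:false check.`. AddAWSLoadbalancerControllerPermissions begins before and continues after this hunk.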