Use elbv2 tag condition for all elasticloadbalancing actions

rifelpet · rifelpet · commit c97d4e62a712 · 2026-04-20T15:13:43.000-05:00
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
@@ -1001,28 +1001,41 @@ func AddAWSLoadbalancerControllerPermissions(p *Policy, enableWAF, enableWAFv2,
 		"ec2:AuthorizeSecurityGroupIngress", // aws.go
 		"ec2:DeleteSecurityGroup",           // aws.go
 		"ec2:RevokeSecurityGroupIngress",    // aws.go
-
-		"elasticloadbalancing:AddListenerCertificates",
-		"elasticloadbalancing:AddTags",
-		"elasticloadbalancing:DeleteListener",
-		"elasticloadbalancing:DeleteLoadBalancer",
-		"elasticloadbalancing:DeleteRule",
-		"elasticloadbalancing:DeleteTargetGroup",
-		"elasticloadbalancing:DeregisterTargets",
-		"elasticloadbalancing:ModifyCapacityReservation",
-		"elasticloadbalancing:ModifyListener",
-		"elasticloadbalancing:ModifyListenerAttributes",
-		"elasticloadbalancing:ModifyLoadBalancerAttributes",
-		"elasticloadbalancing:ModifyRule",
-		"elasticloadbalancing:ModifyTargetGroup",
-		"elasticloadbalancing:ModifyTargetGroupAttributes",
-		"elasticloadbalancing:RegisterTargets",
-		"elasticloadbalancing:RemoveListenerCertificates",
-		"elasticloadbalancing:RemoveTags",
-		"elasticloadbalancing:SetIpAddressType",
-		"elasticloadbalancing:SetSecurityGroups",
-		"elasticloadbalancing:SetSubnets",
 	)
+	// ELBv2 management actions: resources are tagged with elbv2.k8s.aws/cluster
+	// by the LBC tracking provider, not KubernetesCluster, so clusterTaggedAction
+	// (which uses aws:ResourceTag/KubernetesCluster) cannot be used here.
+	p.Statement = append(p.Statement, &Statement{
+		Effect: StatementEffectAllow,
+		Action: stringorset.Of(
+			"elasticloadbalancing:AddListenerCertificates",
+			"elasticloadbalancing:AddTags",
+			"elasticloadbalancing:DeleteListener",
+			"elasticloadbalancing:DeleteLoadBalancer",
+			"elasticloadbalancing:DeleteRule",
+			"elasticloadbalancing:DeleteTargetGroup",
+			"elasticloadbalancing:DeregisterTargets",
+			"elasticloadbalancing:ModifyCapacityReservation",
+			"elasticloadbalancing:ModifyListener",
+			"elasticloadbalancing:ModifyListenerAttributes",
+			"elasticloadbalancing:ModifyLoadBalancerAttributes",
+			"elasticloadbalancing:ModifyRule",
+			"elasticloadbalancing:ModifyTargetGroup",
+			"elasticloadbalancing:ModifyTargetGroupAttributes",
+			"elasticloadbalancing:RegisterTargets",
+			"elasticloadbalancing:RemoveListenerCertificates",
+			"elasticloadbalancing:RemoveTags",
+			"elasticloadbalancing:SetIpAddressType",
+			"elasticloadbalancing:SetSecurityGroups",
+			"elasticloadbalancing:SetSubnets",
+		),
+		Resource: stringorset.String("*"),
+		Condition: Condition{
+			"StringEquals": map[string]string{
+				"aws:ResourceTag/elbv2.k8s.aws/cluster": p.clusterName,
+			},
+		},
+	})
 	// LBC only includes the elbv2.k8s.aws/cluster tag in the create request.
 	// KubernetesCluster and other tags are applied separately via AddTags,
 	// So aws:RequestTag must reference the elbv2.k8s.aws/cluster tag.
