From 50b3e64d70eff1e69fc4da925f3ed952251ceb39 Mon Sep 17 00:00:00 2001
From: Brian Watson
Date: Wed, 17 Dec 2025 10:10:22 -0500
Subject: [PATCH 1/5] docs: updating velero snapshotting docs with cluster tag
---
 .../backup-and-restore/velero-cloud.md | 25 ++++++++++---------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/docs/reference/configuration/backup-and-restore/velero-cloud.md b/docs/reference/configuration/backup-and-restore/velero-cloud.md
index 32af737cf6..4b46c2253e 100644
--- a/docs/reference/configuration/backup-and-restore/velero-cloud.md
+++ b/docs/reference/configuration/backup-and-restore/velero-cloud.md
@@ -51,14 +51,15 @@ data "aws_iam_policy_document" "velero_policy" {
 resources = ["*"]
 }
+ # Replace in statements below with your EKS cluster name
 statement {
 effect = "Allow"
 actions = ["ec2:CreateVolume"]
 resources = ["*"]
 condition {
 test = "StringEquals"
- variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
- values = ["true"]
+ variable = "aws:RequestTag/kubernetes.io/cluster/"
+ values = ["owned"]
 }
 }
@@ -68,8 +69,8 @@ data "aws_iam_policy_document" "velero_policy" {
 resources = ["*"]
 condition {
 test = "StringEquals"
- variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
- values = ["true"]
+ variable = "aws:RequestTag/kubernetes.io/cluster/"
+ values = ["owned"]
 }
 }
@@ -79,8 +80,8 @@ data "aws_iam_policy_document" "velero_policy" {
 resources = ["*"]
 condition {
 test = "StringEquals"
- variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
- values = ["true"]
+ variable = "ec2:ResourceTag/kubernetes.io/cluster/"
+ values = ["owned"]
 }
 }
@@ -90,8 +91,8 @@ data "aws_iam_policy_document" "velero_policy" {
 resources = ["*"]
 condition {
 test = "StringEquals"
- variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
- values = ["true"]
+ variable = "ec2:ResourceTag/kubernetes.io/cluster/"
+ values = ["owned"]
 }
 }
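Review bot: The comment added at the top of the first hunk tells the reader to replace something "in statements below" but names no token, and every new `variable` in this and the following hunks of this patch ends at `kubernetes.io/cluster/` with nothing after it; copied as rendered, that condition key never equals a real `kubernetes.io/cluster/<name>` tag, so the `ec2:CreateVolume` and `ec2:CreateSnapshot` statements would deny. This page appears to strip angle-bracket text (the `From:` line has lost its address), so if the source carries a placeholder such as `<CLUSTER_NAME>` in both the comment and the keys this is moot; otherwise make the token explicit, e.g. `# Replace CLUSTER_NAME in the statements below with your EKS cluster name` and `variable = "aws:RequestTag/kubernetes.io/cluster/CLUSTER_NAME"`. It would also help to say in the surrounding prose which component applies `kubernetes.io/cluster/<name> = owned` to volumes, since the `ec2:ResourceTag`-gated statements silently deny for volumes that lack that tag. The enclosing `data "aws_iam_policy_document"` block starts before and ends after these hunks.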
@@ -101,13 +102,13 @@ data "aws_iam_policy_document" "velero_policy" {
 resources = ["*"]
 condition {
 test = "ForAllValues:StringEquals"
- variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
- values = ["true"]
+ variable = "aws:RequestTag/kubernetes.io/cluster/"
+ values = ["owned"]
 }
 condition {
 test = "ForAllValues:StringEqualsIfExists"
- variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
- values = ["true"]
+ variable = "ec2:ResourceTag/kubernetes.io/cluster/"
+ values = ["owned"]
 }
 }
 }
From cef877bf4b2844844fd6edf20c7139b2cb3c316d Mon Sep 17 00:00:00 2001
From: Brian Watson
Date: Thu, 18 Dec 2025 08:32:44 -0500
Subject: [PATCH 2/5] docs: simpler CreateTags statement
---
 .../configuration/backup-and-restore/velero-cloud.md | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/docs/reference/configuration/backup-and-restore/velero-cloud.md b/docs/reference/configuration/backup-and-restore/velero-cloud.md
index 4b46c2253e..c097cb5c62 100644
--- a/docs/reference/configuration/backup-and-restore/velero-cloud.md
+++ b/docs/reference/configuration/backup-and-restore/velero-cloud.md
@@ -101,15 +101,10 @@ data "aws_iam_policy_document" "velero_policy" {
 actions = ["ec2:CreateTags"]
 resources = ["*"]
 condition {
- test = "ForAllValues:StringEquals"
+ test = "ForAnyValue:StringEquals"
 variable = "aws:RequestTag/kubernetes.io/cluster/"
 values = ["owned"]
 }
- condition {
- test = "ForAllValues:StringEqualsIfExists"
- variable = "ec2:ResourceTag/kubernetes.io/cluster/"
- values = ["owned"]
- }
 }
 }
 ```
From db2fbc2d1099c6e0b0ecfc4eb19ccd33c1c3b5b5 Mon Sep 17 00:00:00 2001
From: Brian Watson
Date: Thu, 18 Dec 2025 14:42:19 -0500
Subject: [PATCH 3/5] docs: adding back ResourceTag test
---
 .../configuration/backup-and-restore/velero-cloud.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/docs/reference/configuration/backup-and-restore/velero-cloud.md b/docs/reference/configuration/backup-and-restore/velero-cloud.md
index c097cb5c62..bbd4bde739 100644
--- a/docs/reference/configuration/backup-and-restore/velero-cloud.md
+++ b/docs/reference/configuration/backup-and-restore/velero-cloud.md
@@ -101,10 +101,15 @@ data "aws_iam_policy_document" "velero_policy" {
 actions = ["ec2:CreateTags"]
 resources = ["*"]
 condition {
- test = "ForAnyValue:StringEquals"
+ test = "StringEquals"
 variable = "aws:RequestTag/kubernetes.io/cluster/"
 values = ["owned"]
 }
+ condition {
+ test = "StringEqualsIfExists"
+ variable = "ec2:ResourceTag/kubernetes.io/cluster/"
+ values = ["owned"]
+ }
 }
 }
 ```
From 487cdb51c718760f0babb86150a0c0d30773fd33 Mon Sep 17 00:00:00 2001
From: Brian Watson
Date: Thu, 18 Dec 2025 15:03:29 -0500
Subject: [PATCH 4/5] chore: formatting
---
 .../backup-and-restore/velero-cloud.md | 46 +++++++++----------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/docs/reference/configuration/backup-and-restore/velero-cloud.md b/docs/reference/configuration/backup-and-restore/velero-cloud.md
index bbd4bde739..ea1ccb0604 100644
--- a/docs/reference/configuration/backup-and-restore/velero-cloud.md
+++ b/docs/reference/configuration/backup-and-restore/velero-cloud.md
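Review bot: The `StringEqualsIfExists` condition re-added on `ec2:ResourceTag/kubernetes.io/cluster/` passes whenever the resource carries no cluster tag at all, so combined with `resources = ["*"]` the Velero principal can tag any untagged volume or snapshot in the account as `owned` by this cluster and from then on snapshot or delete it through the `ec2:ResourceTag`-gated statements; the `StringEquals` on the request tag does not narrow that. If Velero only tags resources it is creating (worth confirming against the AWS plugin's API calls before relying on it), the usual mitigation is a third condition that confines `ec2:CreateTags` to tag-on-create, `test = "StringEquals"`, `variable = "ec2:CreateAction"`, `values = ["CreateVolume", "CreateSnapshot"]`, optionally with `resources` narrowed to volume and snapshot ARNs. The same statement is carried unchanged into the formatting hunk of PATCH 4/5 and, as `"StringEqualsIfExists" = { ... }` with `${var.name}`, into `.github/test-infra/aws/eks/velero.tf` in PATCH 5/5, so whichever shape is chosen here should be mirrored there. The enclosing `statement` block starts before this hunk.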
@@ -46,69 +46,69 @@ data "aws_iam_policy_document" "velero_policy" {
 }
 statement {
- effect = "Allow"
- actions = ["ec2:DescribeVolumes", "ec2:DescribeSnapshots"]
+ effect = "Allow"
+ actions = ["ec2:DescribeVolumes", "ec2:DescribeSnapshots"]
 resources = ["*"]
 }
 # Replace in statements below with your EKS cluster name
 statement {
- effect = "Allow"
- actions = ["ec2:CreateVolume"]
+ effect = "Allow"
+ actions = ["ec2:CreateVolume"]
 resources = ["*"]
 condition {
- test = "StringEquals"
+ test = "StringEquals"
 variable = "aws:RequestTag/kubernetes.io/cluster/"
- values = ["owned"]
+ values = ["owned"]
 }
 }
 statement {
- effect = "Allow"
- actions = ["ec2:CreateSnapshot"]
+ effect = "Allow"
+ actions = ["ec2:CreateSnapshot"]
 resources = ["*"]
 condition {
- test = "StringEquals"
+ test = "StringEquals"
 variable = "aws:RequestTag/kubernetes.io/cluster/"
- values = ["owned"]
+ values = ["owned"]
 }
 }
 statement {
- effect = "Allow"
- actions = ["ec2:CreateSnapshot"]
+ effect = "Allow"
+ actions = ["ec2:CreateSnapshot"]
 resources = ["*"]
 condition {
- test = "StringEquals"
+ test = "StringEquals"
 variable = "ec2:ResourceTag/kubernetes.io/cluster/"
- values = ["owned"]
+ values = ["owned"]
 }
 }
 statement {
- effect = "Allow"
- actions = ["ec2:DeleteSnapshot"]
+ effect = "Allow"
+ actions = ["ec2:DeleteSnapshot"]
 resources = ["*"]
 condition {
- test = "StringEquals"
+ test = "StringEquals"
 variable = "ec2:ResourceTag/kubernetes.io/cluster/"
- values = ["owned"]
+ values = ["owned"]
 }
 }
 statement {
- effect = "Allow"
- actions = ["ec2:CreateTags"]
+ effect = "Allow"
+ actions = ["ec2:CreateTags"]
 resources = ["*"]
 condition {
 test = "StringEquals"
 variable = "aws:RequestTag/kubernetes.io/cluster/"
- values = ["owned"]
+ values = ["owned"]
 }
 condition {
- test = "StringEqualsIfExists"
+ test = "StringEqualsIfExists"
 variable = "ec2:ResourceTag/kubernetes.io/cluster/"
- values = ["owned"]
+ values = ["owned"]
 }
 }
 }
From 333ea627ff962dff5ff6b23aace167a5c1176af4 Mon Sep 17 00:00:00 2001
From: Brian Watson
Date: Fri, 19 Dec 2025 09:12:01 -0500
Subject: [PATCH 5/5] test: updating infra test velero policy
---
 .github/test-infra/aws/eks/velero.tf | 36 ++++++++++++++--------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/.github/test-infra/aws/eks/velero.tf b/.github/test-infra/aws/eks/velero.tf
index fc93915c14..ac3d8b77dc 100644
--- a/.github/test-infra/aws/eks/velero.tf
+++ b/.github/test-infra/aws/eks/velero.tf
@@ -20,55 +20,55 @@ resource "aws_iam_policy" "velero_policy" {
 Resource = ["*"]
 },
 {
- Effect = "Allow",
- Action = ["ec2:CreateVolume"],
+ Effect = "Allow",
+ Action = ["ec2:CreateVolume"],
 Resource = ["*"],
 Condition = {
 StringEquals = {
- "aws:RequestTag/ebs.csi.aws.com/cluster" = "true"
+ "aws:RequestTag/kubernetes.io/cluster/${var.name}" = "owned"
 }
 }
 },
 {
- Effect = "Allow",
- Action = ["ec2:CreateSnapshot"],
+ Effect = "Allow",
+ Action = ["ec2:CreateSnapshot"],
 Resource = ["*"],
 Condition = {
 StringEquals = {
- "aws:RequestTag/ebs.csi.aws.com/cluster" = "true"
+ "aws:RequestTag/kubernetes.io/cluster/${var.name}" = "owned"
 }
 }
 },
 {
- Effect = "Allow",
- Action = ["ec2:CreateSnapshot"],
+ Effect = "Allow",
+ Action = ["ec2:CreateSnapshot"],
 Resource = ["*"],
 Condition = {
 StringEquals = {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster" = "true"
+ "ec2:ResourceTag/kubernetes.io/cluster/${var.name}" = "owned"
 }
 }
 },
 {
- Effect = "Allow",
- Action = ["ec2:DeleteSnapshot"],
+ Effect = "Allow",
+ Action = ["ec2:DeleteSnapshot"],
 Resource = ["*"],
 Condition = {
 StringEquals = {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster" = "true"
+ "ec2:ResourceTag/kubernetes.io/cluster/${var.name}" = "owned"
 }
 }
 },
 {
- Effect = "Allow",
- Action = ["ec2:CreateTags"],
+ Effect = "Allow",
+ Action = ["ec2:CreateTags"],
 Resource = ["*"],
 Condition = {
- "ForAllValues:StringEquals" = {
- "aws:RequestTag/ebs.csi.aws.com/cluster" = "true"
+ "StringEquals" = {
+ "aws:RequestTag/kubernetes.io/cluster/${var.name}" = "owned"
 },
- "ForAllValues:StringEqualsIfExists" = {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster" = "true"
+ "StringEqualsIfExists" = {
+ "ec2:ResourceTag/kubernetes.io/cluster/${var.name}" = "owned"
 }
 }
 },