From f0c7b3efc61eac586c423b5cc742850718c7e208 Mon Sep 17 00:00:00 2001
From: Federico Bonfigli
Date: Wed, 22 Apr 2026 11:39:31 +0200
Subject: [PATCH 1/2] Add SetSecurityGroups IAM permission to master nodes

Adds the elasticloadbalancing:SetSecurityGroups IAM permission to master nodes, which is required for the BYO Security Groups feature for AWS Network Load Balancers on AWS CCM.
---
 pkg/infrastructure/aws/clusterapi/iam.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/infrastructure/aws/clusterapi/iam.go b/pkg/infrastructure/aws/clusterapi/iam.go
index f5b2617f03e..c5ac6aaeaa0 100644
--- a/pkg/infrastructure/aws/clusterapi/iam.go
+++ b/pkg/infrastructure/aws/clusterapi/iam.go
@@ -71,6 +71,7 @@ var (
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "elasticloadbalancing:SetSecurityGroups",
 "kms:DescribeKey",
 },
 Resource: iamv1.Resources{

From 1a7476bf352c97227fc52fed35ca82181c068d52 Mon Sep 17 00:00:00 2001
From: Federico Bonfigli
Date: Wed, 29 Apr 2026 15:54:18 +0200
Subject: [PATCH 2/2] Add SetSecurityGroups IAM permission to UPI cloudformation template

Adds the elasticloadbalancing:SetSecurityGroups permissions to the UPI cloudformation template, required for the AWS CCM BYO Security Group feature for AWS Network Load Balancers.
---
 upi/aws/cloudformation/03_cluster_security.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/upi/aws/cloudformation/03_cluster_security.yaml b/upi/aws/cloudformation/03_cluster_security.yaml
index ece4aeb2dbf..d7e0876134d 100644
--- a/upi/aws/cloudformation/03_cluster_security.yaml
+++ b/upi/aws/cloudformation/03_cluster_security.yaml
@@ -542,6 +542,7 @@ Resources:
 - "elasticloadbalancing:RegisterTargets"
 - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
 - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ - "elasticloadbalancing:SetSecurityGroups"
 - "kms:DescribeKey"
 Resource: "*"
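Review bot: `elasticloadbalancing:SetSecurityGroups` is added to a statement with an unrestricted resource, so the control-plane role could change the security groups of any load balancer in the account, not only the NLBs the cloud controller manager manages. The CloudFormation hunk in PATCH 2/2 shows `Resource: "*"`; the Go hunk ends at `Resource: iamv1.Resources{`, whose value lies outside the hunk but presumably matches. Consider giving this action its own statement with a tag condition such as `aws:ResourceTag/kubernetes.io/cluster/<INFRA_ID>` equal to `owned` (placeholder; confirm the CCM tags its NLBs this way and that the action honours the key). If the wildcard has to stay, record why on the new line in both files, e.g. `// needed by AWS CCM to set BYO security groups on NLBs` here and the `#` equivalent in the YAML template.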