
chore: update controller IAM role permissions to support karpenter v1

This commit is contained in:
Andy Townsend
2024-08-15 15:10:42 +01:00
parent 1360e3de68
commit 03a9a08ce0
+60 -7
@@ -85,7 +85,7 @@ data "aws_iam_policy_document" "controller" {
count = local.create_iam_role ? 1 : 0 count = local.create_iam_role ? 1 : 0
statement { statement {
sid = "AllowScopedEC2InstanceActions" sid = "AllowScopedEC2InstanceAccessActions"
resources = [ resources = [
"arn:${local.partition}:ec2:*::image/*", "arn:${local.partition}:ec2:*::image/*",
"arn:${local.partition}:ec2:*::snapshot/*", "arn:${local.partition}:ec2:*::snapshot/*",
@@ -101,6 +101,29 @@ data "aws_iam_policy_document" "controller" {
] ]
} }
statement {
sid = "AllowScopedEC2LaunchTemplateAccessActions"
resources = [
"arn:${local.partition}:ec2:*:*:launch-template/*"
]
actions = [
"ec2:RunInstances",
"ec2:CreateFleet"
]
condition {
test = "StringEquals"
variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_name}"
values = ["owned"]
}
condition {
test = "StringLike"
variable = "aws:RequestTag/karpenter.sh/nodepool"
values = ["*"]
}
}
statement { statement {
sid = "AllowScopedEC2InstanceActionsWithTags" sid = "AllowScopedEC2InstanceActionsWithTags"
resources = [ resources = [
@@ -123,6 +146,12 @@ data "aws_iam_policy_document" "controller" {
values = ["owned"] values = ["owned"]
} }
condition {
test = "StringEquals"
variable = "aws:RequestTag/eks:eks-cluster-name"
values = [var.cluster_name]
}
condition { condition {
test = "StringLike" test = "StringLike"
variable = "aws:RequestTag/karpenter.sh/nodepool" variable = "aws:RequestTag/karpenter.sh/nodepool"
@@ -148,6 +177,12 @@ data "aws_iam_policy_document" "controller" {
values = ["owned"] values = ["owned"]
} }
condition {
test = "StringEquals"
variable = "aws:RequestTag/eks:eks-cluster-name"
values = [var.cluster_name]
}
condition { condition {
test = "StringEquals" test = "StringEquals"
variable = "ec2:CreateAction" variable = "ec2:CreateAction"
@@ -182,10 +217,17 @@ data "aws_iam_policy_document" "controller" {
values = ["*"] values = ["*"]
} }
condition {
test = "StringEqualsIfExists"
variable = "aws:RequestTag/eks:eks-cluster-name"
values = [var.cluster_name]
}
condition { condition {
test = "ForAllValues:StringEquals" test = "ForAllValues:StringEquals"
variable = "aws:TagKeys" variable = "aws:TagKeys"
values = [ values = [
"eks:eks-cluster-name",
"karpenter.sh/nodeclaim", "karpenter.sh/nodeclaim",
"Name", "Name",
] ]
@@ -259,7 +301,6 @@ data "aws_iam_policy_document" "controller" {
resources = [try(aws_sqs_queue.this[0].arn, null)] resources = [try(aws_sqs_queue.this[0].arn, null)]
actions = [ actions = [
"sqs:DeleteMessage", "sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl", "sqs:GetQueueUrl",
"sqs:ReceiveMessage" "sqs:ReceiveMessage"
] ]
@@ -280,7 +321,7 @@ data "aws_iam_policy_document" "controller" {
statement { statement {
sid = "AllowScopedInstanceProfileCreationActions" sid = "AllowScopedInstanceProfileCreationActions"
resources = ["*"] resources = ["arn:${local.partition}:iam::${local.account_id}:instance-profile/*"]
actions = ["iam:CreateInstanceProfile"] actions = ["iam:CreateInstanceProfile"]
condition { condition {
@@ -289,6 +330,12 @@ data "aws_iam_policy_document" "controller" {
values = ["owned"] values = ["owned"]
} }
condition {
test = "StringEquals"
variable = "aws:RequestTag/eks:eks-cluster-name"
values = [var.cluster_name]
}
condition { condition {
test = "StringEquals" test = "StringEquals"
variable = "aws:RequestTag/topology.kubernetes.io/region" variable = "aws:RequestTag/topology.kubernetes.io/region"
@@ -304,7 +351,7 @@ data "aws_iam_policy_document" "controller" {
statement { statement {
sid = "AllowScopedInstanceProfileTagActions" sid = "AllowScopedInstanceProfileTagActions"
resources = ["*"] resources = ["arn:${local.partition}:iam::${local.account_id}:instance-profile/*"]
actions = ["iam:TagInstanceProfile"] actions = ["iam:TagInstanceProfile"]
condition { condition {
@@ -327,7 +374,13 @@ data "aws_iam_policy_document" "controller" {
condition { condition {
test = "StringEquals" test = "StringEquals"
variable = "aws:ResourceTag/topology.kubernetes.io/region" variable = "aws:RequestTag/eks:eks-cluster-name"
values = [var.cluster_name]
}
condition {
test = "StringEquals"
variable = "aws:RequestTag/topology.kubernetes.io/region"
values = [local.region] values = [local.region]
} }
@@ -346,7 +399,7 @@ data "aws_iam_policy_document" "controller" {
statement { statement {
sid = "AllowScopedInstanceProfileActions" sid = "AllowScopedInstanceProfileActions"
resources = ["*"] resources = ["arn:${local.partition}:iam::${local.account_id}:instance-profile/*"]
actions = [ actions = [
"iam:AddRoleToInstanceProfile", "iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile", "iam:RemoveRoleFromInstanceProfile",
@@ -374,7 +427,7 @@ data "aws_iam_policy_document" "controller" {
statement { statement {
sid = "AllowInstanceProfileReadActions" sid = "AllowInstanceProfileReadActions"
resources = ["*"] resources = ["arn:${local.partition}:iam::${local.account_id}:instance-profile/*"]
actions = ["iam:GetInstanceProfile"] actions = ["iam:GetInstanceProfile"]
} }
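Review bot: In the `AllowScopedInstanceProfileTagActions` statement (hunk `@@ -327,7 +374,13 @@`), the existing `aws:ResourceTag/topology.kubernetes.io/region` condition is replaced rather than kept: the new side carries `aws:RequestTag/eks:eks-cluster-name` and `aws:RequestTag/topology.kubernetes.io/region`, and no other visible hunk re-adds a resource-tag region check, so `iam:TagInstanceProfile` appears to lose its scoping to profiles already tagged for this region. Request-tag conditions only constrain the tags being written, not which existing profile is being modified, so a profile carrying the cluster tag in another region would, as far as these hunks show, now satisfy the statement. If the intent is to mirror the upstream Karpenter v1 policy, which as far as I recall keeps both the resource-tag and request-tag region conditions, the removed condition should stay alongside the two new ones; please confirm against the reference policy. The enclosing `statement` block starts outside this hunk.
```hcl
    # … unchanged: resources, actions and preceding conditions …
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/topology.kubernetes.io/region"
      values   = [local.region]
    }
    # … unchanged: the two new aws:RequestTag conditions added by this commit …
```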