Merge pull request #2265 from michaelbeaumont/fargate

Add AWSFargateProfile resource

cmd/clusterawsadm/api/bootstrap/v1alpha1/defaults.go

@@ -73,6 +73,11 @@ func SetDefaults_AWSIAMConfigurationSpec(obj *AWSIAMConfigurationSpec) { //nolin
 			Disable: true,
 		}
 	}
+	if obj.EKS.Fargate == nil {
+		obj.EKS.Fargate = &AWSIAMRoleSpec{
+			Disable: true,
+		}
+	}
 	if len(obj.SecureSecretsBackends) == 0 {
 		obj.SecureSecretsBackends = []infrav1.SecretBackend{
 			infrav1.SecretBackendSecretsManager,

cmd/clusterawsadm/api/bootstrap/v1alpha1/types.go

@@ -105,6 +105,9 @@ type EKSConfig struct {
 	// ManagedMachinePool controls the configuration of the AWS IAM role for
 	// used by EKS managed machine pools.
 	ManagedMachinePool *AWSIAMRoleSpec `json:"managedMachinePool,omitempty"`
+	// Fargate controls the configuration of the AWS IAM role for
+	// used by EKS managed machine pools.
+	Fargate *AWSIAMRoleSpec `json:"fargate,omitempty"`
 }
 
 // EventBridgeConfig represents configuration for enabling experimental feature to consume

cmd/clusterawsadm/api/iam/v1alpha1/types.go

@@ -16,6 +16,12 @@ limitations under the License.
 
 package v1alpha1
 
+import (
+	"encoding/json"
+
+	"github.com/pkg/errors"
+)
+
 type (
 	Effect            string
 	ConditionOperator string
@@ -89,12 +95,40 @@ type Principals map[PrincipalType]PrincipalID
 // Actions is the list of actions
 type Actions []string
 
+func (actions *Actions) UnmarshalJSON(data []byte) error {
+	var ids []string
+	if err := json.Unmarshal(data, &ids); err == nil {
+		*actions = Actions(ids)
+		return nil
+	}
+	var id string
+	if err := json.Unmarshal(data, &id); err != nil {
+		return errors.Wrap(err, "couldn't unmarshal as either []string or string")
+	}
+	*actions = []string{id}
+	return nil
+}
+
 // Resources is the list of resources
 type Resources []string
 
 // PrincipalID represents the list of all principals, such as ARNs
 type PrincipalID []string
 
+func (principalID *PrincipalID) UnmarshalJSON(data []byte) error {
+	var ids []string
+	if err := json.Unmarshal(data, &ids); err == nil {
+		*principalID = PrincipalID(ids)
+		return nil
+	}
+	var id string
+	if err := json.Unmarshal(data, &id); err != nil {
+		return errors.Wrap(err, "couldn't unmarshal as either []string or string")
+	}
+	*principalID = []string{id}
+	return nil
+}
+
 // Conditions is the map of all conditions in the statement entry.
 type Conditions map[ConditionOperator]interface{}
 

cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go

@@ -256,6 +256,19 @@ func (t Template) controllersPolicy() *iamv1.PolicyDocument {
 			},
 		})
 
+		statement = append(statement, iamv1.StatementEntry{
+			Effect: iamv1.EffectAllow,
+			Action: iamv1.Actions{
+				"iam:CreateServiceLinkedRole",
+			},
+			Resource: iamv1.Resources{
+				"arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate",
+			},
+			Condition: iamv1.Conditions{
+				iamv1.StringLike: map[string]string{"iam:AWSServiceName": "eks-fargate.amazonaws.com"},
+			},
+		})
+
 		if t.Spec.EKS.AllowIAMRoleCreation {
 			allowedIAMActions = append(allowedIAMActions, iamv1.Actions{
 				"iam:DetachRolePolicy",
@@ -324,6 +337,9 @@ func (t Template) controllersPolicy() *iamv1.PolicyDocument {
 					"eks:DeleteAddon",
 					"eks:UpdateAddon",
 					"eks:TagResource",
+					"eks:DescribeFargateProfile",
+					"eks:CreateFargateProfile",
+					"eks:DeleteFargateProfile",
 				},
 				Resource: iamv1.Resources{
 					"*",

cmd/clusterawsadm/cloudformation/bootstrap/fargate.go

@@ -0,0 +1,33 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package bootstrap
+
+import (
+	bootstrapv1 "sigs.k8s.io/cluster-api-provider-aws/cmd/clusterawsadm/api/bootstrap/v1alpha1"
+	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/services/eks"
+)
+
+func fargateProfilePolicies(roleSpec *bootstrapv1.AWSIAMRoleSpec) []string {
+	policies := eks.FargateRolePolicies()
+	if roleSpec.ExtraPolicyAttachments != nil {
+		for _, policy := range roleSpec.ExtraPolicyAttachments {
+			policies = append(policies, policy)
+		}
+	}
+
+	return policies
+}

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml

@@ -269,6 +269,14 @@ Resources:
           Effect: Allow
           Resource:
           - arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: eks-fargate.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate
         - Action:
           - iam:GetRole
           - iam:ListAttachedRolePolicies
@@ -306,6 +314,9 @@ Resources:
           - eks:DeleteAddon
           - eks:UpdateAddon
           - eks:TagResource
+          - eks:DescribeFargateProfile
+          - eks:CreateFargateProfile
+          - eks:DeleteFargateProfile
           Effect: Allow
           Resource:
           - '*'
@@ -363,6 +374,21 @@ Resources:
       - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
       RoleName: eks-controlplane.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
+  AWSIAMRoleEKSFargate:
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+        - Action:
+          - sts:AssumeRole
+          Effect: Allow
+          Principal:
+            Service:
+            - eks-fargate-pods.amazonaws.com
+        Version: 2012-10-17
+      ManagedPolicyArns:
+      - arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy
+      RoleName: eks-fargate.cluster-api-provider-aws.sigs.k8s.io
+    Type: AWS::IAM::Role
   AWSIAMRoleEKSNodegroup:
     Properties:
       AssumeRolePolicyDocument:

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_enable.yaml

@@ -269,6 +269,14 @@ Resources:
           Effect: Allow
           Resource:
           - arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: eks-fargate.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate
         - Action:
           - iam:GetRole
           - iam:ListAttachedRolePolicies
@@ -306,6 +314,9 @@ Resources:
           - eks:DeleteAddon
           - eks:UpdateAddon
           - eks:TagResource
+          - eks:DescribeFargateProfile
+          - eks:CreateFargateProfile
+          - eks:DeleteFargateProfile
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/template.go

@@ -27,6 +27,7 @@ import (
 	"sigs.k8s.io/cluster-api-provider-aws/cmd/clusterawsadm/converters"
 	ekscontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/controlplane/eks/api/v1alpha3"
 	infrav1exp "sigs.k8s.io/cluster-api-provider-aws/exp/api/v1alpha3"
+	eksiam "sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/services/eks/iam"
 )
 
 const (
@@ -39,6 +40,7 @@ const (
 	AWSIAMRoleNodes                              = "AWSIAMRoleNodes"
 	AWSIAMRoleEKSControlPlane                    = "AWSIAMRoleEKSControlPlane"
 	AWSIAMRoleEKSNodegroup                       = "AWSIAMRoleEKSNodegroup"
+	AWSIAMRoleEKSFargate                         = "AWSIAMRoleEKSFargate"
 	AWSIAMUserBootstrapper                       = "AWSIAMUserBootstrapper"
 	ControllersPolicy                 PolicyName = "AWSIAMManagedPolicyControllers"
 	ControlPlanePolicy                PolicyName = "AWSIAMManagedPolicyCloudProviderControlPlane"
@@ -178,6 +180,15 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 		}
 	}
 
+	if !t.Spec.EKS.Fargate.Disable {
+		template.Resources[AWSIAMRoleEKSFargate] = &cfn_iam.Role{
+			RoleName:                 infrav1exp.DefaultEKSFargateRole,
+			AssumeRolePolicyDocument: assumeRolePolicy([]string{eksiam.EKSFargateService}),
+			ManagedPolicyArns:        fargateProfilePolicies(t.Spec.EKS.Fargate),
+			Tags:                     converters.MapToCloudFormationTags(t.Spec.EKS.Fargate.Tags),
+		}
+	}
+
 	return template
 }
 

cmd/clusterawsadm/cloudformation/bootstrap/template_test.go

@@ -103,6 +103,7 @@ func Test_RenderCloudformation(t *testing.T) {
 				t.Spec.Nodes.EC2ContainerRegistryReadOnly = true
 				t.Spec.EKS.DefaultControlPlaneRole.Disable = false
 				t.Spec.EKS.ManagedMachinePool.Disable = false
+				t.Spec.EKS.Fargate.Disable = false
 				return t
 			},
 		},