diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
index 105adfd72d..c4ac258aed 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -235,190 +235,198 @@ func (t Template) ControllersPolicy() *infrav1.PolicyDocument { }) } } - if !t.Spec.EKS.Disable { - allowedIAMActions := infrav1.Actions{ - "iam:GetRole", - "iam:ListAttachedRolePolicies", - } + if t.Spec.EventBridge.Enable { statement = append(statement, infrav1.StatementEntry{ - Effect: infrav1.EffectAllow, - Resource: infrav1.Resources{ - "arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*", - }, + Effect: infrav1.EffectAllow, + Resource: infrav1.Resources{infrav1.Any}, Action: infrav1.Actions{ - "ssm:GetParameter", + "events:DeleteRule", + "events:DescribeRule", + "events:ListTargetsByRule", + "events:PutRule", + "events:PutTargets", + "events:RemoveTargets", + "sqs:CreateQueue", + "sqs:DeleteMessage", + "sqs:DeleteQueue", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SetQueueAttributes", }, }) + } + + return &infrav1.PolicyDocument{ + Version: infrav1.CurrentVersion, + Statement: statement, + } +} + +// ControllersPolicyEKS creates a policy from a template for AWS Controllers. 
+func (t Template) ControllersPolicyEKS() *infrav1.PolicyDocument { + statement := []infrav1.StatementEntry{} + + allowedIAMActions := infrav1.Actions{ + "iam:GetRole", + "iam:ListAttachedRolePolicies", + } + statement = append(statement, infrav1.StatementEntry{ + Effect: infrav1.EffectAllow, + Resource: infrav1.Resources{ + "arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*", + }, + Action: infrav1.Actions{ + "ssm:GetParameter", + }, + }) + + statement = append(statement, infrav1.StatementEntry{ + Effect: infrav1.EffectAllow, + Action: infrav1.Actions{ + "iam:CreateServiceLinkedRole", + }, + Resource: infrav1.Resources{ + "arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", + }, + Condition: infrav1.Conditions{ + infrav1.StringLike: map[string]string{"iam:AWSServiceName": "eks.amazonaws.com"}, + }, + }) + + statement = append(statement, infrav1.StatementEntry{ + Effect: infrav1.EffectAllow, + Action: infrav1.Actions{ + "iam:CreateServiceLinkedRole", + }, + Resource: infrav1.Resources{ + "arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup", + }, + Condition: infrav1.Conditions{ + infrav1.StringLike: map[string]string{"iam:AWSServiceName": "eks-nodegroup.amazonaws.com"}, + }, + }) + + statement = append(statement, infrav1.StatementEntry{ + Effect: infrav1.EffectAllow, + Action: infrav1.Actions{ + "iam:CreateServiceLinkedRole", + }, + Resource: infrav1.Resources{ + "arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate", + }, + Condition: infrav1.Conditions{ + infrav1.StringLike: map[string]string{"iam:AWSServiceName": "eks-fargate.amazonaws.com"}, + }, + }) + + if t.Spec.EKS.AllowIAMRoleCreation { + allowedIAMActions = append(allowedIAMActions, infrav1.Actions{ + "iam:DetachRolePolicy", + "iam:DeleteRole", + "iam:CreateRole", + "iam:TagRole", + "iam:AttachRolePolicy", + }...) 
statement = append(statement, infrav1.StatementEntry{ - Effect: infrav1.EffectAllow, Action: infrav1.Actions{ - "iam:CreateServiceLinkedRole", + "iam:ListOpenIDConnectProviders", + "iam:CreateOpenIDConnectProvider", + "iam:AddClientIDToOpenIDConnectProvider", + "iam:UpdateOpenIDConnectProviderThumbprint", + "iam:DeleteOpenIDConnectProvider", }, Resource: infrav1.Resources{ - "arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", - }, - Condition: infrav1.Conditions{ - infrav1.StringLike: map[string]string{"iam:AWSServiceName": "eks.amazonaws.com"}, + "*", }, + Effect: infrav1.EffectAllow, }) - - statement = append(statement, infrav1.StatementEntry{ + } + statement = append(statement, []infrav1.StatementEntry{ + { + Action: allowedIAMActions, + Resource: infrav1.Resources{ + "arn:*:iam::*:role/*", + }, Effect: infrav1.EffectAllow, + }, { Action: infrav1.Actions{ - "iam:CreateServiceLinkedRole", + "iam:GetPolicy", }, Resource: infrav1.Resources{ - "arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup", + t.generateAWSManagedPolicyARN(eksClusterPolicyName), }, - Condition: infrav1.Conditions{ - infrav1.StringLike: map[string]string{"iam:AWSServiceName": "eks-nodegroup.amazonaws.com"}, + Effect: infrav1.EffectAllow, + }, { + Action: infrav1.Actions{ + "eks:DescribeCluster", + "eks:ListClusters", + "eks:CreateCluster", + "eks:TagResource", + "eks:UpdateClusterVersion", + "eks:DeleteCluster", + "eks:UpdateClusterConfig", + "eks:UntagResource", + "eks:UpdateNodegroupVersion", + "eks:DescribeNodegroup", + "eks:DeleteNodegroup", + "eks:UpdateNodegroupConfig", + "eks:CreateNodegroup", + "eks:AssociateEncryptionConfig", + }, + Resource: infrav1.Resources{ + "arn:*:eks:*:*:cluster/*", + "arn:*:eks:*:*:nodegroup/*/*/*", }, - }) - - statement = append(statement, infrav1.StatementEntry{ Effect: infrav1.EffectAllow, + }, { Action: infrav1.Actions{ - "iam:CreateServiceLinkedRole", + "eks:ListAddons", + 
"eks:CreateAddon", + "eks:DescribeAddonVersions", + "eks:DescribeAddon", + "eks:DeleteAddon", + "eks:UpdateAddon", + "eks:TagResource", + "eks:DescribeFargateProfile", + "eks:CreateFargateProfile", + "eks:DeleteFargateProfile", }, Resource: infrav1.Resources{ - "arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate", + "*", }, - Condition: infrav1.Conditions{ - infrav1.StringLike: map[string]string{"iam:AWSServiceName": "eks-fargate.amazonaws.com"}, + Effect: infrav1.EffectAllow, + }, { + Action: infrav1.Actions{ + "iam:PassRole", }, - }) - - if t.Spec.EKS.AllowIAMRoleCreation { - allowedIAMActions = append(allowedIAMActions, infrav1.Actions{ - "iam:DetachRolePolicy", - "iam:DeleteRole", - "iam:CreateRole", - "iam:TagRole", - "iam:AttachRolePolicy", - }...) - - statement = append(statement, infrav1.StatementEntry{ - Action: infrav1.Actions{ - "iam:ListOpenIDConnectProviders", - "iam:CreateOpenIDConnectProvider", - "iam:AddClientIDToOpenIDConnectProvider", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:DeleteOpenIDConnectProvider", - }, - Resource: infrav1.Resources{ - "*", - }, - Effect: infrav1.EffectAllow, - }) - } - statement = append(statement, []infrav1.StatementEntry{ - { - Action: allowedIAMActions, - Resource: infrav1.Resources{ - "arn:*:iam::*:role/*", - }, - Effect: infrav1.EffectAllow, - }, { - Action: infrav1.Actions{ - "iam:GetPolicy", - }, - Resource: infrav1.Resources{ - t.generateAWSManagedPolicyARN(eksClusterPolicyName), - }, - Effect: infrav1.EffectAllow, - }, { - Action: infrav1.Actions{ - "eks:DescribeCluster", - "eks:ListClusters", - "eks:CreateCluster", - "eks:TagResource", - "eks:UpdateClusterVersion", - "eks:DeleteCluster", - "eks:UpdateClusterConfig", - "eks:UntagResource", - "eks:UpdateNodegroupVersion", - "eks:DescribeNodegroup", - "eks:DeleteNodegroup", - "eks:UpdateNodegroupConfig", - "eks:CreateNodegroup", - "eks:AssociateEncryptionConfig", - }, - Resource: infrav1.Resources{ - 
"arn:*:eks:*:*:cluster/*", - "arn:*:eks:*:*:nodegroup/*/*/*", - }, - Effect: infrav1.EffectAllow, - }, { - Action: infrav1.Actions{ - "eks:ListAddons", - "eks:CreateAddon", - "eks:DescribeAddonVersions", - "eks:DescribeAddon", - "eks:DeleteAddon", - "eks:UpdateAddon", - "eks:TagResource", - "eks:DescribeFargateProfile", - "eks:CreateFargateProfile", - "eks:DeleteFargateProfile", - }, - Resource: infrav1.Resources{ - "*", - }, - Effect: infrav1.EffectAllow, - }, { - Action: infrav1.Actions{ - "iam:PassRole", - }, - Resource: infrav1.Resources{ - "*", - }, - Condition: infrav1.Conditions{ - "StringEquals": map[string]string{ - "iam:PassedToService": "eks.amazonaws.com", - }, - }, - Effect: infrav1.EffectAllow, + Resource: infrav1.Resources{ + "*", }, - { - Action: infrav1.Actions{ - "kms:CreateGrant", - "kms:DescribeKey", - }, - Resource: infrav1.Resources{ - "*", - }, - Effect: infrav1.EffectAllow, - Condition: infrav1.Conditions{ - "ForAnyValue:StringLike": map[string]string{ - "kms:ResourceAliases": fmt.Sprintf("alias/%s", t.Spec.EKS.KMSAliasPrefix), - }, + Condition: infrav1.Conditions{ + "StringEquals": map[string]string{ + "iam:PassedToService": "eks.amazonaws.com", }, }, - }...) 
- } - - if t.Spec.EventBridge.Enable { - statement = append(statement, infrav1.StatementEntry{ - Effect: infrav1.EffectAllow, - Resource: infrav1.Resources{infrav1.Any}, + Effect: infrav1.EffectAllow, + }, + { Action: infrav1.Actions{ - "events:DeleteRule", - "events:DescribeRule", - "events:ListTargetsByRule", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets", - "sqs:CreateQueue", - "sqs:DeleteMessage", - "sqs:DeleteQueue", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ReceiveMessage", - "sqs:SetQueueAttributes", + "kms:CreateGrant", + "kms:DescribeKey", }, - }) - } + Resource: infrav1.Resources{ + "*", + }, + Effect: infrav1.EffectAllow, + Condition: infrav1.Conditions{ + "ForAnyValue:StringLike": map[string]string{ + "kms:ResourceAliases": fmt.Sprintf("alias/%s", t.Spec.EKS.KMSAliasPrefix), + }, + }, + }, + }...) return &infrav1.PolicyDocument{ Version: infrav1.CurrentVersion, diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml index af2d1ab687..81c6508cfc 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml @@ -250,6 +250,17 @@ Resources: Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* + Version: 2012-10-17 + Roles: + - Ref: AWSIAMRoleControllers + - Ref: AWSIAMRoleControlPlane + Type: AWS::IAM::ManagedPolicy + AWSIAMManagedPolicyControllersEKS: + Properties: + Description: For the Kubernetes Cluster API Provider AWS Controllers + ManagedPolicyName: controllers-eks.custom-suffix.com + PolicyDocument: + Statement: - Action: - ssm:GetParameter Effect: Allow diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml index c9c6770e8f..18263cc594 100644 
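Review bot: The doc comment on the new `ControllersPolicyEKS` repeats the one on `ControllersPolicy` word for word and does not say what distinguishes the two, nor that the function itself never consults `t.Spec.EKS.Disable` and relies on its callers for that guard; suggest `// ControllersPolicyEKS creates the EKS-specific controllers policy (optimized-AMI SSM lookup, EKS service-linked roles, IAM role/OIDC management, eks:* and condition-scoped kms:/iam:PassRole) that was split out of ControllersPolicy. Callers attach it only when t.Spec.EKS.Disable is false.`. While these statements are being moved, the Fargate service-linked-role entry deserves a second look: its resource is pinned to the `arn:aws:` partition whereas the neighbouring EKS and nodegroup entries use `arn:*:`, and its `iam:AWSServiceName` condition names `eks-fargate.amazonaws.com` while the role path names `eks-fargate-pods.amazonaws.com`. Both are carried over unchanged from the removed lines, so this may be intentional, but a partition-pinned resource would not match the role in other partitions and the mismatch is easier to fix now that the statement lives in its own function. `ControllersPolicy` starts before the hunk and the tail of `ControllersPolicyEKS` (the closing return) ends after it.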
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml @@ -250,6 +250,17 @@ Resources: Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* + Version: 2012-10-17 + Roles: + - Ref: AWSIAMRoleControllers + - Ref: AWSIAMRoleControlPlane + Type: AWS::IAM::ManagedPolicy + AWSIAMManagedPolicyControllersEKS: + Properties: + Description: For the Kubernetes Cluster API Provider AWS Controllers + ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io + PolicyDocument: + Statement: - Action: - ssm:GetParameter Effect: Allow diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml index 71cbf16577..4bd261c672 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml @@ -263,6 +263,17 @@ Resources: Effect: Allow Resource: - arn:*:ssm:*:*:parameter/cluster.x-k8s.io/* + Version: 2012-10-17 + Roles: + - Ref: AWSIAMRoleControllers + - Ref: AWSIAMRoleControlPlane + Type: AWS::IAM::ManagedPolicy + AWSIAMManagedPolicyControllersEKS: + Properties: + Description: For the Kubernetes Cluster API Provider AWS Controllers + ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io + PolicyDocument: + Statement: - Action: - ssm:GetParameter Effect: Allow diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml index cfa949ab5e..088385bc0d 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml 
@@ -255,6 +255,19 @@ Resources: Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* + Version: 2012-10-17 + Roles: + - Ref: AWSIAMRoleControllers + - Ref: AWSIAMRoleControlPlane + Type: AWS::IAM::ManagedPolicy + AWSIAMManagedPolicyControllersEKS: + Properties: + Description: For the Kubernetes Cluster API Provider AWS Controllers + Groups: + - Ref: AWSIAMGroupBootstrapper + ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io + PolicyDocument: + Statement: - Action: - ssm:GetParameter Effect: Allow diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml index a0210432b2..1b0b86e6ce 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml @@ -255,6 +255,19 @@ Resources: Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* + Version: 2012-10-17 + Roles: + - Ref: AWSIAMRoleControllers + - Ref: AWSIAMRoleControlPlane + Type: AWS::IAM::ManagedPolicy + AWSIAMManagedPolicyControllersEKS: + Properties: + Description: For the Kubernetes Cluster API Provider AWS Controllers + Groups: + - Ref: AWSIAMGroupBootstrapper + ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io + PolicyDocument: + Statement: - Action: - ssm:GetParameter Effect: Allow diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml index 378bd628c9..15d525473b 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml 
@@ -250,6 +250,17 @@ Resources: Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* + Version: 2012-10-17 + Roles: + - Ref: AWSIAMRoleControllers + - Ref: AWSIAMRoleControlPlane + Type: AWS::IAM::ManagedPolicy + AWSIAMManagedPolicyControllersEKS: + Properties: + Description: For the Kubernetes Cluster API Provider AWS Controllers + ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io + PolicyDocument: + Statement: - Action: - ssm:GetParameter Effect: Allow diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml index f01640e284..5cb5bda599 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml @@ -250,6 +250,17 @@ Resources: Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* + Version: 2012-10-17 + Roles: + - Ref: AWSIAMRoleControllers + - Ref: AWSIAMRoleControlPlane + Type: AWS::IAM::ManagedPolicy + AWSIAMManagedPolicyControllersEKS: + Properties: + Description: For the Kubernetes Cluster API Provider AWS Controllers + ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io + PolicyDocument: + Statement: - Action: - ssm:GetParameter Effect: Allow diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml index 749a9d23c9..cbfd59cb15 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml 
@@ -250,6 +250,17 @@ Resources: Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* + Version: 2012-10-17 + Roles: + - Ref: AWSIAMRoleControllers + - Ref: AWSIAMRoleControlPlane + Type: AWS::IAM::ManagedPolicy + AWSIAMManagedPolicyControllersEKS: + Properties: + Description: For the Kubernetes Cluster API Provider AWS Controllers + ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io + PolicyDocument: + Statement: - Action: - ssm:GetParameter Effect: Allow diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml index d0d38042de..c7f353a02f 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml @@ -255,6 +255,19 @@ Resources: Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* + Version: 2012-10-17 + Roles: + - Ref: AWSIAMRoleControllers + - Ref: AWSIAMRoleControlPlane + Type: AWS::IAM::ManagedPolicy + AWSIAMManagedPolicyControllersEKS: + Properties: + Description: For the Kubernetes Cluster API Provider AWS Controllers + Groups: + - Ref: AWSIAMGroupBootstrapper + ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io + PolicyDocument: + Statement: - Action: - ssm:GetParameter Effect: Allow diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml index 7a10384c38..d0f0b420f5 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml 
@@ -250,6 +250,17 @@ Resources: Effect: Allow Resource: - arn:*:ssm:*:*:parameter/cluster.x-k8s.io/* + Version: 2012-10-17 + Roles: + - Ref: AWSIAMRoleControllers + - Ref: AWSIAMRoleControlPlane + Type: AWS::IAM::ManagedPolicy + AWSIAMManagedPolicyControllersEKS: + Properties: + Description: For the Kubernetes Cluster API Provider AWS Controllers + ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io + PolicyDocument: + Statement: - Action: - ssm:GetParameter Effect: Allow diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/iam.go b/cmd/clusterawsadm/cloudformation/bootstrap/iam.go index 8ac63c8985..3c6665a4a3 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/iam.go +++ b/cmd/clusterawsadm/cloudformation/bootstrap/iam.go @@ -29,7 +29,7 @@ import ( type PolicyName string // ManagedIAMPolicyNames slice of managed IAM policies. -var ManagedIAMPolicyNames = [4]PolicyName{ControllersPolicy, ControlPlanePolicy, NodePolicy, CSIPolicy} +var ManagedIAMPolicyNames = [5]PolicyName{ControllersPolicy, ControllersPolicyEKS, ControlPlanePolicy, NodePolicy, CSIPolicy} // IsValid will check if a given policy name is valid. That is, it will check if the given policy name is // one of the ManagedIAMPolicyNames. @@ -63,10 +63,11 @@ func (t Template) GenerateManagedIAMPolicyDocuments(policyDocDir string) error { func (t Template) policyFunctionMap() map[PolicyName]func() *v1alpha4.PolicyDocument { return map[PolicyName]func() *v1alpha4.PolicyDocument{ - ControlPlanePolicy: t.cloudProviderControlPlaneAwsPolicy, - ControllersPolicy: t.ControllersPolicy, - NodePolicy: t.cloudProviderNodeAwsPolicy, - CSIPolicy: t.csiControllerPolicy, + ControlPlanePolicy: t.cloudProviderControlPlaneAwsPolicy, + ControllersPolicy: t.ControllersPolicy, + ControllersPolicyEKS: t.ControllersPolicyEKS, + NodePolicy: t.cloudProviderNodeAwsPolicy, + CSIPolicy: t.csiControllerPolicy, } } 
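Review bot: `ManagedIAMPolicyNames` and `policyFunctionMap` now list `ControllersPolicyEKS` unconditionally, while `RenderCloudFormation` in this same commit only creates that managed policy when `!t.Spec.EKS.Disable`. If `GenerateManagedIAMPolicyDocuments` iterates this map (its body is outside the hunk), it will presumably emit a controllers-eks policy document for templates that have EKS disabled, and `IsValid` will accept the name for such templates, so the two code paths disagree about which policies exist. Consider mirroring the guard, e.g. building the literal into `m` and then `if !t.Spec.EKS.Disable { m[ControllersPolicyEKS] = t.ControllersPolicyEKS }`, or at least documenting on `ManagedIAMPolicyNames` that the EKS entry is only rendered when EKS is enabled. The fixed-size `[5]PolicyName` array also has to be bumped by hand on every addition; a slice would avoid that.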
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/template.go b/cmd/clusterawsadm/cloudformation/bootstrap/template.go
index c357eedee6..41cdf6c103 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/template.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/template.go
@@ -45,6 +45,7 @@ const (
 AWSIAMRoleEKSFargate = "AWSIAMRoleEKSFargate"
 AWSIAMUserBootstrapper = "AWSIAMUserBootstrapper"
 ControllersPolicy PolicyName = "AWSIAMManagedPolicyControllers"
+ ControllersPolicyEKS PolicyName = "AWSIAMManagedPolicyControllersEKS"
 ControlPlanePolicy PolicyName = "AWSIAMManagedPolicyCloudProviderControlPlane"
 NodePolicy PolicyName = "AWSIAMManagedPolicyCloudProviderNodes"
 CSIPolicy PolicyName = "AWSEBSCSIPolicyController"
@@ -96,6 +97,16 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 Roles: t.controllersPolicyRoleAttachments(),
 }
 
+ if !t.Spec.EKS.Disable {
+ template.Resources[string(ControllersPolicyEKS)] = &cfn_iam.ManagedPolicy{
+ ManagedPolicyName: t.NewManagedName("controllers-eks"),
+ Description: `For the Kubernetes Cluster API Provider AWS Controllers`,
+ PolicyDocument: t.ControllersPolicyEKS(),
+ Groups: t.controllersPolicyGroups(),
+ Roles: t.controllersPolicyRoleAttachments(),
+ }
+ }
+
 if !t.Spec.ControlPlane.DisableCloudProviderPolicy {
 template.Resources[string(ControlPlanePolicy)] = &cfn_iam.ManagedPolicy{
 ManagedPolicyName: t.NewManagedName("control-plane"),
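Review bot: The `Description` of the new `AWSIAMManagedPolicyControllersEKS` resource is identical to the existing controllers policy's ("For the Kubernetes Cluster API Provider AWS Controllers"), so the two managed policies can only be told apart by name in the IAM console and in audit tooling; suggest "For the Kubernetes Cluster API Provider AWS Controllers (EKS)", which would also update the generated fixtures in this commit. The policy is attached through the same `controllersPolicyGroups()` and `controllersPolicyRoleAttachments()` helpers as the controllers policy, which appears to keep the effective permissions of those principals unchanged by the split; that intent is worth a comment above the new `if`, e.g. `// EKS permissions are a separate managed policy (to keep each policy small) attached to the same principals as ControllersPolicy.`. `RenderCloudFormation` starts before the hunk and continues after it.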