
[iam-role-for-service-accounts-eks] Karpenter IAM Policy expects a tag #208

Closed
dewjam opened this issue Mar 15, 2022 · 2 comments · Fixed by aws/karpenter-provider-aws#1332

Comments

@dewjam

dewjam commented Mar 15, 2022

Description

When using the iam-role-for-service-accounts-eks module to create the Karpenter Controller IAM policy, a condition is set by default which assumes all resources created by Karpenter have a specific Tag (karpenter.sh/discovery). As a result, you must also supply this Tag in the Karpenter Provisioner spec otherwise Karpenter will not have permissions to manage all the necessary AWS resources. (related to aws/karpenter-provider-aws#1488)

It seems it would be ideal to make this condition configurable and have it default to no condition. This isn't really a bug, so looking for feedback about how this should be handled.

  • Terraform: v1.1.6
  • Provider(s):
      on linux_amd64
      + provider registry.terraform.io/hashicorp/aws v4.4.0
      + provider registry.terraform.io/hashicorp/cloudinit v2.2.0
      + provider registry.terraform.io/hashicorp/helm v2.4.1
      + provider registry.terraform.io/hashicorp/tls v3.1.0
  • Module: iam-role-for-service-accounts-eks, Karpenter IRSA

Reproduction

Steps to reproduce the behavior:

  1. Deploy the Terraform plan from the gist below. This will create an EKS cluster and deploy Karpenter to the cluster.
  2. Deploy the Karpenter provisioner.yaml spec from the gist below.
  3. Create a deployment and scale it up so Karpenter attempts to create new nodes.
  4. Karpenter will fail to launch instances due to permissions problems with the RunInstances action.

https://gist.github.com/dewjam/a17f428dab130a5252b355e5c2c1851b

Expected behavior

We expect Karpenter to be able to execute the RunInstances, TerminateInstances, or DeleteLaunchTemplate actions on resources it creates.

Actual behavior

By default, Karpenter is unable to execute the RunInstances, TerminateInstances, or DeleteLaunchTemplate actions.

Additional Info

You can work around this by including the necessary tags in the provisioner spec.

apiVersion: karpenter.sh/v1alpha5
kind: Provisioner
metadata:
  name: default
spec:
  tags:
    karpenter.sh/discovery: <cluster_name>
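
The tag/condition mismatch this issue describes can be caught before deploying. The check below is an added example, not code from the original issue, the terraform-aws-iam module or Karpenter: it walks an IAM policy document, collects the tag keys each allowed EC2 action is conditioned on, and reports which of those keys a Provisioner's spec.tags does not set. The policy fragment is constructed to mirror the issue (it is not the module's exact policy text), and the check assumes tag conditions use keys of the form aws:ResourceTag/..., aws:RequestTag/... or ec2:ResourceTag/....

```python
import json

# Added example (not the module's or Karpenter's code). CONTROLLER_POLICY is a
# constructed fragment mirroring the issue: EC2 actions are gated on a resource
# tag, so a Provisioner that sets no tags cannot launch or terminate nodes.
CONTROLLER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:DeleteLaunchTemplate"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/karpenter.sh/discovery": "my-cluster"}}},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
  ]
}""")

# Condition-key prefixes that refer to a tag on the resource or request (assumed scope).
TAG_CONDITION_PREFIXES = ("aws:ResourceTag", "aws:RequestTag", "ec2:ResourceTag")

def required_tag_keys(policy: dict) -> dict:
    """Map every allowed action to the set of tag keys its statement's
    Condition block references; an action with no tag condition maps to set()."""
    needed = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        keys = set()
        for operator_values in stmt.get("Condition", {}).values():
            for cond_key in operator_values:
                prefix, _, tag = cond_key.partition("/")
                if prefix in TAG_CONDITION_PREFIXES and tag:
                    keys.add(tag)
        for action in actions:
            needed.setdefault(action, set()).update(keys)
    return needed

def missing_tags(policy: dict, provisioner_tags: dict) -> dict:
    """Return {action: tag keys the Provisioner spec.tags does not set} for each
    action the policy only allows on tagged resources; empty means no gap."""
    gaps = {}
    for action, keys in required_tag_keys(policy).items():
        absent = keys - set(provisioner_tags)
        if absent:
            gaps[action] = absent
    return gaps

if __name__ == "__main__":
    print(missing_tags(CONTROLLER_POLICY, {}))  # the three gated EC2 actions
    print(missing_tags(CONTROLLER_POLICY, {"karpenter.sh/discovery": "my-cluster"}))  # {}
```

An empty Provisioner tag map reproduces the failure from the report; supplying the discovery tag, as in the workaround above, clears every gap.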

@bryantbiggs
Member

thanks for the issue @dewjam - I've re-opened my pull request aws/karpenter-provider-aws#1332 related to this. Once I have a resolution with the karpenter project, we can make the necessary changes to suit (if needed).

@github-actions

github-actions bot commented Nov 8, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 8, 2022