diff --git a/apis/composition.yaml b/apis/composition.yaml
index 1c055a2..6bbbe54 100644
--- a/apis/composition.yaml
+++ b/apis/composition.yaml
@@ -230,7 +230,6 @@ spec:
 "Resource": [
 "arn:aws:ec2:%[1]s::image/*",
 "arn:aws:ec2:%[1]s::snapshot/*",
- "arn:aws:ec2:%[1]s:*:spot-instances-request/*",
 "arn:aws:ec2:%[1]s:*:security-group/*",
 "arn:aws:ec2:%[1]s:*:subnet/*",
 "arn:aws:ec2:%[1]s:*:launch-template/*"
@@ -248,7 +247,8 @@ spec:
 "arn:aws:ec2:%[1]s:*:instance/*",
 "arn:aws:ec2:%[1]s:*:volume/*",
 "arn:aws:ec2:%[1]s:*:network-interface/*",
- "arn:aws:ec2:%[1]s:*:launch-template/*"
+ "arn:aws:ec2:%[1]s:*:launch-template/*",
+ "arn:aws:ec2:%[1]s:*:spot-instances-request/*"
 ],
 "Action": [
 "ec2:RunInstances",
@@ -272,7 +272,8 @@ spec:
 "arn:aws:ec2:%[1]s:*:instance/*",
 "arn:aws:ec2:%[1]s:*:volume/*",
 "arn:aws:ec2:%[1]s:*:network-interface/*",
- "arn:aws:ec2:%[1]s:*:launch-template/*"
+ "arn:aws:ec2:%[1]s:*:launch-template/*",
+ "arn:aws:ec2:%[1]s:*:spot-instances-request/*"
 ],
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -368,7 +369,6 @@ spec:
 "Resource": "%[3]s",
 "Action": [
 "sqs:DeleteMessage",
- "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl",
 "sqs:ReceiveMessage"
 ]
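Review bot: The spot-instances-request ARN added to the ec2:RunInstances statement at @@ -248 (and to the ec2:CreateTags statement at @@ -272) now lives in a Resource list whose Condition block is outside the hunk; if that block keys on aws:RequestTag like the statements elsewhere in this file, a spot launch is authorized only when the RunInstances TagSpecifications also cover the spot-instances-request resource type. That is presumably what the controller does, but it should be confirmed against the launch code before the unconditioned grant removed at @@ -230 is relied on as gone. Since the policy is a JSON string and cannot carry a comment, a YAML comment next to the policy block in the composition such as `# spot-instances-request is tag-scoped: launches must tag that resource type` would record the coupling.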
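Review bot: Dropping sqs:GetQueueAttributes from the statement scoped to %[3]s at @@ -368 narrows the interruption-queue grant to receive/delete, but nothing in the diff shows which controller release stops calling that API; if the deployed version still issues it, the failure surfaces as an AccessDenied at runtime rather than at apply time. Confirm against the controller version this composition pins (outside the hunk) before merging.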
@@ -384,6 +384,68 @@ spec:
 }
 }
 },
+ {
+ "Sid": "AllowScopedInstanceProfileCreationActions",
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": [
+ "iam:CreateInstanceProfile"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/%[2]s": "owned",
+ "aws:RequestTag/topology.kubernetes.io/region": "%[1]s"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*"
+ }
+ }
+ },
+ {
+ "Sid": "AllowScopedInstanceProfileTagActions",
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": [
+ "iam:TagInstanceProfile"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/kubernetes.io/cluster/%[2]s": "owned",
+ "aws:ResourceTag/topology.kubernetes.io/region": "%[1]s",
+ "aws:RequestTag/kubernetes.io/cluster/%[2]s": "owned",
+ "aws:RequestTag/topology.kubernetes.io/region": "%[1]s"
+ },
+ "StringLike": {
+ "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*",
+ "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*"
+ }
+ }
+ },
+ {
+ "Sid": "AllowScopedInstanceProfileActions",
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": [
+ "iam:AddRoleToInstanceProfile",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:DeleteInstanceProfile"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/kubernetes.io/cluster/%[2]s": "owned",
+ "aws:ResourceTag/topology.kubernetes.io/region": "%[1]s"
+ },
+ "StringLike": {
+ "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*"
+ }
+ }
+ },
+ {
+ "Sid": "AllowInstanceProfileReadActions",
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": "iam:GetInstanceProfile"
+ },
 {
 "Sid": "AllowAPIServerEndpointDiscovery",
 "Effect": "Allow",
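Review bot: All four new IAM statements use `"Resource": "*"` although every action they list (iam:CreateInstanceProfile, iam:TagInstanceProfile, iam:AddRoleToInstanceProfile, iam:RemoveRoleFromInstanceProfile, iam:DeleteInstanceProfile, iam:GetInstanceProfile) supports the instance-profile resource type, so `"Resource": "arn:aws:iam::*:instance-profile/*"` would keep the tag conditions intact while narrowing the unconditioned AllowInstanceProfileReadActions statement, which as written lets the controller read any instance profile in the account rather than only instance profiles. iam:AddRoleToInstanceProfile additionally requires iam:PassRole on the role being attached; that grant is not part of this hunk and should exist elsewhere in the policy, ideally limited with the iam:PassedToService condition to ec2.amazonaws.com. The enclosing policy array continues outside the hunk on both sides.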