From 9f8041285ca5924de849857f50d88201c59783c7 Mon Sep 17 00:00:00 2001
From: Manabu Mccloskey <manabu.mccloskey@gmail.com>
Date: Thu, 18 Jan 2024 15:13:11 -0800
Subject: [PATCH 1/2] update iam policy

Signed-off-by: Manabu Mccloskey <manabu.mccloskey@gmail.com>
---
 apis/composition.yaml | 72 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 67 insertions(+), 5 deletions(-)

diff --git a/apis/composition.yaml b/apis/composition.yaml
index 1c055a2..b5f8b89 100644
--- a/apis/composition.yaml
+++ b/apis/composition.yaml
@@ -230,7 +230,6 @@ spec:
                             "Resource": [
                               "arn:aws:ec2:%[1]s::image/*",
                               "arn:aws:ec2:%[1]s::snapshot/*",
-                              "arn:aws:ec2:%[1]s:*:spot-instances-request/*",
                               "arn:aws:ec2:%[1]s:*:security-group/*",
                               "arn:aws:ec2:%[1]s:*:subnet/*",
                               "arn:aws:ec2:%[1]s:*:launch-template/*"
@@ -248,7 +247,8 @@ spec:
                               "arn:aws:ec2:%[1]s:*:instance/*",
                               "arn:aws:ec2:%[1]s:*:volume/*",
                               "arn:aws:ec2:%[1]s:*:network-interface/*",
-                              "arn:aws:ec2:%[1]s:*:launch-template/*"
+                              "arn:aws:ec2:%[1]s:*:launch-template/*",
+                              "arn:aws:ec2:%[1]s:*:spot-instances-request/*"
                             ],
                             "Action": [
                               "ec2:RunInstances",
@@ -272,7 +272,8 @@ spec:
                               "arn:aws:ec2:%[1]s:*:instance/*",
                               "arn:aws:ec2:%[1]s:*:volume/*",
                               "arn:aws:ec2:%[1]s:*:network-interface/*",
-                              "arn:aws:ec2:%[1]s:*:launch-template/*"
+                              "arn:aws:ec2:%[1]s:*:launch-template/*",
+                              "arn:aws:ec2:%[1]s:*:spot-instances-request/*"
                             ],
                             "Action": "ec2:CreateTags",
                             "Condition": {
@@ -368,7 +369,6 @@ spec:
                             "Resource": "%[3]s",
                             "Action": [
                               "sqs:DeleteMessage",
-                              "sqs:GetQueueAttributes",
                               "sqs:GetQueueUrl",
                               "sqs:ReceiveMessage"
                             ]
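Review bot: Dropping `sqs:GetQueueAttributes` from the interruption-queue statement (the removed line after `"sqs:DeleteMessage"`) is a least-privilege tightening, but nothing in the hunk shows that the controller no longer calls it; if the deployed Karpenter version still issues GetQueueAttributes, the failure surfaces as an AccessDenied at runtime rather than at apply time. Worth confirming against the upstream Karpenter policy for the version this composition targets and recording that version next to the policy, e.g. a YAML comment above the policy key such as `# IAM policy mirrors Karpenter's upstream controller policy for <karpenter-version>`. The statement's Sid begins outside the hunk; only its Resource `%[3]s` and action list are visible here.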
@@ -376,7 +376,7 @@ spec:
                           {
                             "Sid": "AllowPassingInstanceRole",
                             "Effect": "Allow",
-                            "Resource": "%[5]s",
+                            "Resource": "arn:aws:iam::%[4]s:role/KarpenterNodeRole-%[2]s",
                             "Action": "iam:PassRole",
                             "Condition": {
                               "StringEquals": {
@@ -384,6 +384,68 @@ spec:
                               }
                             }
                           },
+                          {
+                            "Sid": "AllowScopedInstanceProfileCreationActions",
+                            "Effect": "Allow",
+                            "Resource": "*",
+                            "Action": [
+                              "iam:CreateInstanceProfile"
+                            ],
+                            "Condition": {
+                              "StringEquals": {
+                                "aws:RequestTag/kubernetes.io/cluster/%[2]s": "owned",
+                                "aws:RequestTag/topology.kubernetes.io/region": "%[1]s"
+                              },
+                              "StringLike": {
+                                "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*"
+                              }
+                            }
+                          },
+                          {
+                            "Sid": "AllowScopedInstanceProfileTagActions",
+                            "Effect": "Allow",
+                            "Resource": "*",
+                            "Action": [
+                              "iam:TagInstanceProfile"
+                            ],
+                            "Condition": {
+                              "StringEquals": {
+                                "aws:ResourceTag/kubernetes.io/cluster/%[2]s": "owned",
+                                "aws:ResourceTag/topology.kubernetes.io/region": "%[1]s",
+                                "aws:RequestTag/kubernetes.io/cluster/%[2]s": "owned",
+                                "aws:RequestTag/topology.kubernetes.io/region": "%[1]s"
+                              },
+                              "StringLike": {
+                                "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*",
+                                "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*"
+                              }
+                            }
+                          },
+                          {
+                            "Sid": "AllowScopedInstanceProfileActions",
+                            "Effect": "Allow",
+                            "Resource": "*",
+                            "Action": [
+                              "iam:AddRoleToInstanceProfile",
+                              "iam:RemoveRoleFromInstanceProfile",
+                              "iam:DeleteInstanceProfile"
+                            ],
+                            "Condition": {
+                              "StringEquals": {
+                                "aws:ResourceTag/kubernetes.io/cluster/%[2]s": "owned",
+                                "aws:ResourceTag/topology.kubernetes.io/region": "%[1]s"
+                              },
+                              "StringLike": {
+                                "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*"
+                              }
+                            }
+                          },
+                          {
+                            "Sid": "AllowInstanceProfileReadActions",
+                            "Effect": "Allow",
+                            "Resource": "*",
+                            "Action": "iam:GetInstanceProfile"
+                          },
                           {
                             "Sid": "AllowAPIServerEndpointDiscovery",
                             "Effect": "Allow",
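Review bot: The four new instance-profile statements all grant on `"Resource": "*"`, with the mutating ones (`iam:CreateInstanceProfile`, `iam:TagInstanceProfile`, `iam:AddRoleToInstanceProfile`, `iam:RemoveRoleFromInstanceProfile`, `iam:DeleteInstanceProfile`) confined only by request/resource tag conditions and `AllowInstanceProfileReadActions` carrying no condition at all; that is the upstream Karpenter shape, but the composition does not say so, and a reader auditing this policy has no way to tell a deliberate tag-scoped `*` from an oversight. The tag conditions also rely on `%[1]s` being the region and `%[2]s` the cluster name, which is consistent with the `arn:aws:ec2:%[1]s` ARNs and `kubernetes.io/cluster/%[2]s` keys elsewhere in the policy but is stated nowhere. Suggest a YAML comment above the policy key documenting the positional format arguments as far as the policy itself reveals them (`%[1]s` region, `%[2]s` cluster name, `%[3]s` the SQS queue resource, `%[4]s` account id, `%[5]s` the PassRole resource — the last two inferred from patch 1's `arn:aws:iam::%[4]s:role/...` line and the PassRole statement) and noting that the `*` resources on the instance-profile statements are intentionally scoped by tags. The enclosing policy array continues outside the hunk on both sides.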

From 95f7bfa95fb08d16a7054180a1f25f5ae4f1b1b2 Mon Sep 17 00:00:00 2001
From: Manabu Mccloskey <manabu.mccloskey@gmail.com>
Date: Thu, 18 Jan 2024 15:16:40 -0800
Subject: [PATCH 2/2] fix pass role

Signed-off-by: Manabu Mccloskey <manabu.mccloskey@gmail.com>
---
 apis/composition.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apis/composition.yaml b/apis/composition.yaml
index b5f8b89..6bbbe54 100644
--- a/apis/composition.yaml
+++ b/apis/composition.yaml
@@ -376,7 +376,7 @@ spec:
                           {
                             "Sid": "AllowPassingInstanceRole",
                             "Effect": "Allow",
-                            "Resource": "arn:aws:iam::%[4]s:role/KarpenterNodeRole-%[2]s",
+                            "Resource": "%[5]s",
                             "Action": "iam:PassRole",
                             "Condition": {
                               "StringEquals": {
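Review bot: Reverting the `iam:PassRole` Resource to the opaque `%[5]s` placeholder makes the scope of the most sensitive statement in this policy depend entirely on a format argument the hunk does not show, whereas patch 1's `arn:aws:iam::%[4]s:role/KarpenterNodeRole-%[2]s` at least made the intended single-role scope readable in the policy itself. Since this revert lands in the same series, the commit message `fix pass role` should say why the explicit ARN was wrong (presumably the role name is supplied by the caller rather than fixed, but that is inferred), so the next reader does not re-hardcode it. Suggest a YAML comment where the fifth argument is assembled, e.g. `# %[5]s: ARN of the single node role PassRole is limited to; must never be a wildcard`. The statement's `Condition`/`StringEquals` block continues outside the hunk.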