From 9f8041285ca5924de849857f50d88201c59783c7 Mon Sep 17 00:00:00 2001
From: Manabu Mccloskey <manabu.mccloskey@gmail.com>
Date: Thu, 18 Jan 2024 15:13:11 -0800
Subject: [PATCH 1/2] update iam policy
Signed-off-by: Manabu Mccloskey <manabu.mccloskey@gmail.com>
---
 apis/composition.yaml | 72 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 67 insertions(+), 5 deletions(-)
diff --git a/apis/composition.yaml b/apis/composition.yaml
index 1c055a2..b5f8b89 100644
--- a/apis/composition.yaml
+++ b/apis/composition.yaml
@@ -230,7 +230,6 @@ spec:
 "Resource": [
 "arn:aws:ec2:%[1]s::image/*",
 "arn:aws:ec2:%[1]s::snapshot/*",
- "arn:aws:ec2:%[1]s:*:spot-instances-request/*",
 "arn:aws:ec2:%[1]s:*:security-group/*",
 "arn:aws:ec2:%[1]s:*:subnet/*",
 "arn:aws:ec2:%[1]s:*:launch-template/*"
@@ -248,7 +247,8 @@ spec:
 "arn:aws:ec2:%[1]s:*:instance/*",
 "arn:aws:ec2:%[1]s:*:volume/*",
 "arn:aws:ec2:%[1]s:*:network-interface/*",
- "arn:aws:ec2:%[1]s:*:launch-template/*"
+ "arn:aws:ec2:%[1]s:*:launch-template/*",
+ "arn:aws:ec2:%[1]s:*:spot-instances-request/*"
 ],
 "Action": [
 "ec2:RunInstances",
@@ -272,7 +272,8 @@ spec:
 "arn:aws:ec2:%[1]s:*:instance/*",
 "arn:aws:ec2:%[1]s:*:volume/*",
 "arn:aws:ec2:%[1]s:*:network-interface/*",
- "arn:aws:ec2:%[1]s:*:launch-template/*"
+ "arn:aws:ec2:%[1]s:*:launch-template/*",
+ "arn:aws:ec2:%[1]s:*:spot-instances-request/*"
 ],
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -368,7 +369,6 @@ spec:
 "Resource": "%[3]s",
 "Action": [
 "sqs:DeleteMessage",
- "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl",
 "sqs:ReceiveMessage"
 ]
@@ -376,7 +376,7 @@ spec:
 {
 "Sid": "AllowPassingInstanceRole",
 "Effect": "Allow",
- "Resource": "%[5]s",
+ "Resource": "arn:aws:iam::%[4]s:role/KarpenterNodeRole-%[2]s",
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
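Review bot: Removing `sqs:GetQueueAttributes` from the interruption-queue statement in the hunk at `@@ -368` turns any remaining call into a runtime AccessDenied inside the interruption loop rather than a deploy-time failure, so the removal needs to be tied to a controller version that no longer issues that call. I believe the upstream Karpenter controller policy dropped this action in recent revisions, but nothing on the page records which revision this file tracks, and the commit subject says only "update iam policy". If the policy is held in a YAML block scalar, a comment above it (outside this hunk) such as `# Mirrors the upstream Karpenter controller policy for the pinned chart version; update both together` gives the next reviewer a way to verify each removed action. The statement's Sid lies outside the hunk.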
@@ -384,6 +384,68 @@ spec:
 }
 }
 },
+ {
+ "Sid": "AllowScopedInstanceProfileCreationActions",
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": [
+ "iam:CreateInstanceProfile"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/%[2]s": "owned",
+ "aws:RequestTag/topology.kubernetes.io/region": "%[1]s"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*"
+ }
+ }
+ },
+ {
+ "Sid": "AllowScopedInstanceProfileTagActions",
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": [
+ "iam:TagInstanceProfile"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/kubernetes.io/cluster/%[2]s": "owned",
+ "aws:ResourceTag/topology.kubernetes.io/region": "%[1]s",
+ "aws:RequestTag/kubernetes.io/cluster/%[2]s": "owned",
+ "aws:RequestTag/topology.kubernetes.io/region": "%[1]s"
+ },
+ "StringLike": {
+ "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*",
+ "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*"
+ }
+ }
+ },
+ {
+ "Sid": "AllowScopedInstanceProfileActions",
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": [
+ "iam:AddRoleToInstanceProfile",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:DeleteInstanceProfile"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/kubernetes.io/cluster/%[2]s": "owned",
+ "aws:ResourceTag/topology.kubernetes.io/region": "%[1]s"
+ },
+ "StringLike": {
+ "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*"
+ }
+ }
+ },
+ {
+ "Sid": "AllowInstanceProfileReadActions",
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": "iam:GetInstanceProfile"
+ },
 {
 "Sid": "AllowAPIServerEndpointDiscovery",
 "Effect": "Allow",
From 95f7bfa95fb08d16a7054180a1f25f5ae4f1b1b2 Mon Sep 17 00:00:00 2001
From: Manabu Mccloskey <manabu.mccloskey@gmail.com>
Date: Thu, 18 Jan 2024 15:16:40 -0800
Subject: [PATCH 2/2] fix pass role
Signed-off-by: Manabu Mccloskey <manabu.mccloskey@gmail.com>
---
 apis/composition.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
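Review bot: `AllowInstanceProfileReadActions` at the end of the added block grants `iam:GetInstanceProfile` on `"Resource": "*"` with no condition, while the three statements above it are scoped by cluster, region and ec2nodeclass tags. `iam:GetInstanceProfile` accepts a resource-level instance-profile ARN, so the read can at least be confined to this account: `"Resource": "arn:aws:iam::%[4]s:instance-profile/*"`, assuming `%[4]s` is the account ID as the PassRole line earlier in this patch uses it. Whether the read can also carry the same `aws:ResourceTag` conditions depends on whether the controller looks profiles up before they are tagged, so I would confirm that against the controller code before tightening further.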
diff --git a/apis/composition.yaml b/apis/composition.yaml
index b5f8b89..6bbbe54 100644
--- a/apis/composition.yaml
+++ b/apis/composition.yaml
@@ -376,7 +376,7 @@ spec:
 {
 "Sid": "AllowPassingInstanceRole",
 "Effect": "Allow",
- "Resource": "arn:aws:iam::%[4]s:role/KarpenterNodeRole-%[2]s",
+ "Resource": "%[5]s",
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
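Review bot: Restoring `"Resource": "%[5]s"` makes the `iam:PassRole` target entirely whatever the fifth format argument resolves to, and nothing on the page states the contract for that value; a `*` or wildcarded role pattern there would let the controller hand any role in the account to the nodes it launches. The condition body that would bound this (presumably an `iam:PassedToService` check) lies outside the hunk, so the argument's origin and that condition should be reviewed together. If the policy is a YAML block scalar, a comment above it (outside this hunk) such as `# %[5]s must be the ARN of exactly one node role, never a wildcard` records the expectation these two patches went back and forth on.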