From fc098dc7d30bd6f735d856c5ae25956cb11ca7f7 Mon Sep 17 00:00:00 2001
From: njtran
Date: Thu, 2 Nov 2023 15:01:51 -0700
Subject: [PATCH] remove alpha policy
---
 .../actions/e2e/create-cluster/action.yaml | 18 --
 .../alpha-controller-policy.json | 166 ------------------
 2 files changed, 184 deletions(-)
 delete mode 100644 .github/actions/e2e/create-cluster/alpha-controller-policy.json
diff --git a/.github/actions/e2e/create-cluster/action.yaml b/.github/actions/e2e/create-cluster/action.yaml
index d8a4c096cdf2..492f6d940afe 100644
--- a/.github/actions/e2e/create-cluster/action.yaml
+++ b/.github/actions/e2e/create-cluster/action.yaml
@@ -55,23 +55,6 @@ runs:
 --capabilities CAPABILITY_NAMED_IAM \
 --parameter-overrides "ClusterName=${{ inputs.cluster_name }}" \
 --tags "testing/type=e2e" "testing/cluster=${{ inputs.cluster_name }}" "github.com/run-url=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" "karpenter.sh/discovery=${{ inputs.cluster_name }}"
- - name: deploy alpha instance profile
- shell: bash
- run: |
- aws iam create-instance-profile --instance-profile-name "KarpenterNodeInstanceProfile-${{ inputs.cluster_name }}" --tags Key=testing/type,Value=e2e Key=testing/cluster,Value=${{ inputs.cluster_name }} || true
- aws iam add-role-to-instance-profile --instance-profile-name "KarpenterNodeInstanceProfile-${{ inputs.cluster_name }}" --role-name "KarpenterNodeRole-${{ inputs.cluster_name }}" || true
- - name: deploy alpha policy
- shell: bash
- run: |
- export AWS_PARTITION=aws
- export AWS_REGION=${{ inputs.region }}
- export AWS_ACCOUNT_ID=${{ inputs.account_id }}
- export CLUSTER_NAME=${{ inputs.cluster_name }}
-
- POLICY_DOCUMENT=$(envsubst < .github/actions/e2e/create-cluster/alpha-controller-policy.json)
- POLICY_NAME="KarpenterControllerPolicy-Alpha-${CLUSTER_NAME}"
- echo "Creating policy $POLICY_NAME..."
- aws iam create-policy --policy-name "$POLICY_NAME" --policy-document "$POLICY_DOCUMENT" || true
 - name: create or upgrade cluster
 shell: bash
 run: |
@@ -119,7 +102,6 @@ runs:
 namespace: karpenter
 attachPolicyARNs:
 - "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicy-${{ inputs.cluster_name }}"
- - "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicy-Alpha-${{ inputs.cluster_name }}"
 permissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
 roleName: karpenter-irsa-${{ inputs.cluster_name }}
 roleOnly: true
diff --git a/.github/actions/e2e/create-cluster/alpha-controller-policy.json b/.github/actions/e2e/create-cluster/alpha-controller-policy.json
deleted file mode 100644
index 54b7903ab5d1..000000000000
--- a/.github/actions/e2e/create-cluster/alpha-controller-policy.json
+++ /dev/null
@@ -1,166 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowScopedEC2InstanceActions",
- "Effect": "Allow",
- "Resource": [
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}::image/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}::snapshot/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:spot-instances-request/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:security-group/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:subnet/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
- ],
- "Action": [
- "ec2:RunInstances",
- "ec2:CreateFleet"
- ]
- },
- {
- "Sid": "AllowScopedEC2InstanceActionsWithTags",
- "Effect": "Allow",
- "Resource": [
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:fleet/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:volume/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:network-interface/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
- ],
- "Action": [
- "ec2:RunInstances",
- "ec2:CreateFleet",
- "ec2:CreateLaunchTemplate"
- ],
- "Condition": {
- "StringEquals": {
- "aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned"
- },
- "StringLike": {
- "aws:RequestTag/karpenter.sh/provisioner-name": "*"
- }
- }
- },
- {
- "Sid": "AllowScopedResourceCreationTagging",
- "Effect": "Allow",
- "Resource": [
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:fleet/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:volume/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:network-interface/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
- ],
- "Action": "ec2:CreateTags",
- "Condition": {
- "StringEquals": {
- "aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned",
- "ec2:CreateAction": [
- "RunInstances",
- "CreateFleet",
- "CreateLaunchTemplate"
- ]
- },
- "StringLike": {
- "aws:RequestTag/karpenter.sh/provisioner-name": "*"
- }
- }
- },
- {
- "Sid": "AllowMachineMigrationTagging",
- "Effect": "Allow",
- "Resource": "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
- "Action": "ec2:CreateTags",
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned",
- "aws:RequestTag/karpenter.sh/managed-by": "${CLUSTER_NAME}"
- },
- "StringLike": {
- "aws:RequestTag/karpenter.sh/provisioner-name": "*"
- },
- "ForAllValues:StringEquals": {
- "aws:TagKeys": [
- "karpenter.sh/provisioner-name",
- "karpenter.sh/managed-by"
- ]
- }
- }
- },
- {
- "Sid": "AllowScopedDeletion",
- "Effect": "Allow",
- "Resource": [
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
- "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
- ],
- "Action": [
- "ec2:TerminateInstances",
- "ec2:DeleteLaunchTemplate"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned"
- },
- "StringLike": {
- "aws:ResourceTag/karpenter.sh/provisioner-name": "*"
- }
- }
- },
- {
- "Sid": "AllowRegionalReadActions",
- "Effect": "Allow",
- "Resource": "*",
- "Action": [
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeImages",
- "ec2:DescribeInstances",
- "ec2:DescribeInstanceTypeOfferings",
- "ec2:DescribeInstanceTypes",
- "ec2:DescribeLaunchTemplates",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSpotPriceHistory",
- "ec2:DescribeSubnets"
- ],
- "Condition": {
- "StringEquals": {
- "aws:RequestedRegion": "${AWS_REGION}"
- }
- }
- },
- {
- "Sid": "AllowSSMReadActions",
- "Effect": "Allow",
- "Resource": "arn:${AWS_PARTITION}:ssm:${AWS_REGION}::parameter/aws/service/*",
- "Action": "ssm:GetParameter"
- },
- {
- "Sid": "AllowPricingReadActions",
- "Effect": "Allow",
- "Resource": "*",
- "Action": "pricing:GetProducts"
- },
- {
- "Sid": "AllowInterruptionQueueActions",
- "Effect": "Allow",
- "Resource": "arn:aws:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:${CLUSTER_NAME}",
- "Action": [
- "sqs:DeleteMessage",
- "sqs:GetQueueAttributes",
- "sqs:GetQueueUrl",
- "sqs:ReceiveMessage"
- ]
- },
- {
- "Sid": "AllowPassingInstanceRole",
- "Effect": "Allow",
- "Resource": "arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME}",
- "Action": "iam:PassRole",
- "Condition": {
- "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
- }
- }
- }
- ]
-}