Enable to use Karpenter v1 controller policy (backport to 1.29) #373

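--- a/modules/karpenter/controller_iam.tf
+++ b/modules/karpenter/controller_iam.tf
@@ -645,3 +645,395 @@ data "aws_iam_policy_document" "karpenter_controller_v1_beta" {
 actions = ["eks:DescribeCluster"]
 }
 }
+
+resource "aws_iam_role_policy_attachment" "karpenter_controller_v1" {
+count = var.v1 ? 1 : 0
+role = aws_iam_role.karpenter_controller.id
+policy_arn = aws_iam_policy.karpenter_controller_v1[0].arn
+}
+
+resource "aws_iam_policy" "karpenter_controller_v1" {
+count = var.v1 ? 1 : 0
+name = "${var.cluster_config.iam_policy_name_prefix}KarpenterController-v1-${var.cluster_config.name}"
+policy = data.aws_iam_policy_document.karpenter_controller_v1.json
+}
+
+data "aws_iam_policy_document" "karpenter_controller_v1" {
+statement {
+sid = "AllowScopedEC2InstanceAccessActions"
+effect = "Allow"
+
+# tfsec:ignore:aws-iam-no-policy-wildcards
+resources = [
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}::image/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}::snapshot/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:security-group/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:subnet/*",
+]
+
+actions = [
+"ec2:RunInstances",
+"ec2:CreateFleet",
+]
+}
+
+statement {
+sid = "AllowScopedEC2LaunchTemplateAccessActions"
+effect = "Allow"
+
+# tfsec:ignore:aws-iam-no-policy-wildcards
+resources = [
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
+]
+
+actions = [
+"ec2:RunInstances",
+"ec2:CreateFleet",
+]
+
+condition {
+test = "StringEquals"
+variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
+values = ["owned"]
+}
+
+condition {
+test = "StringLike"
+variable = "aws:ResourceTag/karpenter.sh/nodepool"
+values = ["*"]
+}
+}
+
+statement {
+sid = "AllowScopedEC2InstanceActionsWithTags"
+effect = "Allow"
+
+# tfsec:ignore:aws-iam-no-policy-wildcards
+resources = [
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:fleet/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:volume/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:network-interface/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:spot-instances-request/*",
+]
+
+actions = [
+"ec2:RunInstances",
+"ec2:CreateFleet",
+"ec2:CreateLaunchTemplate",
+]
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_config.name}"
+values = ["owned"]
+}
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestTag/eks:eks-cluster-name"
+values = [var.cluster_config.name]
+}
+
+condition {
+test = "StringLike"
+variable = "aws:RequestTag/karpenter.sh/nodepool"
+values = ["*"]
+}
+}
+
+statement {
+sid = "AllowScopedResourceCreationTagging"
+effect = "Allow"
+
+# tfsec:ignore:aws-iam-no-policy-wildcards
+resources = [
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:fleet/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:volume/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:network-interface/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:spot-instances-request/*",
+]
+
+actions = ["ec2:CreateTags"]
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_config.name}"
+values = ["owned"]
+}
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestTag/eks:eks-cluster-name"
+values = [var.cluster_config.name]
+}
+
+condition {
+test = "StringEquals"
+variable = "ec2:CreateAction"
+
+values = [
+"RunInstances",
+"CreateFleet",
+"CreateLaunchTemplate",
+]
+}
+
+condition {
+test = "StringLike"
+variable = "aws:RequestTag/karpenter.sh/nodepool"
+values = ["*"]
+}
+}
+
+statement {
+sid = "AllowScopedResourceTagging"
+effect = "Allow"
+
+# tfsec:ignore:aws-iam-no-policy-wildcards
+resources = ["arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*"]
+actions = ["ec2:CreateTags"]
+
+condition {
+test = "StringEquals"
+variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
+values = ["owned"]
+}
+
+condition {
+test = "StringLike"
+variable = "aws:ResourceTag/karpenter.sh/nodepool"
+values = ["*"]
+}
+
+condition {
+test = "StringEqualsIfExists"
+variable = "aws:RequestTag/eks:eks-cluster-name"
+values = [var.cluster_config.name]
+}
+
+condition {
+test = "ForAllValues:StringEquals"
+variable = "aws:TagKeys"
+values = ["eks:eks-cluster-name", "karpenter.sh/nodeclaim", "Name"]
+}
+}
+
+
+statement {
+sid = "AllowScopedDeletion"
+effect = "Allow"
+
+# tfsec:ignore:aws-iam-no-policy-wildcards
+resources = [
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
+"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
+]
+
+actions = [
+"ec2:TerminateInstances",
+"ec2:DeleteLaunchTemplate",
+]
+
+condition {
+test = "StringEquals"
+variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
+values = ["owned"]
+}
+
+condition {
+test = "StringLike"
+variable = "aws:ResourceTag/karpenter.sh/nodepool"
+values = ["*"]
+}
+}
+
+statement {
+sid = "AllowRegionalReadActions"
+effect = "Allow"
+resources = ["*"]
+
+actions = [
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeImages",
+"ec2:DescribeInstances",
+"ec2:DescribeInstanceTypeOfferings",
+"ec2:DescribeInstanceTypes",
+"ec2:DescribeLaunchTemplates",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeSpotPriceHistory",
+"ec2:DescribeSubnets",
+]
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestedRegion"
+values = [data.aws_region.current.name]
+}
+}
+
+statement {
+sid = "AllowSSMReadActions"
+effect = "Allow"
+resources = ["arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}::parameter/aws/service/*"]
+actions = ["ssm:GetParameter"]
+}
+
+statement {
+sid = "AllowPricingReadActions"
+effect = "Allow"
+resources = ["*"]
+actions = ["pricing:GetProducts"]
+}
+
+statement {
+sid = "AllowInterruptionQueueActions"
+effect = "Allow"
+resources = [aws_sqs_queue.karpenter_interruption.arn]
+
+actions = [
+"sqs:DeleteMessage",
+"sqs:GetQueueUrl",
+"sqs:ReceiveMessage",
+]
+}
+
+statement {
+sid = "AllowPassingInstanceRole"
+effect = "Allow"
+resources = concat([aws_iam_role.karpenter_node.arn], var.additional_node_role_arns)
+actions = ["iam:PassRole"]
+
+condition {
+test = "StringEquals"
+variable = "iam:PassedToService"
+values = ["ec2.amazonaws.com"]
+}
+}
+
+statement {
+sid = "AllowScopedInstanceProfileCreationActions"
+effect = "Allow"
+resources = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*"]
+actions = ["iam:CreateInstanceProfile"]
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_config.name}"
+values = ["owned"]
+}
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestTag/eks:eks-cluster-name"
+values = [var.cluster_config.name]
+}
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestTag/topology.kubernetes.io/region"
+values = [data.aws_region.current.name]
+}
+
+condition {
+test = "StringLike"
+variable = "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass"
+values = ["*"]
+}
+}
+
+statement {
+sid = "AllowScopedInstanceProfileTagActions"
+effect = "Allow"
+resources = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*"]
+actions = ["iam:TagInstanceProfile"]
+
+condition {
+test = "StringEquals"
+variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
+values = ["owned"]
+}
+
+condition {
+test = "StringEquals"
+variable = "aws:ResourceTag/topology.kubernetes.io/region"
+values = [data.aws_region.current.name]
+}
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_config.name}"
+values = ["owned"]
+}
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestTag/eks:eks-cluster-name"
+values = [var.cluster_config.name]
+}
+
+condition {
+test = "StringEquals"
+variable = "aws:RequestTag/topology.kubernetes.io/region"
+values = [data.aws_region.current.name]
+}
+
+condition {
+test = "StringLike"
+variable = "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass"
+values = ["*"]
+}
+
+condition {
+test = "StringLike"
+variable = "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass"
+values = ["*"]
+}
+}
+
+statement {
+sid = "AllowScopedInstanceProfileActions"
+effect = "Allow"
+resources = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*"]
+actions = [
+"iam:AddRoleToInstanceProfile",
+"iam:RemoveRoleFromInstanceProfile",
+"iam:DeleteInstanceProfile",
+]
+
+condition {
+test = "StringEquals"
+variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
+values = ["owned"]
+}
+
+condition {
+test = "StringEquals"
+variable = "aws:ResourceTag/topology.kubernetes.io/region"
+values = [data.aws_region.current.name]
+}
+
+condition {
+test = "StringLike"
+variable = "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass"
+values = ["*"]
+}
+}
+
+statement {
+sid = "AllowInstanceProfileReadActions"
+effect = "Allow"
+resources = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*"]
+actions = ["iam:GetInstanceProfile"]
+}
+
+statement {
+sid = "AllowAPIServerEndpointDiscovery"
+effect = "Allow"
+resources = [var.cluster_config.arn]
+actions = ["eks:DescribeCluster"]
+}
+}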
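Review bot: The two statements with `resources = ["*"]` (AllowRegionalReadActions and AllowPricingReadActions) carry no `# tfsec:ignore:aws-iam-no-policy-wildcards` marker, while every narrower ARN wildcard in the same document does, so the static scan will likely flag the new document on exactly its broadest grants; if these are accepted as upstream-equivalent, mark them with a reason, e.g. `# tfsec:ignore:aws-iam-no-policy-wildcards Describe*/pricing APIs are not resource-scoped; bounded by aws:RequestedRegion`. The attachment `karpenter_controller_v1` is gated on `var.v1`, but the existing v1_beta attachment lies outside this hunk; unless it is gated on `!var.v1`, enabling v1 adds a second policy to the controller role rather than migrating it, and the role then holds the union of both grants, which deserves a comment above the new resource either way. A header comment on the new data source naming the upstream Karpenter release whose controller policy these statements mirror would make future drift between this module and upstream reviewable.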