
karpenter policy does not work for shared subnets #227

Closed
amkartashov opened this issue Apr 17, 2022 · 2 comments · Fixed by #237

Comments

@amkartashov

Is your request related to a problem? Please describe.

Karpenter policy does not work if EKS is using shared subnets (from another account)

Karpenter fails to execute action ec2:RunInstances because of policy condition restricting subnet resources to be from the same account: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/v4.20.1/modules/iam-role-for-service-accounts-eks/policies.tf#L553

Error from Karpenter controller log: ... UnauthorizedOperation: You are not authorized to perform this operation ..., and I see which operation is not allowed from encoded message:

---
allowed: false
...
context:
  principal:
    id: AROASEFEKOCWDZGYOAICS:1650207580783606011
    arn: arn:aws:sts::ACCOUNTIDHERE:assumed-role/karpenter-stg2022041707544102590000000f/1650207580783606011
  action: ec2:RunInstances
  resource: arn:aws:ec2:eu-west-1:SHAREDACCOUNTIDHERE:subnet/subnet-0169afaec3c59b271

Describe the solution you'd like.

Possible options:

  • allow any account in policy
  • add variable for subnets account id
  • filter by tag maybe?

Describe alternatives you've considered.

I'm going to create the role myself.
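
As an added illustration (not code from this issue or from the terraform-aws-iam module), the following Python models how the subnet resource patterns attached to ec2:RunInstances decide each of the three options listed above: widening to any account, adding an account id variable, or filtering by tag. The account ids, subnet ids, cluster name, the exact shape of the v4.20.1 resource list and the `karpenter.sh/discovery` tag used for the tag option are all assumptions constructed for the example; only the wildcard semantics (`*` and `?`) are those of IAM resource matching.

```python
"""Added example: evaluate IAM-style subnet resource patterns for ec2:RunInstances
against subnets owned by the cluster account, a shared account and an unrelated
account, for each remediation option discussed in the issue.
All account ids, subnet ids and the cluster name are constructed sample values."""
import re
from typing import Dict, Iterable, List, Mapping, Optional


def arn_pattern_matches(pattern: str, arn: str) -> bool:
    """IAM resource matching: '*' matches any run of characters, '?' exactly one.
    Everything else is literal, so escape it before building the regex."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def subnet_resource_patterns(partition: str, account_ids: Iterable[str]) -> List[str]:
    """One subnet resource pattern per account allowed to own subnets.
    Assumed shape of the module's statement, with the account id made a parameter."""
    return [f"arn:{partition}:ec2:*:{acct}:subnet/*" for acct in account_ids]


def statement_allows(resource_patterns: Iterable[str], arn: str,
                     resource_tags: Optional[Mapping[str, str]] = None,
                     required_tags: Optional[Mapping[str, str]] = None) -> bool:
    """Allow only if some resource pattern matches and every required
    aws:ResourceTag condition (StringEquals) is satisfied by the resource's tags."""
    if not any(arn_pattern_matches(p, arn) for p in resource_patterns):
        return False
    tags = resource_tags or {}
    return all(tags.get(key) == value for key, value in (required_tags or {}).items())


# Constructed sample values (placeholders, not real accounts).
CLUSTER_ACCOUNT = "111111111111"   # account running EKS and Karpenter
SHARED_ACCOUNT = "222222222222"    # account that shares subnets into the cluster VPC
OTHER_ACCOUNT = "333333333333"     # unrelated account, should never be reachable
CLUSTER_NAME = "stg"
DISCOVERY_TAG = "karpenter.sh/discovery"  # assumed tag key for the tag-filter option


def subnet_arn(account_id: str, subnet_id: str) -> str:
    return f"arn:aws:ec2:eu-west-1:{account_id}:subnet/{subnet_id}"


# name -> (ARN, resource tags); tags are constructed for the example
SUBNETS: Dict[str, tuple] = {
    "own": (subnet_arn(CLUSTER_ACCOUNT, "subnet-0aaaaaaaaaaaaaaaa"), {DISCOVERY_TAG: CLUSTER_NAME}),
    "shared": (subnet_arn(SHARED_ACCOUNT, "subnet-0169afaec3c59b271"), {DISCOVERY_TAG: CLUSTER_NAME}),
    "foreign": (subnet_arn(OTHER_ACCOUNT, "subnet-0bbbbbbbbbbbbbbbb"), {}),
}

# name -> (resource patterns, required tag conditions)
OPTIONS: Dict[str, tuple] = {
    # assumed v4.20.1 behaviour: subnets must live in the caller's own account
    "same_account": (subnet_resource_patterns("aws", [CLUSTER_ACCOUNT]), None),
    # option 1 from the issue: any account; note it also admits OTHER_ACCOUNT
    "any_account": (["arn:aws:ec2:*:*:subnet/*"], None),
    # option 2: a variable listing the accounts that own subnets
    "account_variable": (subnet_resource_patterns("aws", [CLUSTER_ACCOUNT, SHARED_ACCOUNT]), None),
    # option 3: any account, but only subnets tagged for this cluster
    "tag_filter": (["arn:aws:ec2:*:*:subnet/*"], {DISCOVERY_TAG: CLUSTER_NAME}),
}


def evaluate(option: str) -> Dict[str, bool]:
    """Return, per sample subnet, whether RunInstances would be allowed on it."""
    patterns, required = OPTIONS[option]
    return {name: statement_allows(patterns, arn, tags, required)
            for name, (arn, tags) in SUBNETS.items()}


if __name__ == "__main__":
    for option in OPTIONS:
        print(f"{option:17s} {evaluate(option)}")
```

Running it shows the trade-off behind the three options: the same-account pattern reproduces the UnauthorizedOperation on the shared subnet, the any-account wildcard fixes it but also admits subnets in unrelated accounts, while an explicit account list or a tag condition admits the shared subnet and nothing else.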

@antonbabenko
Member

This issue has been resolved in version 4.22.0 🎉

@github-actions

github-actions bot commented Nov 8, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 8, 2022