fix: Insufficient permissions for karpenter policy when not using karpenter discovery tags on security group #294
Fixes an issue where the policy was not sufficient if you use security group IDs in the Karpenter AWSNodeTemplate instead of relying on discovery tags. Then the security groups weren't tagged, which led to insufficient permissions for Karpenter to launch the node.

Description
Removes the need for the security group to be tagged with the Karpenter discovery tag
for Karpenter to be able to use it when launching an instance.
Motivation and Context
If we create an AWSNodeTemplate like this:
which is perfectly valid according to the Karpenter docs, we will not be able to use the module policy as is, since the security group we are referring to doesn't have the correct discovery tag (since we don't want to use discovery tags).
The change here changes the policy such that this constraint is relaxed. This makes the security group part of the policy behave like the subnet part, which wasn't dependent on the tag being present.
Breaking Changes
No breaking changes, just a little bit more permissive policy.
How Has This Been Tested?
examples/* projects
pre-commit run -a on my pull request
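To make the "tagged-only versus relaxed" distinction concrete, here is an added, illustrative Terraform fragment. It is not the module's actual policy document and not code from the PR; the statement layout, the `var.cluster_name` variable, and the `aws:ResourceTag/karpenter.sh/discovery` condition key are assumptions chosen to mirror the behaviour described above (Karpenter's default discovery tag key is `karpenter.sh/discovery`). The first document shows why an untagged security group referenced by ID is denied; the second shows the relaxed shape that treats security groups like subnets; the third shows an optional narrowing by VPC that keeps the relaxed policy from covering every security group in the account.

```hcl
# Added example, not the module's policy. Assumes var.cluster_name holds
# the EKS cluster name and that Karpenter uses its default discovery tag key.
variable "cluster_name" {
  type = string
}

variable "vpc_id" {
  type        = string
  description = "Assumed: VPC that Karpenter nodes are launched into"
}

# BEFORE: the security-group resource in ec2:RunInstances / ec2:CreateFleet is
# only allowed when the group carries the discovery tag. A security group that
# is referenced by ID in the AWSNodeTemplate but never tagged does not match
# this condition, so the RunInstances call is denied.
data "aws_iam_policy_document" "karpenter_tagged_only" {
  statement {
    sid       = "RunInstancesOnlyTaggedSecurityGroups"
    actions   = ["ec2:RunInstances", "ec2:CreateFleet"]
    resources = ["arn:aws:ec2:*:*:security-group/*"]

    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/karpenter.sh/discovery"
      values   = [var.cluster_name]
    }
  }

  # Subnets are already allowed without a tag condition in this shape.
  statement {
    sid       = "RunInstancesSubnets"
    actions   = ["ec2:RunInstances", "ec2:CreateFleet"]
    resources = ["arn:aws:ec2:*:*:subnet/*"]
  }
}

# AFTER: the tag condition on security groups is dropped, so a security group
# selected by ID works the same way a subnet does. This is more permissive:
# Karpenter's role may now attach any security group in the account.
data "aws_iam_policy_document" "karpenter_relaxed" {
  statement {
    sid     = "RunInstancesAnySecurityGroupOrSubnet"
    actions = ["ec2:RunInstances", "ec2:CreateFleet"]
    resources = [
      "arn:aws:ec2:*:*:security-group/*",
      "arn:aws:ec2:*:*:subnet/*",
    ]
  }
}

# OPTIONAL (assumption, not part of the PR): if the extra permissiveness is a
# concern, ec2:RunInstances supports the ec2:Vpc condition key on security-group
# and subnet resources, so the relaxed statement can be pinned to one VPC
# without requiring the discovery tag.
data "aws_iam_policy_document" "karpenter_relaxed_vpc_scoped" {
  statement {
    sid     = "RunInstancesSecurityGroupsInClusterVpc"
    actions = ["ec2:RunInstances", "ec2:CreateFleet"]
    resources = [
      "arn:aws:ec2:*:*:security-group/*",
      "arn:aws:ec2:*:*:subnet/*",
    ]

    condition {
      test     = "ArnEquals"
      variable = "ec2:Vpc"
      values   = ["arn:aws:ec2:*:*:vpc/${var.vpc_id}"]
    }
  }
}
```

A quick way to check which shape you are running is to read the rendered `aws_iam_policy_document` JSON and look for a `Condition` block on the `security-group/*` resource: if it keys on `aws:ResourceTag/karpenter.sh/discovery`, an AWSNodeTemplate that selects security groups by ID will fail at launch until either the groups are tagged or the condition is removed as in the second document.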