Karpenter policy has limited iam:PassRole #276

Closed
1 task done
mehraneftekhari99 opened this issue Oct 9, 2023 · 1 comment

Labels
question Further information is requested

Comments

@mehraneftekhari99

  • ✋ I have searched the open/closed issues and my issue is not listed.

Please describe your question here

In the previous version of the blueprints addons, the Karpenter policy included an iam:PassRole section that had a wildcard constraint, but in V5 it has been changed to only allow aws_iam_role.karpenter[0].arn.

karpenter_node_iam_role_arn = try(aws_iam_role.karpenter[0].arn, var.karpenter_node.iam_role_arn, "")

I want to know the rationale for this change, especially since it's not configurable unless creation of IAM resources is done manually. We bumped into this because after the upgrade, nodes couldn't join the cluster and we had to add the PassRole policy section manually to include the on-demand nodes ASG role. (We have one ASG with two nodes, but other nodes are managed by Karpenter.)

"error": "creating machine, creating instance, with fleet error(s), UnauthorizedOperation: You are not authorized to perform this operation.

"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AROAZREDACTED4376624\",\"arn\":\"arn:aws:sts::REDACTED:assumed-role/karpenter-202310REDACTED00008/1696REDACTED624\"},\"action\":\"iam:PassRole\",\"resource\":\"arn:aws:iam::REDACTED:role/abcd-stg-ondemand\",\"conditions\":{\"items\":[{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"eu-central-1\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"role/abcd-stg-ondemand\"}]}},{\"key\":\"iam:RoleName\",\"values\":{\"items\":[{\"value\":\"blabs-stg-ondemand\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"role\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"REDACTED\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:iam::REDACTED:role/abcd-stg-ondemand\"}]}}]}}}"

Please let me know if more information is needed.

@askulkarni2 askulkarni2 added the question Further information is requested label Oct 25, 2023
@bryantbiggs
Contributor

Karpenter should only allow passing the role used by the nodes it creates, which is why this is restricted in this project. There have been a number of changes in the upstream Karpenter project which we are planning to re-align with on the next breaking change. You can track that effort in #286
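To make the restriction concrete, here is an added Terraform example (not the blueprints module's own code) of a PassRole statement scoped the way the maintainer describes, with a hypothetical variable for additional node roles such as the separately managed ASG role mentioned in the question. The variable names and the hypothetical extra-roles list are assumptions; the condition key iam:PassedToService is a real IAM condition key.

```hcl
# Added example, not code from terraform-aws-eks-blueprints-addons.
variable "karpenter_node_iam_role_arn" {
  type        = string
  description = "ARN of the IAM role Karpenter assigns to the nodes it launches"
}

variable "additional_node_iam_role_arns" {
  type        = list(string)
  description = "Hypothetical: extra node role ARNs Karpenter may pass (e.g. an ASG node role)"
  default     = []
}

# The pre-V5 shape allowed Karpenter to pass any role to EC2. Because a node
# inherits whatever role is passed to it, that lets anyone controlling the
# Karpenter controller identity run workloads under any role in the account.
#
#   statement {
#     actions   = ["iam:PassRole"]
#     resources = ["*"]
#   }
#
# Scoping resources to the explicit node role(s) removes that escalation path.
data "aws_iam_policy_document" "karpenter_pass_role" {
  statement {
    sid       = "PassNodeIAMRole"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = concat([var.karpenter_node_iam_role_arn], var.additional_node_iam_role_arns)

    # Karpenter only ever passes a role to EC2 instance launches, so deny the
    # role being passed to any other service even if the ARN list grows.
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "karpenter_pass_role" {
  name   = "karpenter-pass-node-role"
  policy = data.aws_iam_policy_document.karpenter_pass_role.json
}
```

If a node role outside the Karpenter-managed one is genuinely required, adding it to the explicit list keeps the policy auditable: the UnauthorizedOperation DecodedMessage above names the denied role ARN, which is exactly the value that belongs in additional_node_iam_role_arns.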
