
[Karpenter] Cannot configure node role policy in KarpenterAddOn

Open Shellmode opened this issue 2 years ago • 7 comments

Describe the feature

Since the policies of the node role and the service account are hardcoded, there is no way to configure the policy of nodes created by Karpenter in cdk-eks-blueprints.

I can only modify the policy in another way, which is not so IaC.

Use Case

Define policy of nodes created by Karpenter as needed.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request

CDK version used

2.105.0

EKS Blueprints Version

No response

Node.js Version

v20.9.0

Environment details (OS name and version, etc.)

MacOS 14.1.2 (23B92)

Shellmode, Dec 17 '23 07:12

@youngjeong46 please take a look when you get a chance and let me know on the LOE.

shapirov103, Dec 18 '23 18:12

@Shellmode I'm trying to understand this better.

  1. There are two roles in question - Node Role that gets attached to the Karpenter nodes, and the role for the controller that gets attached to the service account, and which the karpenter controller uses to provision instances. Are you trying to replace both with your custom roles? What would be the reasoning?
  2. Would your ideal feature here be to 1/ provide additional policy on top of what is being generated, or 2/ provide a new role all together (which you as a user would manage to make sure it has the minimal required policy to operate Karpenter functionally)?

youngjeong46, Mar 01 '24 15:03

> @Shellmode I'm trying to understand this better.
>
>   1. There are two roles in question - Node Role that gets attached to the Karpenter nodes, and the role for the controller that gets attached to the service account, and which the karpenter controller uses to provision instances. Are you trying to replace both with your custom roles? What would be the reasoning?
>
>   2. Would your ideal feature here be to 1/ provide additional policy on top of what is being generated, or 2/ provide a new role all together (which you as a user would manage to make sure it has the minimal required policy to operate Karpenter functionally)?

First question: the role of the nodes which are scaled in or out by Karpenter.

It's a common situation that worker nodes (which Karpenter scales in or out) need various permissions to finish their tasks.

Second question: I think an additional policy will be better, because developers always focus on the permissions and don't want to define another role resource.

Shellmode, Mar 07 '24 00:03

+1. Hitting this now when trying to configure CloudwatchInsightsAddon with Karpenter. There is no easy way to configure the extra permissions needed. Ideally, I just want to either pass in the extra policies, or have the role exposed from the add-on so that I can add to it after creation.

jsamuel1, Mar 27 '24 19:03

https://github.com/aws-quickstart/cdk-eks-blueprints/blob/7869d39fd088fc54e5b82815cb292c7ed92209b3/lib/addons/karpenter/index.ts#L700-L711

The Karpenter add-on creates the node role with a fixed logical name, karpenter-node-role. You can use clusterInfo.cluster.node.findChild('karpenter-node-role') as iam.IRole to refer to the node IAM role created by the Karpenter add-on. After fetching the role you can add a policy with attachInlinePolicy("your-policy") or add a managed policy.

yubingjiaocn, Jun 12 '24 06:06
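The node role fetched by construct id above is shared by every pod on every Karpenter-launched node, so whatever is attached to it is reachable by any workload that can talk to the instance metadata service. The following is an added example, not code from cdk-eks-blueprints or from anyone in this thread: a pre-attach check that rejects over-broad grants (wildcard actions, mutating actions on `Resource "*"` without a Condition, unconditioned `iam:PassRole`/`sts:AssumeRole`) before the document is applied to `karpenter-node-role`. The two policy documents, the account id, region and log-group prefix are constructed for the example; the rules encode one reasonable least-privilege bar and are not a project standard. It runs without aws-cdk-lib; the CDK wiring is described after the block.

```typescript
// Added example (not from cdk-eks-blueprints). Checks an IAM policy document
// for over-broad grants before it is attached to the shared Karpenter node
// role, where every pod on every Karpenter-launched node can use it through
// the instance profile. Runs stand-alone without aws-cdk-lib.

type IamStatement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};

type IamPolicyDocument = { Version: "2012-10-17"; Statement: IamStatement[] };

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// Read-only verbs are tolerated on Resource "*" because many Describe/List/Get
// calls support no resource-level scoping at all.
const READ_ONLY_ACTION = /^[a-z0-9-]+:(Describe|List|Get)[A-Za-z]*$/;

// Actions that let a pod pivot to another identity; these need a Condition.
const PIVOT_ACTIONS = new Set(["iam:PassRole", "sts:AssumeRole"]);

/** Returns one finding per over-broad grant; an empty array means the document passed. */
function findOverbroadGrants(doc: IamPolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    const sid = stmt.Sid ?? `Statement[${i}]`;
    const actions = asList(stmt.Action);
    const onAnyResource = asList(stmt.Resource).includes("*");
    const hasCondition = stmt.Condition !== undefined;

    for (const action of actions) {
      if (action === "*" || action.endsWith(":*")) {
        findings.push(`${sid}: wildcard action ${action}`);
      } else if (onAnyResource && !hasCondition && !READ_ONLY_ACTION.test(action)) {
        findings.push(`${sid}: ${action} on Resource "*" without a Condition`);
      }
    }
    if (actions.some((a) => PIVOT_ACTIONS.has(a)) && !hasCondition) {
      findings.push(`${sid}: iam:PassRole/sts:AssumeRole without a Condition`);
    }
  });
  return findings;
}

/** Throws with every finding, so `cdk synth` fails before anything is attached. */
function assertLeastPrivilege(doc: IamPolicyDocument): IamPolicyDocument {
  const findings = findOverbroadGrants(doc);
  if (findings.length > 0) {
    throw new Error(`refusing to attach to karpenter-node-role:\n  ${findings.join("\n  ")}`);
  }
  return doc;
}

// Constructed example: log/metric permissions for an agent DaemonSet, scoped to
// one account's log-group prefix and one metric namespace (values are made up).
const scopedNodePolicy: IamPolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "ContainerLogs",
      Effect: "Allow",
      Action: ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
      Resource: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/containerinsights/*",
    },
    {
      Sid: "ContainerMetrics",
      Effect: "Allow",
      Action: "cloudwatch:PutMetricData",
      Resource: "*", // PutMetricData has no resource-level scoping; narrow it by namespace instead
      Condition: { StringEquals: { "cloudwatch:namespace": "ContainerInsights" } },
    },
  ],
};

// Constructed example of what must not land on a role shared by every pod.
const overbroadNodePolicy: IamPolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "AllLogs", Effect: "Allow", Action: "logs:*", Resource: "*" },
    { Sid: "WriteAnywhere", Effect: "Allow", Action: "s3:PutObject", Resource: "*" },
    { Sid: "Pivot", Effect: "Allow", Action: "sts:AssumeRole", Resource: "*" },
  ],
};
```

To wire this into the workaround from the thread inside a CDK stack (assuming the add-on still registers the role under that construct id): `const nodeRole = clusterInfo.cluster.node.tryFindChild('karpenter-node-role');`, then `if (!(nodeRole instanceof iam.Role)) throw new Error('karpenter-node-role not found; check the add-on version');`, then `for (const stmt of assertLeastPrivilege(scopedNodePolicy).Statement) nodeRole.addToPrincipalPolicy(iam.PolicyStatement.fromJson(stmt));`. `tryFindChild` returns `undefined` instead of throwing, and the `instanceof` guard replaces the unchecked `as iam.IRole` cast, so an add-on upgrade that renames the construct fails the synth with a message that names the cause. Note that `attachInlinePolicy` takes an `iam.Policy` object rather than a string: `nodeRole.attachInlinePolicy(new iam.Policy(scope, 'KarpenterNodeExtras', { document: iam.PolicyDocument.fromJson(scopedNodePolicy) }))` is the single-policy form. Keep IMDSv2 required with a hop limit of 1 in the EC2NodeClass metadata options (Karpenter's default), which stops pods in the pod network from reaching the node credentials at all; permissions a particular workload needs belong on an IRSA or Pod Identity role, and only what the node itself needs (logging and metrics agents, the kubelet) belongs on the node role.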

> The Karpenter add-on creates the node role with a fixed logical name, karpenter-node-role. You can use clusterInfo.cluster.node.findChild('karpenter-node-role') as iam.IRole to refer to the node IAM role created by the Karpenter add-on. After fetching the role you can add a policy with attachInlinePolicy("your-policy") or add a managed policy.

If this logical name is fixed, can we document the recommended way in the KarpenterAddon docs?

jsamuel1, Jun 13 '24 10:06

@yubingjiaocn thanks for providing the workaround, I'll try that to make the system more IaC.

Shellmode, Jun 16 '24 05:06