
Missing AWS resource from the GetPolicy permissions during machine pool reconciliation

Open vtremblay opened this issue 4 years ago • 19 comments

/kind bug

What steps did you take and what happened: When deploying an AWSManagedMachinePool in a multi-tenant setup, the CAPA controller is not able to do the machine pool reconciliation. The IAM permission for the "GetPolicy" generated by clusterawsadm does not cover all the needed resources.

Here is an example of the logs:

failed to reconcile machine pool for AWSManagedMachinePool **REDACTED**-pool-0: error ensuring policies are attached: [arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly]: error getting policy arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy: AccessDenied: User: arn:aws:sts::**REDACTED**:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/infra-pipeline-role-session is not authorized to perform: iam:GetPolicy on resource: policy arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\n\tstatus code: 403

It looks like the permission needs to cover AmazonEKSWorkerNodePolicy, AmazonEC2ContainerRegistryReadOnly and AmazonEKS_CNI_Policy.

Anything else you would like to add: The basic roles and permissions were created with clusterawsadm, with the following config:

apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1alpha1
kind: AWSIAMConfiguration
spec:
  eks:
    enable: true
    allowIAMRoleCreation: true # Set to true if you plan to use the EKSEnableIAM feature flag to enable automatic creation of IAM roles
    defaultControlPlaneRole:
      disable: true # Set to false to enable creation of the default control plane role
    managedMachinePool:
      disable: false # Set to false to enable creation of the default node role for managed machine pools
  clusterAPIControllers:
    disabled: false
    trustStatements:
      - Action:
          - "sts:AssumeRole"
        Effect: "Allow"
        Principal:
          AWS:
            - "arn:aws:iam::**REDACTED**:role/my-role-assumer"

The IAM Role "arn:aws:iam::REDACTED:role/my-role-assumer" can be assumed through IRSA and has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/controllers.cluster-api-provider-aws.sigs.k8s.io"
        }
    ]
}

Then the cluster was created with the following AWSClusterRoleIdentity:

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
kind: AWSClusterRoleIdentity
metadata:
  name: infra-pipeline
spec:
  allowedNamespaces: {}
  durationSeconds: 900
  roleARN: arn:aws:iam::**REDACTED**:role/controllers.cluster-api-provider-aws.sigs.k8s.io
  sessionName: infra-pipeline-role-session
  sourceIdentityRef:
    kind: AWSClusterControllerIdentity
    name: default

Environment:

  • Cluster-api-provider-aws version: v0.6.5
  • Kubernetes version: v1.16.15-eks-ad4801

vtremblay, May 06 '21 15:05
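The failure reported above is a resource-scoping gap: the controller role is allowed iam:GetPolicy on some policy ARNs but not on the three AWS-managed EKS node policies the reconciler reads. A quick way to catch that class of mistake before deploying a clusterawsadm-generated policy is to evaluate the policy document offline against the exact (action, resource) pairs the reconciler needs. The following is an added example written for this issue; it is not code from cluster-api-provider-aws or clusterawsadm. The account id 111122223333 and the two example policy documents (a "partial" one that only covers account-owned policies, and a "fixed" one that adds the three managed-policy ARNs) are constructed for illustration, and the evaluator intentionally ignores Condition, NotAction and NotResource, so it is a pre-flight check rather than a replacement for the IAM policy simulator.

```python
import re

# The three AWS-managed policies the AWSManagedMachinePool reconciler reads
# via iam:GetPolicy, taken from the error message in the issue.
REQUIRED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
]


def _iam_glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one
    character, everything else literally (no character classes, unlike fnmatch)."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed(policy: dict, action: str, resource: str) -> bool:
    """True when at least one Allow statement matches the action/resource pair and
    no Deny statement matches it (explicit deny wins). Actions are compared
    case-insensitively, resources case-sensitively, as IAM does. Condition,
    NotAction and NotResource are not evaluated (assumption of this check)."""
    allow = deny = False
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(_iam_glob(a, action.lower()) for a in actions):
            continue
        if not any(_iam_glob(r, resource) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            deny = True
        elif stmt.get("Effect") == "Allow":
            allow = True
    return allow and not deny


def missing_getpolicy_resources(policy: dict, required=REQUIRED_POLICY_ARNS) -> list:
    """Return the required policy ARNs on which iam:GetPolicy is NOT permitted."""
    return [arn for arn in required if not allowed(policy, "iam:GetPolicy", arn)]


# Constructed example: GetPolicy is scoped to policies owned by the (fake)
# account only, so the AWS-managed policies are not covered. This reproduces
# the shape of the AccessDenied in the issue.
PARTIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:GetPolicy"],
            "Resource": ["arn:aws:iam::111122223333:policy/*"],
        }
    ],
}

# Constructed example: the same statement, extended with the three managed
# policy ARNs the reconciler needs, without widening to all of arn:aws:iam::aws:policy/*.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:GetPolicy"],
            "Resource": ["arn:aws:iam::111122223333:policy/*"] + REQUIRED_POLICY_ARNS,
        }
    ],
}

# Constructed example showing that an explicit Deny overrides an Allow.
DENY_OVERRIDES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:GetPolicy",
         "Resource": "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
    ],
}


if __name__ == "__main__":
    for name, pol in [("partial", PARTIAL_POLICY), ("fixed", FIXED_POLICY)]:
        print(name, "missing:", missing_getpolicy_resources(pol))
```

Run it against the JSON that clusterawsadm emits for the controllers role (load it with json.load and pass the dict to missing_getpolicy_resources); an empty list means every ARN in the error message is covered, and a non-empty list names exactly the resources to add.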