eksctl
[Feature] Request for improvements to IAM policies set from the nodeGroups.iam.withAddonPolicies.efs parameter
What feature/behavior/change do you want?
I want to improve the permissions that are set from the nodeGroups.iam.withAddonPolicies.efs parameter. Specifically, isn't it possible to have the same permissions as AmazonEFSCSIDriverPolicy? If not, I want to know why the current permissions are needed.
Why do you want this feature?
This is to minimize unnecessary permissions and make it more secure.
I understand that the nodeGroups.iam.withAddonPolicies.efs parameter is a setting for the IAM policy to use the EFS CSI driver add-on, like the EBS CSI driver (IAM policies - eksctl):
EBS Policy: The ebs policy enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver.
Currently, when the parameter is set to true, the following policies are set on the node's IAM role:
https://github.com/eksctl-io/eksctl/blob/268db7bc5dbef44eec2e83ec689b8d671cc8e71d/pkg/cfn/builder/iam_helper.go#L136-L139
https://github.com/eksctl-io/eksctl/blob/268db7bc5dbef44eec2e83ec689b8d671cc8e71d/pkg/cfn/builder/statement.go#L578-L605
This permission is powerful compared to the AmazonEFSCSIDriverPolicy. For example, other pods on the node can use the elasticfilesystem:DeleteFileSystem permission when the parameter is true.
I open this issue on behalf of our customer.
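As an added example (not from this issue and not eksctl's own code), the following Python audit takes a role's IAM policy document and reports the actions it grants beyond what a workload baseline needs, which is the comparison the issue is asking for. The action catalogue, the baseline (an assumed approximation of AmazonEFSCSIDriverPolicy) and the sample node-role policy are all constructed inline.

```python
"""Audit a node-role IAM policy against a least-privilege baseline. Each
Allow statement's action patterns (IAM '*'/'?' wildcards, case-insensitive)
are expanded over known action names; Deny/NotAction are not modelled."""
import fnmatch
import json
# Constructed catalogue of EFS/EC2 action names to expand wildcards against
# (not exhaustive; a real audit would load the full service action lists).
KNOWN_ACTIONS = [
    "elasticfilesystem:CreateFileSystem", "elasticfilesystem:DeleteFileSystem",
    "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets",
    "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:CreateAccessPoint",
    "elasticfilesystem:DeleteAccessPoint", "elasticfilesystem:TagResource",
    "elasticfilesystem:PutFileSystemPolicy", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeSubnets", "ec2:TerminateInstances",
]
# Assumed approximation of what the EFS CSI driver needs; take the real
# baseline from the managed AmazonEFSCSIDriverPolicy in your account.
CSI_BASELINE = {
    "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems",
    "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:CreateAccessPoint",
    "elasticfilesystem:DeleteAccessPoint", "elasticfilesystem:TagResource",
    "ec2:DescribeAvailabilityZones",
}
# Constructed node-role policy with a wildcard grant, the over-broad shape
# the issue describes (not eksctl's actual statement).
NODE_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticfilesystem:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeSubnets"], "Resource": "*"},
]})

def allowed_actions(policy_json, catalogue=KNOWN_ACTIONS):
    """Return the catalogue actions granted by the policy's Allow statements."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a lone statement need not be a list
        statements = [statements]
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):  # "Action" may be a string or a list
            patterns = [patterns]
        for pattern in patterns:
            granted.update(a for a in catalogue
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted

def excess_actions(policy_json, baseline=CSI_BASELINE):
    """Actions the policy grants that the workload baseline does not need."""
    return sorted(allowed_actions(policy_json) - baseline)
```

Running excess_actions(NODE_ROLE_POLICY) lists elasticfilesystem:DeleteFileSystem among the surplus grants; the same function applied to a policy built from the baseline alone returns an empty list.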
Hello KazuhoShibutani :wave: Thank you for opening an issue in the eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.