Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
What is the outcome that you are trying to reach?
The Karpenter controller uses an AWS Identity and Access Management (AWS IAM) role to grant the permissions to launch and operate Amazon Elastic Compute Cloud (Amazon EC2) instances in your AWS account. As part of the upgrade to v0.32.X, we need to make changes to the IAM role.
Describe the solution you would like
As part of the upgrade to v0.32.X, I propose creating a new permission policy for the AWS IAM role used by the Karpenter controller. This new policy should include the following changes:
Add the following permissions scoped down to the tag-based constraint "karpenter.sh/nodepool" instead of the previous tag key "karpenter.sh/provisioner-name":
ec2:RunInstances
ec2:CreateFleet
ec2:CreateLaunchTemplate
Grant permissions to the following actions:
iam:CreateInstanceProfile
iam:AddRoleToInstanceProfile
iam:RemoveRoleFromInstanceProfile
iam:DeleteInstanceProfile
iam:GetInstanceProfile
All of these permissions (except for the GetInstanceProfile permission) should be constrained by tag-based policies to ensure that the controller only has permission to operate on instance profiles that it was responsible for creating. These changes are necessary to support the Karpenter-managed instance profiles.
Describe alternatives you have considered
We have not considered any alternative solutions at this time.
Additional context
For more information on the upgrade and migration path, please refer to the Karpenter documentation.
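As an added illustration of the policy shape described under "Describe the solution you would like" (this is not the issue's or the project's own policy document), the fragment below scopes the three EC2 launch actions to requests that carry the karpenter.sh/nodepool tag, scopes instance-profile creation by request tag and the mutating instance-profile actions by resource tag, and leaves iam:GetInstanceProfile unconstrained. The cluster tag key kubernetes.io/cluster/<CLUSTER_NAME> with value owned, used here to tie instance profiles to the controller that created them, and the <CLUSTER_NAME> placeholder are assumptions, since the issue names only the nodepool tag key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowScopedEC2LaunchByNodePoolTag",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateFleet",
        "ec2:CreateLaunchTemplate"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:RequestTag/karpenter.sh/nodepool": "*" }
      }
    },
    {
      "Sid": "AllowScopedInstanceProfileCreation",
      "Effect": "Allow",
      "Action": "iam:CreateInstanceProfile",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/kubernetes.io/cluster/<CLUSTER_NAME>": "owned" }
      }
    },
    {
      "Sid": "AllowScopedInstanceProfileActions",
      "Effect": "Allow",
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/kubernetes.io/cluster/<CLUSTER_NAME>": "owned" }
      }
    },
    {
      "Sid": "AllowInstanceProfileReadActions",
      "Effect": "Allow",
      "Action": "iam:GetInstanceProfile",
      "Resource": "*"
    }
  ]
}
```

An aws:RequestTag condition is only evaluated against resources the call actually tags (instances, volumes, fleets, launch templates), so resources that RunInstances merely references, such as the AMI, subnet, security group and key pair, need a separate statement without a tag condition or the launch is denied. Listing those resource ARN patterns explicitly instead of "*" keeps the tag-scoped statement from being broader than intended.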
We are tracking intermediate changes to support v0.32.x+ of Karpenter in #285 - and then the larger, breaking changes to re-align Karpenter's permissions with the upstream project in #286