Start scoping cloudformation permissions
jonathan-innis committed May 26, 2023
1 parent 76bbdaf commit 1ff134e
Showing 1 changed file with 48 additions and 8 deletions.
Expand Up @@ -11,7 +11,7 @@ Resources:
InstanceProfileName: !Sub "KarpenterNodeInstanceProfile-${ClusterName}"
Path: "/"
Roles:
- Ref: "KarpenterNodeRole"
- !Ref "KarpenterNodeRole"
KarpenterNodeRole:
Type: "AWS::IAM::Role"
Properties:
Expand Down Expand Up @@ -39,16 +39,24 @@ Resources:
Version: "2012-10-17"
Statement:
- Effect: Allow
Resource: "*"
Resource:
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}::image/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
Action:
# Write Operations
- ec2:CreateFleet
- ec2:CreateLaunchTemplate
- ec2:CreateTags
- ec2:DeleteLaunchTemplate
- ec2:RunInstances
- ec2:TerminateInstances
# Read Operations
- Effect: Allow
Resource: "*"
Action:
- ec2:DescribeAvailabilityZones
- ec2:DescribeImages
- ec2:DescribeInstances
Expand All @@ -58,8 +66,40 @@ Resources:
- ec2:DescribeSecurityGroups
- ec2:DescribeSpotPriceHistory
- ec2:DescribeSubnets
Condition:
StringEquals:
"ec2:Region": !Sub "${AWS:Region}"
- Effect: Allow
Resource: "*"
Action:
- pricing:GetProducts
- ssm:GetParameter
- Effect: Allow
Resource: !Sub "arn:${AWS::Partition}:ssm:::parameter/aws/service/*"
Action: ssm:GetParameter
- Effect: Allow
Resource: !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:instance/*"
Action: ec2:TerminateInstances
Condition:
StringEquals:
"aws:ResourceTag/karpenter.sh/managed-by": !Sub "${ClusterName}"
- Effect: Allow
Resource: !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:launch-template/*"
Action: ec2:DeleteLaunchTemplate
Condition:
StringEquals:
"aws:ResourceTag/karpenter.k8s.aws/cluster": !Sub "${ClusterName}"
- Effect: Allow
Resource:
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}::image/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*"
- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
Action: ec2:RunInstances
- Effect: Allow
Action:
# Write Operations
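Review bot: The condition value on line 59 is written `${AWS:Region}` with a single colon, whereas the pseudo parameter used in the ARNs above is `${AWS::Region}`; as written the substitution has no valid target, so the template either fails validation or the condition never matches and every `Describe*` read is denied. Even with the colon fixed, `ec2:Region` looks like the wrong key for a `Describe*` statement — as far as I know those calls carry no resource-level region context, and an absent key makes `StringEquals` evaluate false — so the global key is the safer choice: `"aws:RequestedRegion": !Ref AWS::Region`. The new scoped ARNs on lines 66, 69 and 75 omit the region segment (`ec2::${AWS::AccountId}:instance/*`), unlike lines 28–37, so the conditioned `TerminateInstances` and `DeleteLaunchTemplate` grants presumably match nothing; `!Sub "${ClusterName}"` on lines 73 and 79 is also just `!Ref ClusterName`. Note that the scoping only takes effect once the unconditioned grants go: the `ssm:GetParameter` on `Resource: "*"` kept at lines 61–64 makes the parameter-scoped statement at 65–67 redundant, and the same holds if `ec2:TerminateInstances`/`ec2:DeleteLaunchTemplate` remain in the broad first statement. The statement list continues past the end of the hunk, so the new write-operations statement started at lines 92–94 could not be reviewed.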