From 4da472f4973f042b4b53ddb1d960a15008f578fc Mon Sep 17 00:00:00 2001
From: Jonathan Innis
Date: Thu, 1 Jun 2023 00:17:03 -0700
Subject: [PATCH] Scope down policies to do tag-based authz
---
 pkg/providers/instance/instance.go | 4 -
 .../cloudformation.yaml | 145 ++++++++++++++---
 .../cloudformation.yaml | 147 +++++++++++++---
 .../cloudformation.yaml | 145 ++++++++++++++---
 4 files changed, 367 insertions(+), 74 deletions(-)
diff --git a/pkg/providers/instance/instance.go b/pkg/providers/instance/instance.go
index 53a90aefc473..c82b55b3b5a9 100644
--- a/pkg/providers/instance/instance.go
+++ b/pkg/providers/instance/instance.go
@@ -108,10 +108,6 @@ func (p *Provider) Link(ctx context.Context, id, provisionerName string) error {
 Key: aws.String(v1alpha5.ManagedByLabelKey),
 Value: aws.String(settings.FromContext(ctx).ClusterName),
 },
- {
- Key: aws.String(fmt.Sprintf("kubernetes.io/cluster/%s", settings.FromContext(ctx).ClusterName)),
- Value: aws.String("owned"),
- },
 {
 Key: aws.String(v1alpha5.ProvisionerNameLabelKey),
 Value: aws.String(provisionerName),
diff --git a/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
index f1be525ccb8c..8b4d300af9f4 100644
--- a/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
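Review bot: The tag slice in Link is now silently coupled to the controller IAM policy: the `AllowMachineMigrationTagging` statement added in the same patch allow-lists exactly `karpenter.sh/provisioner-name` and `karpenter.sh/managed-by` under `aws:TagKeys` and requires the target instance to already carry `kubernetes.io/cluster/<cluster>=owned`, which is why the removed `kubernetes.io/cluster/...` entry had to go. Nothing in the code records that constraint, so the next tag added here would surface only as a runtime AccessDenied. Suggest a comment above the tag list: `// Only karpenter.sh/managed-by and karpenter.sh/provisioner-name may be set here: the controller policy (AllowMachineMigrationTagging) allow-lists exactly these keys and requires the instance to already be tagged kubernetes.io/cluster/<name>=owned.` The enclosing Link function starts and ends outside the hunk.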
@@ -42,25 +42,129 @@ Resources:
 "Version": "2012-10-17",
 "Statement": [
 {
+ "Sid": "AllowScopedEC2InstanceActions",
 "Effect": "Allow",
 "Resource": [
 "arn:${AWS::Partition}:ec2:${AWS::Region}::image/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
 ],
 "Action": [
- "ec2:CreateFleet",
- "ec2:CreateLaunchTemplate",
- "ec2:CreateTags"
+ "ec2:RunInstances",
+ "ec2:CreateFleet"
 ]
 },
+ {
+ "Sid": "AllowScopedEC2LaunchTemplateActions",
+ "Effect": "Allow",
+ "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*",
+ "Action": "ec2:CreateLaunchTemplate",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "Name",
+ "karpenter.sh/managed-by",
+ "karpenter.sh/provisioner-name",
+ "kubernetes.io/cluster/${ClusterName}",
+ "karpenter.k8s.aws/cluster"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "AllowScopedEC2InstanceActionsWithTags",
+ "Effect": "Allow",
+ "Resource": [
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
+ ],
+ "Action": [
+ "ec2:RunInstances",
+ "ec2:CreateFleet"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "Name",
+ "karpenter.sh/managed-by",
+ "karpenter.sh/provisioner-name",
+ "kubernetes.io/cluster/${ClusterName}"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "AllowScopedResourceTagging",
+ "Effect": "Allow",
+ "Resource": [
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
+ ],
+ "Action": "ec2:CreateTags",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned",
+ "ec2:CreateAction": [
+ "RunInstances",
+ "CreateFleet",
+ "CreateLaunchTemplate"
+ ]
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "Name",
+ "karpenter.sh/managed-by",
+ "karpenter.sh/provisioner-name",
+ "kubernetes.io/cluster/${ClusterName}",
+ "karpenter.k8s.aws/cluster"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "AllowMachineMigrationTagging",
+ "Effect": "Allow",
+ "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
+ "Action": "ec2:CreateTags",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned",
+ "aws:RequestTag/karpenter.sh/managed-by": "${ClusterName}"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "karpenter.sh/provisioner-name",
+ "karpenter.sh/managed-by"
+ ]
+ }
+ }
+ },
 {
 "Effect": "Allow",
 "Resource": "*",
@@ -92,6 +196,7 @@ Resources:
 "Action": "ssm:GetParameter"
 },
 {
+ "Sid": "AllowScopedInstanceTermination",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
 "Action": "ec2:TerminateInstances",
@@ -105,6 +210,7 @@ Resources:
 }
 },
 {
+ "Sid": "AllowScopedLaunchTemplateDeletion",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*",
 "Action": "ec2:DeleteLaunchTemplate",
@@ -118,21 +224,7 @@ Resources:
 }
 },
 {
- "Effect": "Allow",
- "Resource": [
- "arn:${AWS::Partition}:ec2:${AWS::Region}::image/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
- ],
- "Action": "ec2:RunInstances"
- },
- {
+ "Sid": "AllowInterruptionQueueActions",
 "Effect": "Allow",
 "Resource": "${KarpenterInterruptionQueue.Arn}",
 "Action": [
@@ -143,11 +235,18 @@ Resources:
 ]
 },
 {
+ "Sid": "AllowPassingInstanceRole",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/KarpenterNodeRole-${ClusterName}",
- "Action": "iam:PassRole"
+ "Action": "iam:PassRole",
+ "Condition": {
+ "StringEquals": {
+ "iam:PassedToService": "ec2.amazonaws.com"
+ }
+ }
 },
 {
+ "Sid": "AllowAPIServerEndpointDiscovery",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/${ClusterName}",
 "Action": "eks:DescribeCluster"
diff --git a/website/content/en/v0.26.1/getting-started/getting-started-with-eksctl/cloudformation.yaml b/website/content/en/v0.26.1/getting-started/getting-started-with-eksctl/cloudformation.yaml
index 159ba9813608..8b4d300af9f4 100644
--- a/website/content/en/v0.26.1/getting-started/getting-started-with-eksctl/cloudformation.yaml
+++ b/website/content/en/v0.26.1/getting-started/getting-started-with-eksctl/cloudformation.yaml
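Review bot: `AllowScopedEC2InstanceActions` still grants `ec2:RunInstances` and `ec2:CreateFleet` on `launch-template/*` with no condition, so the controller role can launch from any launch template in the account, not only the ones it creates under `AllowScopedEC2LaunchTemplateActions`, which forces the `kubernetes.io/cluster/${ClusterName}=owned` request tag on creation. Launch templates are the one resource in that list that Karpenter itself tags, and `AllowScopedLaunchTemplateDeletion` already scopes by `aws:ResourceTag/kubernetes.io/cluster/${ClusterName}` on the same resource type, so the launch-from-template path can be scoped the same way: drop `launch-template/*` from the `AllowScopedEC2InstanceActions` resource list and add a statement like the one below. If user-supplied launch templates are meant to remain usable they would have to carry that tag too, which I cannot confirm from the diff. The same applies to the identical hunks in the v0.26.1 and v0.27.5 cloudformation.yaml files.
```yaml
{
  "Sid": "AllowScopedEC2LaunchTemplateAccessActions",
  "Effect": "Allow",
  "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*",
  "Action": [
    "ec2:RunInstances",
    "ec2:CreateFleet"
  ],
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned"
    }
  }
},
# … unchanged: AllowScopedEC2LaunchTemplateActions and the statements that follow …
```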
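Review bot: The new `iam:PassedToService` condition hard-codes `ec2.amazonaws.com` while every resource ARN in the same template is partition-aware through `${AWS::Partition}`; in the aws-cn partition the EC2 service principal is `ec2.amazonaws.com.cn`, so `iam:PassRole` would be denied there and node launches would fail after this otherwise welcome tightening. Since `StringEquals` accepts a list, `"iam:PassedToService": ["ec2.amazonaws.com", "ec2.amazonaws.com.cn"]` keeps the restriction while remaining partition-neutral. The same applies to the matching hunks in the v0.26.1 and v0.27.5 files.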
@@ -42,25 +42,129 @@ Resources:
 "Version": "2012-10-17",
 "Statement": [
 {
+ "Sid": "AllowScopedEC2InstanceActions",
 "Effect": "Allow",
 "Resource": [
 "arn:${AWS::Partition}:ec2:${AWS::Region}::image/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
 ],
 "Action": [
- "ec2:CreateFleet",
- "ec2:CreateLaunchTemplate",
- "ec2:CreateTags"
+ "ec2:RunInstances",
+ "ec2:CreateFleet"
 ]
 },
+ {
+ "Sid": "AllowScopedEC2LaunchTemplateActions",
+ "Effect": "Allow",
+ "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*",
+ "Action": "ec2:CreateLaunchTemplate",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "Name",
+ "karpenter.sh/managed-by",
+ "karpenter.sh/provisioner-name",
+ "kubernetes.io/cluster/${ClusterName}",
+ "karpenter.k8s.aws/cluster"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "AllowScopedEC2InstanceActionsWithTags",
+ "Effect": "Allow",
+ "Resource": [
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
+ ],
+ "Action": [
+ "ec2:RunInstances",
+ "ec2:CreateFleet"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "Name",
+ "karpenter.sh/managed-by",
+ "karpenter.sh/provisioner-name",
+ "kubernetes.io/cluster/${ClusterName}"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "AllowScopedResourceTagging",
+ "Effect": "Allow",
+ "Resource": [
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
+ ],
+ "Action": "ec2:CreateTags",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned",
+ "ec2:CreateAction": [
+ "RunInstances",
+ "CreateFleet",
+ "CreateLaunchTemplate"
+ ]
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "Name",
+ "karpenter.sh/managed-by",
+ "karpenter.sh/provisioner-name",
+ "kubernetes.io/cluster/${ClusterName}",
+ "karpenter.k8s.aws/cluster"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "AllowMachineMigrationTagging",
+ "Effect": "Allow",
+ "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
+ "Action": "ec2:CreateTags",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned",
+ "aws:RequestTag/karpenter.sh/managed-by": "${ClusterName}"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "karpenter.sh/provisioner-name",
+ "karpenter.sh/managed-by"
+ ]
+ }
+ }
+ },
 {
 "Effect": "Allow",
 "Resource": "*",
@@ -92,6 +196,7 @@ Resources:
 "Action": "ssm:GetParameter"
 },
 {
+ "Sid": "AllowScopedInstanceTermination",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
 "Action": "ec2:TerminateInstances",
@@ -105,10 +210,11 @@ Resources:
 }
 },
 {
+ "Sid": "AllowScopedLaunchTemplateDeletion",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*",
 "Action": "ec2:DeleteLaunchTemplate",
- "Condition": {
+ "Condition": {
 "StringEquals": {
 "aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned"
 },
@@ -118,21 +224,7 @@ Resources:
 }
 },
 {
- "Effect": "Allow",
- "Resource": [
- "arn:${AWS::Partition}:ec2:${AWS::Region}::image/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
- ],
- "Action": "ec2:RunInstances"
- },
- {
+ "Sid": "AllowInterruptionQueueActions",
 "Effect": "Allow",
 "Resource": "${KarpenterInterruptionQueue.Arn}",
 "Action": [
@@ -143,11 +235,18 @@ Resources:
 ]
 },
 {
+ "Sid": "AllowPassingInstanceRole",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/KarpenterNodeRole-${ClusterName}",
- "Action": "iam:PassRole"
+ "Action": "iam:PassRole",
+ "Condition": {
+ "StringEquals": {
+ "iam:PassedToService": "ec2.amazonaws.com"
+ }
+ }
 },
 {
+ "Sid": "AllowAPIServerEndpointDiscovery",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/${ClusterName}",
 "Action": "eks:DescribeCluster"
diff --git a/website/content/en/v0.27.5/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.27.5/getting-started/getting-started-with-karpenter/cloudformation.yaml
index f1be525ccb8c..8b4d300af9f4 100644
--- a/website/content/en/v0.27.5/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/v0.27.5/getting-started/getting-started-with-karpenter/cloudformation.yaml
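Review bot: This tightened policy is copied verbatim into the guides for already-released versions (the post-image blob `8b4d300af9f4` is the same for all three files), but the controller builds those guides describe predate the instance.go change in this same patch, so their tagging calls were never written against these allow-lists. Any `ec2:CreateTags` those releases issue with keys outside the `aws:TagKeys` sets in `AllowScopedResourceTagging` and `AllowMachineMigrationTagging`, or outside the `ec2:CreateAction` list, would start returning AccessDenied for users who update the CloudFormation stack without upgrading the controller; I cannot tell from the diff whether such calls exist, so it is worth verifying against each published version before backporting. A one-line note in the v0.26.1 and v0.27.5 guide text stating the minimum controller version the policy was validated with would make the dependency explicit. The v0.27.5 section that follows has the same concern.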
@@ -42,25 +42,129 @@ Resources:
 "Version": "2012-10-17",
 "Statement": [
 {
+ "Sid": "AllowScopedEC2InstanceActions",
 "Effect": "Allow",
 "Resource": [
 "arn:${AWS::Partition}:ec2:${AWS::Region}::image/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
 ],
 "Action": [
- "ec2:CreateFleet",
- "ec2:CreateLaunchTemplate",
- "ec2:CreateTags"
+ "ec2:RunInstances",
+ "ec2:CreateFleet"
 ]
 },
+ {
+ "Sid": "AllowScopedEC2LaunchTemplateActions",
+ "Effect": "Allow",
+ "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*",
+ "Action": "ec2:CreateLaunchTemplate",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "Name",
+ "karpenter.sh/managed-by",
+ "karpenter.sh/provisioner-name",
+ "kubernetes.io/cluster/${ClusterName}",
+ "karpenter.k8s.aws/cluster"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "AllowScopedEC2InstanceActionsWithTags",
+ "Effect": "Allow",
+ "Resource": [
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
+ ],
+ "Action": [
+ "ec2:RunInstances",
+ "ec2:CreateFleet"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "Name",
+ "karpenter.sh/managed-by",
+ "karpenter.sh/provisioner-name",
+ "kubernetes.io/cluster/${ClusterName}"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "AllowScopedResourceTagging",
+ "Effect": "Allow",
+ "Resource": [
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
+ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
+ ],
+ "Action": "ec2:CreateTags",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned",
+ "ec2:CreateAction": [
+ "RunInstances",
+ "CreateFleet",
+ "CreateLaunchTemplate"
+ ]
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "Name",
+ "karpenter.sh/managed-by",
+ "karpenter.sh/provisioner-name",
+ "kubernetes.io/cluster/${ClusterName}",
+ "karpenter.k8s.aws/cluster"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "AllowMachineMigrationTagging",
+ "Effect": "Allow",
+ "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
+ "Action": "ec2:CreateTags",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned",
+ "aws:RequestTag/karpenter.sh/managed-by": "${ClusterName}"
+ },
+ "StringLike": {
+ "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "karpenter.sh/provisioner-name",
+ "karpenter.sh/managed-by"
+ ]
+ }
+ }
+ },
 {
 "Effect": "Allow",
 "Resource": "*",
@@ -92,6 +196,7 @@ Resources:
 "Action": "ssm:GetParameter"
 },
 {
+ "Sid": "AllowScopedInstanceTermination",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
 "Action": "ec2:TerminateInstances",
@@ -105,6 +210,7 @@ Resources:
 }
 },
 {
+ "Sid": "AllowScopedLaunchTemplateDeletion",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*",
 "Action": "ec2:DeleteLaunchTemplate",
@@ -118,21 +224,7 @@ Resources:
 }
 },
 {
- "Effect": "Allow",
- "Resource": [
- "arn:${AWS::Partition}:ec2:${AWS::Region}::image/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*",
- "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
- ],
- "Action": "ec2:RunInstances"
- },
- {
+ "Sid": "AllowInterruptionQueueActions",
 "Effect": "Allow",
 "Resource": "${KarpenterInterruptionQueue.Arn}",
 "Action": [
@@ -143,11 +235,18 @@ Resources:
 ]
 },
 {
+ "Sid": "AllowPassingInstanceRole",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/KarpenterNodeRole-${ClusterName}",
- "Action": "iam:PassRole"
+ "Action": "iam:PassRole",
+ "Condition": {
+ "StringEquals": {
+ "iam:PassedToService": "ec2.amazonaws.com"
+ }
+ }
 },
 {
+ "Sid": "AllowAPIServerEndpointDiscovery",
 "Effect": "Allow",
 "Resource": "arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/${ClusterName}",
 "Action": "eks:DescribeCluster"