Start scoping cloudformation permissions
jonathan-innis committed May 26, 2023
1 parent 76bbdaf commit d7f4de4
Showing 1 changed file with 27 additions and 5 deletions.
@@ -11,7 +11,7 @@ Resources:
InstanceProfileName: !Sub "KarpenterNodeInstanceProfile-${ClusterName}"
Path: "/"
Roles:
- Ref: "KarpenterNodeRole"
- !Ref "KarpenterNodeRole"
KarpenterNodeRole:
Type: "AWS::IAM::Role"
Properties:
@@ -45,9 +45,6 @@ Resources:
- ec2:CreateFleet
- ec2:CreateLaunchTemplate
- ec2:CreateTags
- ec2:DeleteLaunchTemplate
- ec2:RunInstances
- ec2:TerminateInstances
# Read Operations
- ec2:DescribeAvailabilityZones
- ec2:DescribeImages
@@ -59,7 +56,32 @@ Resources:
- ec2:DescribeSpotPriceHistory
- ec2:DescribeSubnets
- pricing:GetProducts
- ssm:GetParameter
- Effect: Allow
Resource: "arn:${AWS::Partition}:ssm:::parameter/aws/service/*"
Action: ssm:GetParameter
- Effect: Allow
Resource: !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:instance/*"
Action: ec2:TerminateInstances
Condition:
StringEquals:
"aws:ResourceTag/karpenter.sh/managed-by": !Sub "${ClusterName}"
- Effect: Allow
Resource: !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:launch-template/*"
Action: ec2:DeleteLaunchTemplate
Condition:
StringEquals:
"aws:ResourceTag/karpenter.k8s.aws/cluster": !Sub "${ClusterName}"
- Effect: Allow
Resource:
- !Sub "arn:${AWS::Partition}:ec2:*::image/*"
- !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:instance/*"
- !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:spot-instances-request/*"
- !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:security-group/*"
- !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:volume/*"
- !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:network-interface/*"
- !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:subnet/*"
- !Sub "arn:${AWS::Partition}:ec2::${AWS::AccountId}:launch-template/*"
Action: ec2:RunInstances
- Effect: Allow
Action:
# Write Operations
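Review bot: The tag condition on the new ec2:TerminateInstances statement (`aws:ResourceTag/karpenter.sh/managed-by`) can be bypassed as long as ec2:CreateTags stays in the unscoped write statement near the top of the policy: the role can first tag any instance in the account with `karpenter.sh/managed-by=${ClusterName}` and then terminate it, so the scope-down is only as strong as the CreateTags grant. Restrict CreateTags to the resources Karpenter creates and gate it on `ec2:CreateAction` (RunInstances/CreateFleet/CreateLaunchTemplate) and/or on `aws:RequestTag/karpenter.sh/managed-by`, as sketched below. Two smaller defects in the new statements: the ssm:GetParameter Resource is a plain string, so `${AWS::Partition}` is never substituted and the ARN will never match (`Resource: !Sub "arn:${AWS::Partition}:ssm:*:*:parameter/aws/service/*"`), and every ec2 instance/launch-template/volume/etc. ARN leaves the region field empty (`ec2::${AWS::AccountId}`), which does not match real resource ARNs of the form `arn:partition:ec2:region:account:instance/id` and will deny RunInstances/TerminateInstances/DeleteLaunchTemplate outright; `ec2:${AWS::Region}:${AWS::AccountId}` is the form to use. The statement that currently grants ec2:CreateTags and its Resource field are outside this hunk, so the bypass assumes that grant is still on `"*"`.
```yaml
# … unchanged: scoped TerminateInstances / DeleteLaunchTemplate / RunInstances statements …
- Effect: Allow
  Resource:
    - !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
    - !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*"
    - !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
    - !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
    - !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*"
  Action: ec2:CreateTags
  Condition:
    StringEquals:
      # Tags may only be attached as part of creating the resource, never after the fact.
      "ec2:CreateAction":
        - RunInstances
        - CreateFleet
        - CreateLaunchTemplate
      "aws:RequestTag/karpenter.sh/managed-by": !Sub "${ClusterName}"
```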
