Scope down policies to do tag-based authz
jonathan-innis committed Jun 1, 2023
1 parent d52d192 commit ee2e43f
Showing 4 changed files with 367 additions and 74 deletions.
4 changes: 0 additions & 4 deletions pkg/providers/instance/instance.go
Expand Up @@ -108,10 +108,6 @@ func (p *Provider) Link(ctx context.Context, id, provisionerName string) error {
Key: aws.String(v1alpha5.ManagedByLabelKey),
Value: aws.String(settings.FromContext(ctx).ClusterName),
},
{
Key: aws.String(fmt.Sprintf("kubernetes.io/cluster/%s", settings.FromContext(ctx).ClusterName)),
Value: aws.String("owned"),
},
{
Key: aws.String(v1alpha5.ProvisionerNameLabelKey),
Value: aws.String(provisionerName),
Expand Up @@ -42,25 +42,129 @@ Resources:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowScopedEC2InstanceActions",
"Effect": "Allow",
"Resource": [
"arn:${AWS::Partition}:ec2:${AWS::Region}::image/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
],
"Action": [
"ec2:CreateFleet",
"ec2:CreateLaunchTemplate",
"ec2:CreateTags"
"ec2:RunInstances",
"ec2:CreateFleet"
]
},
{
"Sid": "AllowScopedEC2LaunchTemplateActions",
"Effect": "Allow",
"Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*",
"Action": "ec2:CreateLaunchTemplate",
"Condition": {
"StringEquals": {
"aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
},
"StringLike": {
"aws:RequestTag/karpenter.sh/provisioner-name": "*"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Name",
"karpenter.sh/managed-by",
"karpenter.sh/provisioner-name",
"kubernetes.io/cluster/${ClusterName}",
"karpenter.k8s.aws/cluster"
]
}
}
},
{
"Sid": "AllowScopedEC2InstanceActionsWithTags",
"Effect": "Allow",
"Resource": [
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
],
"Action": [
"ec2:RunInstances",
"ec2:CreateFleet"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
},
"StringLike": {
"aws:RequestTag/karpenter.sh/provisioner-name": "*"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Name",
"karpenter.sh/managed-by",
"karpenter.sh/provisioner-name",
"kubernetes.io/cluster/${ClusterName}"
]
}
}
},
{
"Sid": "AllowScopedResourceTagging",
"Effect": "Allow",
"Resource": [
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:fleet/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
],
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned",
"ec2:CreateAction": [
"RunInstances",
"CreateFleet",
"CreateLaunchTemplate"
]
},
"StringLike": {
"aws:RequestTag/karpenter.sh/provisioner-name": "*"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Name",
"karpenter.sh/managed-by",
"karpenter.sh/provisioner-name",
"kubernetes.io/cluster/${ClusterName}",
"karpenter.k8s.aws/cluster"
]
}
}
},
{
"Sid": "AllowMachineMigrationTagging",
"Effect": "Allow",
"Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned",
"aws:RequestTag/karpenter.sh/managed-by": "${ClusterName}"
},
"StringLike": {
"aws:RequestTag/karpenter.sh/provisioner-name": "*"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"karpenter.sh/provisioner-name",
"karpenter.sh/managed-by"
]
}
}
},
{
"Effect": "Allow",
"Resource": "*",
Expand Down Expand Up @@ -92,6 +196,7 @@ Resources:
"Action": "ssm:GetParameter"
},
{
"Sid": "AllowScopedInstanceTermination",
"Effect": "Allow",
"Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
"Action": "ec2:TerminateInstances",
Expand All @@ -105,6 +210,7 @@ Resources:
}
},
{
"Sid": "AllowScopedLaunchTemplateDeletion",
"Effect": "Allow",
"Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*",
"Action": "ec2:DeleteLaunchTemplate",
Expand All @@ -118,21 +224,7 @@ Resources:
}
},
{
"Effect": "Allow",
"Resource": [
"arn:${AWS::Partition}:ec2:${AWS::Region}::image/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:spot-instances-request/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*",
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:launch-template/*"
],
"Action": "ec2:RunInstances"
},
{
"Sid": "AllowInterruptionQueueActions",
"Effect": "Allow",
"Resource": "${KarpenterInterruptionQueue.Arn}",
"Action": [
Expand All @@ -143,11 +235,18 @@ Resources:
]
},
{
"Sid": "AllowPassingInstanceRole",
"Effect": "Allow",
"Resource": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/KarpenterNodeRole-${ClusterName}",
"Action": "iam:PassRole"
"Action": "iam:PassRole",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
},
{
"Sid": "AllowAPIServerEndpointDiscovery",
"Effect": "Allow",
"Resource": "arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/${ClusterName}",
"Action": "eks:DescribeCluster"
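Review bot: The tag conditions in `AllowScopedEC2InstanceActionsWithTags` only take effect if `AllowScopedEC2InstanceActions` no longer lists `fleet/*`, `instance/*`, `volume/*` and `network-interface/*` — IAM ORs Allow statements, so if those four ARNs survive in the unconditional statement an untagged RunInstances or CreateFleet is still permitted and the new statement adds nothing. The rendered view shows those ARNs without a side marker; the hunk counts (7 old-only lines against the 3 visible old action entries) are consistent with them having been removed, but this should be confirmed against the raw diff before merging. With those ARNs under the conditioned statement, every RunInstances and CreateFleet call must carry `kubernetes.io/cluster/${ClusterName}=owned` plus a `karpenter.sh/provisioner-name` key in its TagSpecifications for the instance, volume, network-interface and fleet resource types, otherwise the call is denied for that resource; the launch-template and fleet code that sets TagSpecifications is outside this diff, so confirm it tags all four resource types. Note also that `"aws:RequestTag/karpenter.sh/provisioner-name": "*"` under StringLike only asserts the key is present, not its value, which is adequate for scoping but worth stating in the policy docs.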