KarpenterControllerRole hit AccessDeniedException on missing eks:DescribeCluster permission #3462

Closed
udhos opened this issue Feb 25, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@udhos (Contributor)

udhos commented Feb 25, 2023

Version

Karpenter Version: v0.25.0

Kubernetes Version: v1.25.6-eks-48e63af

Expected Behavior

karpenter pods running

Actual Behavior

karpenter pods crashing on missing permission eks:DescribeCluster in KarpenterControllerRole

eks:DescribeCluster is not mentioned in: https://karpenter.sh/v0.25.0/getting-started/migrating-from-cas/

k get po -n karpenter
NAME                         READY   STATUS             RESTARTS        AGE
karpenter-75d99d7867-fc2qk   0/1     CrashLoopBackOff   7 (2m11s ago)   13m
karpenter-75d99d7867-mbd6m   0/1     CrashLoopBackOff   7 (2m2s ago)    13m
k -n karpenter logs karpenter-75d99d7867-fc2qk
2023-02-25T05:00:29.325Z	DEBUG	Successfully created the logger.
2023-02-25T05:00:29.325Z	DEBUG	Logging level set to: debug
{"level":"info","ts":1677301229.3299422,"logger":"fallback","caller":"injection/injection.go:63","msg":"Starting informers..."}
2023-02-25T05:00:29.430Z	DEBUG	controller	waiting for configmaps	{"commit": "beb0a64-dirty"}
2023-02-25T05:00:29.947Z	DEBUG	controller	waiting for configmaps	{"commit": "beb0a64-dirty"}
2023-02-25T05:00:30.448Z	DEBUG	controller	waiting for configmaps	{"commit": "beb0a64-dirty"}
2023-02-25T05:00:30.949Z	DEBUG	controller	waiting for configmaps	{"commit": "beb0a64-dirty"}
2023-02-25T05:00:31.449Z	DEBUG	controller	waiting for configmaps	{"commit": "beb0a64-dirty"}
2023-02-25T05:00:32.031Z	DEBUG	controller.aws	discovered region	{"commit": "beb0a64-dirty", "region": "us-east-2"}
2023-02-25T05:00:32.076Z	FATAL	controller.aws	unable to detect the cluster endpoint, failed to resolve cluster endpoint, AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/KarpenterControllerRole-eks_toyeks_cluster1/1677301231950505885 is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-2:xxx:cluster/eks_toyeks_cluster1	{"commit": "beb0a64-dirty"}

Steps to Reproduce the Problem

  1. Create a brand new EKS cluster v1.25
  2. Enable karpenter from directions at https://karpenter.sh/v0.25.0/getting-started/migrating-from-cas/
  3. k get po -n karpenter
  4. Adding eks:DescribeCluster to KarpenterControllerRole did fix the crash

Resource Specs and Logs

AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/KarpenterControllerRole-eks_toyeks_cluster1/1677301231950505885 is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-2:xxx:cluster/eks_toyeks_cluster1 {"commit": "beb0a64-dirty"}

@udhos udhos added the bug Something isn't working label Feb 25, 2023
@bwagner5 (Contributor)

bwagner5 commented

I made some updates to the migrating-from-cas getting started guide to include the eks:DescribeCluster permission that was recently introduced in Karpenter v0.25.0. I went ahead and updated the guide to match our regular getting started guide too. For example, matching IAM role names and constrained iam:PassRole permission to the actual node instance profile for a least privileged Karpenter controller role.

Here is the website preview of the docs with the updates from the PR (until that PR gets merged): https://deploy-preview-3463--karpenter-docs-prod.netlify.app/v0.25.0/getting-started/migrating-from-cas/
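The crash above is a pure IAM gap: the controller role built from the old guide never granted eks:DescribeCluster, and the fix in the updated guide is a statement granting it, ideally scoped to the cluster ARN the controller manages, next to an iam:PassRole statement scoped to the node role. The following is an added example written for this issue, not code from Karpenter or the guide: it parses the denied action and resource out of an AccessDeniedException log line, then evaluates them offline against a policy document with a small Action/Resource evaluator (explicit Deny wins, IAM-style `*`/`?` wildcards, case-insensitive action names). The log line, account id, cluster name, role names and both policy documents are constructed placeholders, and POLICY_BEFORE is only an abbreviated sketch of a policy without the EKS permission, not the guide's actual policy.

```python
"""Offline check of a Karpenter controller IAM policy against an
AccessDeniedException: parse the denied action/resource out of the log line
and evaluate it against the policy document. Added example for this issue,
not code from Karpenter; account id, cluster name, role names and policies
are constructed placeholders."""
import re

# Constructed log line modelled on the FATAL line in this issue.
DENIED_LOG_LINE = (
    "AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/"
    "KarpenterControllerRole-cluster1/1677301231950505885 is not authorized "
    "to perform: eks:DescribeCluster on resource: "
    "arn:aws:eks:us-east-2:111122223333:cluster/cluster1"
)

CLUSTER_ARN = "arn:aws:eks:us-east-2:111122223333:cluster/cluster1"
NODE_ROLE_ARN = "arn:aws:iam::111122223333:role/KarpenterNodeRole-cluster1"

# Constructed, abbreviated sketch of a controller policy that lacks
# eks:DescribeCluster (not the guide's real policy, which has more actions).
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:RunInstances",
                       "ssm:GetParameter", "pricing:GetProducts"],
            "Resource": "*",
        },
        # iam:PassRole scoped to the node role rather than "*", so the
        # controller cannot hand an arbitrary privileged role to instances.
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": NODE_ROLE_ARN},
    ],
}

# Same sketch plus the statement that fixes the crash, scoped to one cluster.
POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": POLICY_BEFORE["Statement"] + [
        {"Effect": "Allow", "Action": "eks:DescribeCluster", "Resource": CLUSTER_ARN},
    ],
}

_DENIED_RE = re.compile(
    r"not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(line):
    """Return (action, resource) from an AccessDeniedException message, or None."""
    m = _DENIED_RE.search(line)
    return (m.group("action"), m.group("resource")) if m else None


def _iam_match(pattern, value, ignore_case):
    """IAM-style glob: '*' matches any run, '?' one character.
    Action names are case-insensitive; ARNs are treated as case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy, action, resource):
    """Toy evaluator for Action/Resource statements: explicit Deny wins over
    Allow. NotAction, NotResource and Condition are rejected rather than
    silently misread."""
    allowed = False
    for stmt in policy["Statement"]:
        if {"NotAction", "NotResource", "Condition"} & stmt.keys():
            raise ValueError("unsupported statement element in " + str(sorted(stmt)))
        action_hit = any(_iam_match(a, action, True)
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(r, resource, False)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_grants(policy, required):
    """(action, resource) pairs in `required` that `policy` does not allow."""
    return [(a, r) for a, r in required if not policy_allows(policy, a, r)]


if __name__ == "__main__":
    denied = parse_access_denied(DENIED_LOG_LINE)
    for name, pol in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(name, "missing:", missing_grants(pol, [denied]))
```

The evaluator ignores conditions, permission boundaries, SCPs and resource policies, so treat it as a quick triage aid; the authoritative check for a real role is `aws iam simulate-principal-policy` with the role ARN, `eks:DescribeCluster` and the cluster ARN, which evaluates the same inputs IAM does.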

@el0911

el0911 commented Feb 28, 2023

I am having the same issue and I don't really get your changes.

3 participants