Tighten IAM permissions around deletion #4159

johngmyers · 2023-06-28T23:54:05Z

What problem are you trying to solve?

Reduce the scope of Karpenter's IAM permissions to the minimum needed.

The example IAM permissions for KarpenterControllerPolicy grant Karpenter to terminate any instance and delete any launch template in the account.

These permissions should have conditions limiting them to instances and launch templates that are tagged by Karpenter as belonging to the cluster.

How important is this feature to you?

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

jonathan-innis · 2023-06-29T00:34:51Z

These permissions should have conditions limiting them to instances and launch templates that are tagged by Karpenter as belonging to the cluster.

This template was recently updated to scope these permissions more like you suggest.

jonathan-innis · 2023-06-30T17:06:59Z

Closing this since the new CF template now only allows Karpenter to delete instances that contain these set of tag keys.

johngmyers added the feature New feature or request label Jun 28, 2023

jonathan-innis added question Further information is requested and removed feature New feature or request labels Jun 29, 2023

jonathan-innis closed this as completed Jun 30, 2023

Provide feedback