fix(bootstrap): ensure node role and fargate policies are included in IAM permissions

Author: adammw

cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go

@@ -28,6 +28,7 @@ import (
 
 const (
 	eksClusterPolicyName = "AmazonEKSClusterPolicy"
+	eksFargatePolicyName = "AmazonEKSFargatePodExecutionRolePolicy"
 )
 
 func (t Template) controllersPolicyGroups() []string {
@@ -409,6 +410,14 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 		})
 	}
 
+	allowedGetPolicies := append(iamv1.Resources{
+		t.generateAWSManagedPolicyARN(eksClusterPolicyName),
+	}, t.nodeManagedPolicies()...)
+
+	if !t.Spec.EKS.Fargate.Disable {
+		allowedGetPolicies = append(allowedGetPolicies, t.generateAWSManagedPolicyARN(eksFargatePolicyName))
+	}
+
 	statements = append(statements, []iamv1.StatementEntry{
 		{
 			Action: allowedIAMActions,
@@ -421,10 +430,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 			Action: iamv1.Actions{
 				"iam:GetPolicy",
 			},
-			Resource: iamv1.Resources{
-				t.generateAWSManagedPolicyARN(eksClusterPolicyName),
-			},
-			Effect: iamv1.EffectAllow,
+			Resource: allowedGetPolicies,
+			Effect:   iamv1.EffectAllow,
 		},
 		{
 			Action: iamv1.Actions{

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml

@@ -345,6 +345,8 @@ Resources:
           Effect: Allow
           Resource:
           - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+          - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+          - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
         - Action:
           - eks:DescribeCluster
           - eks:ListClusters

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml

@@ -345,6 +345,8 @@ Resources:
           Effect: Allow
           Resource:
           - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+          - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+          - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
         - Action:
           - eks:DescribeCluster
           - eks:ListClusters

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml

@@ -358,6 +358,8 @@ Resources:
           Effect: Allow
           Resource:
           - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+          - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+          - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
         - Action:
           - eks:DescribeCluster
           - eks:ListClusters

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml

@@ -350,6 +350,8 @@ Resources:
           Effect: Allow
           Resource:
           - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+          - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+          - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
         - Action:
           - eks:DescribeCluster
           - eks:ListClusters

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml

@@ -353,6 +353,8 @@ Resources:
           Effect: Allow
           Resource:
           - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+          - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+          - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
         - Action:
           - eks:DescribeCluster
           - eks:ListClusters

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml

@@ -353,6 +353,8 @@ Resources:
           Effect: Allow
           Resource:
           - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+          - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+          - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
         - Action:
           - eks:DescribeCluster
           - eks:ListClusters

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml

@@ -345,6 +345,8 @@ Resources:
           Effect: Allow
           Resource:
           - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+          - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+          - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
         - Action:
           - eks:DescribeCluster
           - eks:ListClusters

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml

@@ -345,6 +345,8 @@ Resources:
           Effect: Allow
           Resource:
           - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+          - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+          - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
         - Action:
           - eks:DescribeCluster
           - eks:ListClusters

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml

@@ -345,6 +345,10 @@ Resources:
           Effect: Allow
           Resource:
           - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+          - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+          - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
+          - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
+          - arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy
         - Action:
           - eks:DescribeCluster
           - eks:ListClusters