
[EKS] [request]: "patch" permissions for pods resource in aws-node clusterrole #1940

Closed
mijndert opened this issue Jan 25, 2023 · 2 comments
Labels
EKS Add-Ons EKS Networking EKS Networking related issues EKS Amazon Elastic Kubernetes Service Proposed Community submitted issue

Comments

@mijndert

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
We are trying to work around this issue: kubernetes/kubernetes#39113
The workaround is to set ANNOTATE_POD_IP: https://github.com/aws/amazon-vpc-cni-k8s#annotate_pod_ip-v193
But that requires patch permissions. We would like to get these permissions so we can use the VPC CNI addon properly.

Which service(s) is this request for?
EKS

Are you currently working around this issue?
We are currently trying to remove the VPC CNI resources and install the Helm chart.

Additional context
None at this time.

Attachments
None at this time.

@mijndert mijndert added the Proposed Community submitted issue label Jan 25, 2023
@mikestef9 mikestef9 added EKS Amazon Elastic Kubernetes Service EKS Add-Ons EKS Networking EKS Networking related issues labels Jan 25, 2023
@mikestef9
Contributor

EKS add-ons now support configuration https://aws.amazon.com/blogs/containers/amazon-eks-add-ons-advanced-configuration/. You can set the ANNOTATE_POD_IP variable with the EKS add-on using configuration now.

See https://github.com/aws/amazon-vpc-cni-k8s/blob/master/charts/aws-vpc-cni/templates/clusterrole.yaml#L17. Setting this env var adds the patch permission.

@jans-jeroen

Thanks for the update.

Previously we ran into the issue where we got the following error: clusterroles.rbac.authorization.k8s.io "aws-node" is forbidden: user "eks:addon-manager" (groups=["system:authenticated"]) is attempting to grant RBAC permissions not currently held: {APIGroups:[""], Resources:["pods"], Verbs:["patch"]}.

However it seems that the eks:addon-manager user was recently linked to the cluster-admin role which resolves this issue!
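The two mechanics in this thread, the add-on configuration that turns on ANNOTATE_POD_IP (and the extra `patch` on `pods` rule the chart's ClusterRole gains) and the RBAC escalation check that rejected `eks:addon-manager` before it held that permission, as an added example. This is not code from the issue, from EKS, or from the aws-vpc-cni project: the rule sets are constructed for illustration (a subset modelled on the chart's clusterrole.yaml), the `eks:addon-manager` permissions "before" are a hypothetical reconstruction from the error message, and the coverage check is a simplified re-implementation of the apiserver's logic (no resourceNames, subresources or nonResourceURLs), not the real one.

```python
"""Added example: EKS vpc-cni add-on configuration for ANNOTATE_POD_IP and a
simplified model of the Kubernetes RBAC escalation check that produced
  clusterroles.rbac.authorization.k8s.io "aws-node" is forbidden: ... is attempting
  to grant RBAC permissions not currently held: {APIGroups:[""], Resources:["pods"], Verbs:["patch"]}
Not project code; rule sets below are constructed for the example."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset


def rule(api_groups, resources, verbs) -> Rule:
    return Rule(frozenset(api_groups), frozenset(resources), frozenset(verbs))


def addon_configuration_values(annotate_pod_ip: bool) -> str:
    """JSON for --configuration-values of `aws eks create-addon`/`update-addon`
    (addon-name vpc-cni). The 'env' key maps to the aws-node container env."""
    return json.dumps({"env": {"ANNOTATE_POD_IP": "true" if annotate_pod_ip else "false"}})


# Constructed subset of what the aws-node ClusterRole always holds.
BASE_AWS_NODE_RULES = [
    rule([""], ["pods", "namespaces"], ["list", "watch", "get"]),
    rule([""], ["nodes"], ["list", "watch", "get"]),
    rule(["crd.k8s.amazonaws.com"], ["eniconfigs"], ["list", "watch", "get"]),
]


def aws_node_rules(annotate_pod_ip: bool) -> list:
    """Rules the chart renders; ANNOTATE_POD_IP adds `patch` on pods because the
    CNI writes the allocated IP as a pod annotation."""
    rules = list(BASE_AWS_NODE_RULES)
    if annotate_pod_ip:
        rules.append(rule([""], ["pods"], ["patch"]))
    return rules


def _covers(held: Rule, group: str, resource: str, verb: str) -> bool:
    """A held rule covers an atomic (group, resource, verb) if each field
    matches exactly or is the '*' wildcard."""
    return (
        ("*" in held.api_groups or group in held.api_groups)
        and ("*" in held.resources or resource in held.resources)
        and ("*" in held.verbs or verb in held.verbs)
    )


def uncovered(held_rules: list, wanted_rules: list) -> list:
    """(group, resource, verb) triples in wanted_rules that no held rule covers.
    Simplified expansion of each wanted rule into atomic triples."""
    missing = []
    for w in wanted_rules:
        for g in w.api_groups:
            for r in w.resources:
                for v in w.verbs:
                    if not any(_covers(h, g, r, v) for h in held_rules):
                        missing.append((g, r, v))
    return missing


def can_grant(granter_rules: list, role_rules: list) -> bool:
    """Escalation check: a user may create/update a ClusterRole only if every
    rule in it is covered by rules the user already holds, or the user has the
    'escalate' verb on clusterroles (the apiserver's explicit bypass)."""
    if any(_covers(h, "rbac.authorization.k8s.io", "clusterroles", "escalate") for h in granter_rules):
        return True
    return not uncovered(granter_rules, role_rules)


# Hypothetical: addon-manager before it was bound to cluster-admin. It could
# manage the ClusterRole object but held only the base aws-node permissions.
ADDON_MANAGER_BEFORE = list(BASE_AWS_NODE_RULES) + [
    rule(["rbac.authorization.k8s.io"], ["clusterroles"], ["create", "update", "patch", "get"]),
]
# cluster-admin is the full wildcard, so it covers any rule.
CLUSTER_ADMIN = [rule(["*"], ["*"], ["*"])]

if __name__ == "__main__":
    print(addon_configuration_values(True))
    print("missing before cluster-admin binding:",
          uncovered(ADDON_MANAGER_BEFORE, aws_node_rules(True)))
    print("grant allowed as cluster-admin:",
          can_grant(CLUSTER_ADMIN, aws_node_rules(True)))
```

The `uncovered` output for the "before" case reproduces the triple in the error message (`""`, `pods`, `patch`); once the granter holds the wildcard, or `escalate`, the same ClusterRole is accepted. The caveat for a practitioner is the flip side of the fix reported above: binding `eks:addon-manager` to cluster-admin resolves the error precisely because the escalation check no longer constrains what an add-on can grant, so add-on configuration values become a path to any cluster permission.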


3 participants