Merge pull request #3518 from jalaziz/ebs-irsa-wellknown-policy

Add well-known IAM Role Service Account policy for the EBS CSI driver
eksctl-io · Apr 19, 2021 · 2ff9e67 · 2ff9e67
2 parents d484022 + 09ed438
commit 2ff9e67
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 8 deletions.
diff --git a/examples/13-iamserviceaccounts.yaml b/examples/13-iamserviceaccounts.yaml
@@ -23,6 +23,32 @@ iam:
       namespace: kube-system
     wellKnownPolicies:
       awsLoadBalancerController: true
+  - metadata:
+      name: ebs-csi-controller-sa
+      namespace: kube-system
+    wellKnownPolicies:
+      ebsCSIController: true
+  - metadata:
+      name: external-dns
+      namespace: kube-system
+    wellKnownPolicies:
+      externalDNS: true
+  - metadata:
+      name: cert-manager
+      namespace: cert-manager
+    wellKnownPolicies:
+      certManager: true
+  - metadata:
+      name: cluster-autoscaler
+      namespace: kube-system
+      labels: {aws-usage: "cluster-ops"}
+    wellKnownPolicies:
+      autoScaler: true
+  - metadata:
+      name: build-service
+      namespace: ci-cd
+    wellKnownPolicies:
+      imageBuilder: true
   - metadata:
       name: cache-access
       namespace: backend-apps
@@ -31,9 +57,8 @@ iam:
     - "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess"
     - "arn:aws:iam::aws:policy/AmazonElastiCacheFullAccess"
   - metadata:
-      name: cluster-autoscaler
+      name: autoscaler-service
       namespace: kube-system
-      labels: {aws-usage: "cluster-ops"}
     attachPolicy: # inline policy can be defined along with `attachPolicyARNs`
       Version: "2012-10-17"
       Statement:

diff --git a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
@@ -2013,6 +2013,12 @@
           "x-intellij-html-description": "adds cert-manager policies. See <a href=\"https://cert-manager.io/docs/configuration/acme/dns01/route53\">cert-manager docs</a>.",
           "default": "false"
         },
+        "ebsCSIController": {
+          "type": "boolean",
+          "description": "adds policies for using the ebs-csi-controller. See [aws-ebs-csi-driver docs](https://github.com/kubernetes-sigs/aws-ebs-csi-driver#set-up-driver-permission).",
+          "x-intellij-html-description": "adds policies for using the ebs-csi-controller. See <a href=\"https://github.com/kubernetes-sigs/aws-ebs-csi-driver#set-up-driver-permission\">aws-ebs-csi-driver docs</a>.",
+          "default": "false"
+        },
         "externalDNS": {
           "type": "boolean",
           "description": "adds external-dns policies for Amazon Route 53. See [external-dns docs](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md).",
@@ -2031,7 +2037,8 @@
         "autoScaler",
         "awsLoadBalancerController",
         "externalDNS",
-        "certManager"
+        "certManager",
+        "ebsCSIController"
       ],
       "additionalProperties": false,
       "description": "for attaching common IAM policies",

diff --git a/pkg/apis/eksctl.io/v1alpha5/schema.go b/pkg/apis/eksctl.io/v1alpha5/schema.go
diff --git a/pkg/apis/eksctl.io/v1alpha5/well_known_iam_policy.go b/pkg/apis/eksctl.io/v1alpha5/well_known_iam_policy.go
@@ -18,8 +18,12 @@ type WellKnownPolicies struct {
 	// CertManager adds cert-manager policies. See [cert-manager
 	// docs](https://cert-manager.io/docs/configuration/acme/dns01/route53).
 	CertManager bool `json:"certManager,inline"`
+	// EBSCSIController adds policies for using the
+	// ebs-csi-controller. See [aws-ebs-csi-driver
+	// docs](https://github.com/kubernetes-sigs/aws-ebs-csi-driver#set-up-driver-permission).
+	EBSCSIController bool `json:"ebsCSIController,inline"`
 }
 
 func (p *WellKnownPolicies) HasPolicy() bool {
-	return p.ImageBuilder || p.AutoScaler || p.AWSLoadBalancerController || p.ExternalDNS || p.CertManager
+	return p.ImageBuilder || p.AutoScaler || p.AWSLoadBalancerController || p.ExternalDNS || p.CertManager || p.EBSCSIController
 }
diff --git a/pkg/cfn/builder/iam_helper.go b/pkg/cfn/builder/iam_helper.go
@@ -62,6 +62,11 @@ func createWellKnownPolicies(wellKnownPolicies api.WellKnownPolicies) ([]managed
 			}...,
 		)
 	}
+	if wellKnownPolicies.EBSCSIController {
+		customPolicies = append(customPolicies,
+			customPolicyForRole{Name: "PolicyEBSCSIController", Statements: ebsStatements()},
+		)
+	}
 	return managedPolicies, customPolicies
 }
 

diff --git a/userdocs/src/usage/iamserviceaccounts.md b/userdocs/src/usage/iamserviceaccounts.md
@@ -101,7 +101,7 @@ The option to enable `wellKnownPolicies` is included for using IRSA with well-kn
 use cases like `cluster-autoscaler` and `cert-manager`, as a shorthand for lists
 of policies.
 
-Other properties of `serviceAccounts` are documented at
+Supported well-known policies and other properties of `serviceAccounts` are documented at
 [the config schema](https://eksctl.io/usage/schema/#iam-serviceAccounts).
 
 You use the following config example with `eksctl create cluster`: