Remove inline ELB and CloudWatch policies from Cluster Role (#7603)

* remove inline elb and cloud watch policy #7139 * fixed unit tests for removing extra inline policies
eksctl-io · Feb 27, 2024 · 75c95b1 · 75c95b1
1 parent f1fa4a1
commit 75c95b1
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 40 deletions.
diff --git a/pkg/cfn/builder/cluster_test.go b/pkg/cfn/builder/cluster_test.go
@@ -281,18 +281,11 @@ var _ = Describe("Cluster Template Builder", func() {
 
 		It("should add iam resources and policies", func() {
 			Expect(clusterTemplate.Resources).To(HaveKey("ServiceRole"))
-			Expect(clusterTemplate.Resources).To(HaveKey("PolicyELBPermissions"))
-			Expect(clusterTemplate.Resources).To(HaveKey("PolicyCloudWatchMetrics"))
 		})
 
 		It("should add the correct policies and references to the ServiceRole ARN", func() {
 			Expect(clusterTemplate.Resources["ServiceRole"].Properties.ManagedPolicyArns).To(HaveLen(2))
 			Expect(clusterTemplate.Resources["ServiceRole"].Properties.ManagedPolicyArns).To(ContainElements(makePolicyARNRef("AmazonEKSClusterPolicy"), makePolicyARNRef("AmazonEKSVPCResourceController")))
-
-			cwPolicy := clusterTemplate.Resources["PolicyCloudWatchMetrics"].Properties
-			Expect(isRefTo(cwPolicy.Roles[0], "ServiceRole")).To(BeTrue())
-			elbPolicy := clusterTemplate.Resources["PolicyELBPermissions"].Properties
-			Expect(isRefTo(elbPolicy.Roles[0], "ServiceRole")).To(BeTrue())
 		})
 
 		It("should add iam outputs", func() {

diff --git a/pkg/cfn/builder/iam.go b/pkg/cfn/builder/iam.go
@@ -105,13 +105,7 @@ func (c *ClusterResourceSet) addResourcesForIAM() {
 	if api.IsSetAndNonEmptyString(c.spec.IAM.ServiceRolePermissionsBoundary) {
 		role.PermissionsBoundary = gfnt.NewString(*c.spec.IAM.ServiceRolePermissionsBoundary)
 	}
-	refSR := c.newResource("ServiceRole", role)
-	c.rs.attachAllowPolicy("PolicyCloudWatchMetrics", refSR, cloudWatchMetricsStatements())
-	// These are potentially required for creating load balancers but aren't included in the
-	// AmazonEKSClusterPolicy
-	// See https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-api-permissions.html#required-permissions-v2
-	// and weaveworks/eksctl#2488
-	c.rs.attachAllowPolicy("PolicyELBPermissions", refSR, elbStatements())
+	c.newResource("ServiceRole", role)
 
 	c.rs.defineOutputFromAtt(outputs.ClusterServiceRoleARN, "ServiceRole", "Arn", true, func(v string) error {
 		c.spec.IAM.ServiceRoleARN = &v

diff --git a/pkg/cfn/builder/statement.go b/pkg/cfn/builder/statement.go
@@ -250,32 +250,6 @@ func loadBalancerControllerStatements() []cft.MapOfInterfaces {
 	}
 }
 
-func elbStatements() []cft.MapOfInterfaces {
-	return []cft.MapOfInterfaces{
-		{
-			"Effect":   effectAllow,
-			"Resource": resourceAll,
-			"Action": []string{
-				"ec2:DescribeAccountAttributes",
-				"ec2:DescribeAddresses",
-				"ec2:DescribeInternetGateways",
-			},
-		},
-	}
-}
-
-func cloudWatchMetricsStatements() []cft.MapOfInterfaces {
-	return []cft.MapOfInterfaces{
-		{
-			"Effect":   effectAllow,
-			"Resource": resourceAll,
-			"Action": []string{
-				"cloudwatch:PutMetricData",
-			},
-		},
-	}
-}
-
 func certManagerHostedZonesStatements() []cft.MapOfInterfaces {
 	return []cft.MapOfInterfaces{
 		{