Add well-known IRSA policy for the EBS CSI driver
Add well-known IAM policy support for EBS CSI driver/controller IAM role
service accounts.
jalaziz committed Apr 4, 2021
1 parent 34f77ed commit b56343a
Showing 4 changed files with 21 additions and 5 deletions.
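--- a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
+++ b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
@@ -2007,6 +2007,12 @@
 "x-intellij-html-description": "adds cert-manager policies. See <a href=\"https://cert-manager.io/docs/configuration/acme/dns01/route53\">cert-manager docs</a>.",
 "default": "false"
 },
+"ebsCSIController": {
+"type": "boolean",
+"description": "adds policies for using the ebs-csi-controller. See [aws-ebs-csi-driver docs](https://github.com/kubernetes-sigs/aws-ebs-csi-driver#set-up-driver-permission).",
+"x-intellij-html-description": "adds policies for using the ebs-csi-controller. See <a href=\"https://github.com/kubernetes-sigs/aws-ebs-csi-driver#set-up-driver-permission\">aws-ebs-csi-driver docs</a>.",
+"default": "false"
+},
 "externalDNS": {
 "type": "boolean",
 "description": "adds external-dns policies for Amazon Route 53. See [external-dns docs](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md).",
@@ -2025,7 +2031,8 @@
 "autoScaler",
 "awsLoadBalancerController",
 "externalDNS",
-"certManager"
+"certManager",
+"ebsCSIController"
 ],
 "additionalProperties": false,
 "description": "for attaching common IAM policies",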
6 changes: 3 additions & 3 deletions pkg/apis/eksctl.io/v1alpha5/schema.go

Large diffs are not rendered by default.

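--- a/pkg/apis/eksctl.io/v1alpha5/well_known_iam_policy.go
+++ b/pkg/apis/eksctl.io/v1alpha5/well_known_iam_policy.go
@@ -18,8 +18,12 @@ type WellKnownPolicies struct {
 // CertManager adds cert-manager policies. See [cert-manager
 // docs](https://cert-manager.io/docs/configuration/acme/dns01/route53).
 CertManager bool `json:"certManager,inline"`
+// EBSCSIController adds policies for using the
+// ebs-csi-controller. See [aws-ebs-csi-driver
+// docs](https://github.com/kubernetes-sigs/aws-ebs-csi-driver#set-up-driver-permission).
+EBSCSIController bool `json:"ebsCSIController,inline"`
 }
 
 func (p *WellKnownPolicies) HasPolicy() bool {
-return p.ImageBuilder || p.AutoScaler || p.AWSLoadBalancerController || p.ExternalDNS || p.CertManager
+return p.ImageBuilder || p.AutoScaler || p.AWSLoadBalancerController || p.ExternalDNS || p.CertManager || p.EBSCSIController
 }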
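Review bot: `HasPolicy` is an exported method with no doc comment, and its OR chain has to be extended by hand for every field added to `WellKnownPolicies`, as the changed return line does for `EBSCSIController`. A field that is added to the struct but left out of the chain would make `HasPolicy` return false when only that policy is requested; what callers do in that case is not visible in this section. I would add `// HasPolicy reports whether any well-known policy is enabled; extend it whenever a field is added to WellKnownPolicies.` above the method.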
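--- a/pkg/cfn/builder/iam_helper.go
+++ b/pkg/cfn/builder/iam_helper.go
@@ -62,6 +62,11 @@ func createWellKnownPolicies(wellKnownPolicies api.WellKnownPolicies) ([]managed
 }...,
 )
 }
+if wellKnownPolicies.EBSCSIController {
+customPolicies = append(customPolicies,
+customPolicyForRole{Name: "PolicyEBSCSIController", Statements: ebsStatements()},
+)
+}
 return managedPolicies, customPolicies
 }
 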
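Review bot: The new `EBSCSIController` branch attaches whatever `ebsStatements()` returns to the service-account role, and that helper is defined outside this hunk, so the granted actions and resource scope cannot be checked from here. If the helper is shared with another role, a later widening of it would also widen this IRSA role without any change in this function. I would add a comment above the branch, `// PolicyEBSCSIController: statements from ebsStatements(); keep in step with the aws-ebs-csi-driver example policy.`, and confirm that the statements are no broader than what the driver documentation asks for. The body of `createWellKnownPolicies` starts before the hunk.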
