Merge pull request #13532 from seh/augment-cluster-autoscaler-iam-per…

…missions-conditionally Allow cluster autoscaler to read EC2 instance types to build catalog dynamically
kubernetes · Apr 20, 2022 · 3242dc3 · 3242dc3
2 parents 755f8f5 + de1ecd8
commit 3242dc3
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 4 deletions.
diff --git a/pkg/model/components/addonmanifests/clusterautoscaler/iam.go b/pkg/model/components/addonmanifests/clusterautoscaler/iam.go
@@ -19,9 +19,10 @@ package clusterautoscaler
 import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kops/pkg/model/iam"
+	"k8s.io/kops/upup/pkg/fi"
 )
 
-// ServiceAccount represents the service-account used by the dns-controller.
+// ServiceAccount represents the service account used by the cluster autoscaler.
 // It implements iam.Subject to get AWS IAM permissions.
 type ServiceAccount struct{}
 
@@ -32,7 +33,11 @@ func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, erro
 	clusterName := b.Cluster.ObjectMeta.Name
 	p := iam.NewPolicy(clusterName, b.Partition)
 
-	iam.AddClusterAutoscalerPermissions(p)
+	var useStaticInstanceList bool
+	if ca := b.Cluster.Spec.ClusterAutoscaler; ca != nil && fi.BoolValue(ca.AWSUseStaticInstanceList) {
+		useStaticInstanceList = true
+	}
+	iam.AddClusterAutoscalerPermissions(p, useStaticInstanceList)
 
 	return p, nil
 }

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
@@ -427,7 +427,12 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		if b.Cluster.Spec.AWSLoadBalancerController != nil && fi.BoolValue(b.Cluster.Spec.AWSLoadBalancerController.Enabled) {
 			AddAWSLoadbalancerControllerPermissions(p)
 		}
-		AddClusterAutoscalerPermissions(p)
+
+		var useStaticInstanceList bool
+		if ca := b.Cluster.Spec.ClusterAutoscaler; ca != nil && fi.BoolValue(ca.AWSUseStaticInstanceList) {
+			useStaticInstanceList = true
+		}
+		AddClusterAutoscalerPermissions(p, useStaticInstanceList)
 
 		nth := b.Cluster.Spec.NodeTerminationHandler
 		if nth != nil && fi.BoolValue(nth.Enabled) && fi.BoolValue(nth.EnableSQSTerminationDraining) {
@@ -1013,7 +1018,7 @@ func AddAWSLoadbalancerControllerPermissions(p *Policy) {
 	)
 }
 
-func AddClusterAutoscalerPermissions(p *Policy) {
+func AddClusterAutoscalerPermissions(p *Policy, useStaticInstanceList bool) {
 	p.clusterTaggedAction.Insert(
 		"autoscaling:SetDesiredCapacity",
 		"autoscaling:TerminateInstanceInAutoScalingGroup",
@@ -1024,6 +1029,11 @@ func AddClusterAutoscalerPermissions(p *Policy) {
 		"autoscaling:DescribeLaunchConfigurations",
 		"ec2:DescribeLaunchTemplateVersions",
 	)
+	if !useStaticInstanceList {
+		p.unconditionalAction.Insert(
+			"ec2:DescribeInstanceTypes",
+		)
+	}
 }
 
 // AddAWSEBSCSIDriverPermissions appens policy statements that the AWS EBS CSI Driver needs to operate.

diff --git a/...rsa/data/aws_iam_role_policy_cluster-autoscaler.kube-system.sa.minimal.example.com_policy b/...rsa/data/aws_iam_role_policy_cluster-autoscaler.kube-system.sa.minimal.example.com_policy
@@ -5,6 +5,7 @@
         "autoscaling:DescribeAutoScalingGroups",
         "autoscaling:DescribeAutoScalingInstances",
         "autoscaling:DescribeLaunchConfigurations",
+        "ec2:DescribeInstanceTypes",
         "ec2:DescribeLaunchTemplateVersions"
       ],
       "Effect": "Allow",

diff --git a/...a23/data/aws_iam_role_policy_cluster-autoscaler.kube-system.sa.minimal.example.com_policy b/...a23/data/aws_iam_role_policy_cluster-autoscaler.kube-system.sa.minimal.example.com_policy
@@ -5,6 +5,7 @@
         "autoscaling:DescribeAutoScalingGroups",
         "autoscaling:DescribeAutoScalingInstances",
         "autoscaling:DescribeLaunchConfigurations",
+        "ec2:DescribeInstanceTypes",
         "ec2:DescribeLaunchTemplateVersions"
       ],
       "Effect": "Allow",