diff --git a/content/docs/04-clusters/01-public-cloud/01-aws/09-eks.md b/content/docs/04-clusters/01-public-cloud/01-aws/09-eks.md
index a3fe875593..21c921187a 100644
--- a/content/docs/04-clusters/01-public-cloud/01-aws/09-eks.md
+++ b/content/docs/04-clusters/01-public-cloud/01-aws/09-eks.md
@@ -84,7 +84,7 @@ Use the following steps to provision a new AWS EKS cluster:
 |**Region** | Choose the preferred AWS region where you would like the clusters to be provisioned.|
 |**SSH Key Pair Name** | Choose the desired SSH Key pair. SSH key pairs need to be pre-configured on AWS for the desired regions. The selected key is inserted into the VMs provisioned.|
 |**Cluster Endpoint Access**:| Select Private or Public or Private & Public, based on how the customer want to establish the communication with the endpoint for the managed Kubernetes API server and your cluster.
- |**Public Access CIDR**: |For Public or Private & Public end point access, give the CIDR values.|
+ |**Public Access CIDR**: |This setting controls which IP addresse CIDR range can access the cluster. Leaving this setting blank will follow the provider default behavior, which may allow unrestricted access depending on your network configuration. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide.|
 |**Enable Encryption**|The user can enable secret encryption by toggling **Enable Encryption**. Provide the provider KMS key ARN to complete the wizard. Review [EKS Cluster Encryption](/clusters/public-cloud/aws/eks/#eksclustersecretsencryption) for more details.|
 |**Worker Pool Update**|Optionally enable the option to update the worker pool in parallel.|
diff --git a/content/docs/04-clusters/01-public-cloud/01-aws/10-required-iam-policies.md b/content/docs/04-clusters/01-public-cloud/01-aws/10-required-iam-policies.md
index e4eb1fc3c2..7a23ed335c 100644
--- a/content/docs/04-clusters/01-public-cloud/01-aws/10-required-iam-policies.md
+++ b/content/docs/04-clusters/01-public-cloud/01-aws/10-required-iam-policies.md
@@ -17,18 +17,18 @@ Palette requires proper Amazon Web Services (AWS) permissions to operate and per
 The following policies include all the permissions needed for cluster provisioning with Palette.
-* `PaletteControllersPolicy`
+* **PaletteControllersPolicy**
-* `PaletteControlPlanePolicy`
+* **PaletteControlPlanePolicy**
-* `PaletteNodesPolicy`
+* **PaletteNodesPolicy**
-* `PaletteDeploymentPolicy`
+* **PaletteDeploymentPolicy**
-Additional IAM policies may be required depending on the use case. For example, AWS Elastic Kubernetes Service (EKS) requires the *PaletteControllersEKSPolicy*.
+Additional IAM policies may be required depending on the use case. For example, AWS Elastic Kubernetes Service (EKS) requires the **PaletteControllersEKSPolicy**. Check out the [Controllers EKS Policy](/clusters/public-cloud/aws/required-iam-policies#controllersekspolicy) section to review the IAM policy.
@@ -228,182 +228,6 @@ You can learn more about AWS IAM limits in the [IAM Quotas](https://docs.aws.ama
-
-
-**Last Update**: April 20, 2023
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "ssm:GetParameter"
- ],
- "Resource": [
- "arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*"
- ],
- "Effect": "Allow"
- },
- {
- "Condition": {
- "StringLike": {
- "iam:AWSServiceName": "eks.amazonaws.com"
- }
- },
- "Action": [
- "iam:CreateServiceLinkedRole"
- ],
- "Resource": [
- "arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS"
- ],
- "Effect": "Allow"
- },
- {
- "Condition": {
- "StringLike": {
- "iam:AWSServiceName": "eks-nodegroup.amazonaws.com"
- }
- },
- "Action": [
- "iam:CreateServiceLinkedRole"
- ],
- "Resource": [
- "arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup"
- ],
- "Effect": "Allow"
- },
- {
- "Condition": {
- "StringLike": {
- "iam:AWSServiceName": "eks-fargate.amazonaws.com"
- }
- },
- "Action": [
- "iam:CreateServiceLinkedRole"
- ],
- "Resource": [
- "arn:*:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate"
- ],
- "Effect": "Allow"
- },
- {
- "Action": [
- "iam:AddClientIDToOpenIDConnectProvider",
- "iam:CreateOpenIDConnectProvider",
- "iam:DeleteOpenIDConnectProvider""iam:ListOpenIDConnectProviders",
- "iam:UpdateOpenIDConnectProviderThumbprint",
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Allow"
- },
- {
- "Action": [
- "iam:GetRole",
- "iam:ListAttachedRolePolicies",
- "iam:DetachRolePolicy",
- "iam:DeleteRole",
- "iam:CreateRole",
- "iam:TagRole",
- "iam:AttachRolePolicy"
- ],
- "Resource": [
- "arn:*:iam::*:role/*"
- ],
- "Effect": "Allow"
- },
- {
- "Action": [
- "iam:GetPolicy"
- ],
- "Resource": [
- "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
- ],
- "Effect": "Allow"
- },
- {
- "Action": [
- "eks:DescribeCluster",
- "eks:ListClusters",
- "eks:CreateCluster",
- "eks:TagResource",
- "eks:UpdateClusterVersion",
- "eks:DeleteCluster",
- "eks:UpdateClusterConfig",
- "eks:UntagResource",
- "eks:UpdateNodegroupVersion",
- "eks:DescribeNodegroup",
- "eks:DeleteNodegroup",
- "eks:UpdateNodegroupConfig",
- "eks:CreateNodegroup",
- "eks:AssociateEncryptionConfig",
- "eks:ListIdentityProviderConfigs",
- "eks:AssociateIdentityProviderConfig",
- "eks:DescribeIdentityProviderConfig",
- "eks:DisassociateIdentityProviderConfig"
- ],
- "Resource": [
- "arn:*:eks:*:*:cluster/*",
- "arn:*:eks:*:*:nodegroup/*/*/*"
- ],
- "Effect": "Allow"
- },
- {
- "Action": [
- "ec2:AssociateVpcCidrBlock",
- "ec2:DisassociateVpcCidrBlock",
- "eks:ListAddons",
- "eks:CreateAddon",
- "eks:DescribeAddonVersions",
- "eks:DescribeAddon",
- "eks:DeleteAddon",
- "eks:UpdateAddon",
- "eks:TagResource",
- "eks:DescribeFargateProfile",
- "eks:CreateFargateProfile",
- "eks:DeleteFargateProfile"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Allow"
- },
- {
- "Condition": {
- "StringEquals": {
- "iam:PassedToService": "eks.amazonaws.com"
- }
- },
- "Action": [
- "iam:PassRole"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Allow"
- },
- {
- "Condition": {
- "ForAnyValue:StringLike": {
- "kms:ResourceAliases": "alias/cluster-api-provider-aws-*"
- }
- },
- "Action": [
- "kms:CreateGrant",
- "kms:DescribeKey"
- ],
- "Resource": [
- "*"
- ],
- "Effect": "Allow"
- }
- ]
-}
-```
- - **Last Update**: April 20, 2023
@@ -579,6 +403,185 @@ You can learn more about AWS IAM limits in the [IAM Quotas](https://docs.aws.ama
+
+## Controllers EKS Policy
+
+If you plan to deploy host clusters to AWS EKS, make sure to attach the **PaletteControllersEKSPolicy**.
+
+**Last Update**: April 20, 2023
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "ssm:GetParameter"
+ ],
+ "Resource": [
+ "arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Condition": {
+ "StringLike": {
+ "iam:AWSServiceName": "eks.amazonaws.com"
+ }
+ },
+ "Action": [
+ "iam:CreateServiceLinkedRole"
+ ],
+ "Resource": [
+ "arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Condition": {
+ "StringLike": {
+ "iam:AWSServiceName": "eks-nodegroup.amazonaws.com"
+ }
+ },
+ "Action": [
+ "iam:CreateServiceLinkedRole"
+ ],
+ "Resource": [
+ "arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Condition": {
+ "StringLike": {
+ "iam:AWSServiceName": "eks-fargate.amazonaws.com"
+ }
+ },
+ "Action": [
+ "iam:CreateServiceLinkedRole"
+ ],
+ "Resource": [
+ "arn:*:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Action": [
+ "iam:AddClientIDToOpenIDConnectProvider",
+ "iam:CreateOpenIDConnectProvider",
+ "iam:DeleteOpenIDConnectProvider",
+ "iam:ListOpenIDConnectProviders",
+ "iam:UpdateOpenIDConnectProviderThumbprint",
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Action": [
+ "iam:GetRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:DetachRolePolicy",
+ "iam:DeleteRole",
+ "iam:CreateRole",
+ "iam:TagRole",
+ "iam:AttachRolePolicy"
+ ],
+ "Resource": [
+ "arn:*:iam::*:role/*"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Action": [
+ "iam:GetPolicy"
+ ],
+ "Resource": [
+ "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Action": [
+ "eks:DescribeCluster",
+ "eks:ListClusters",
+ "eks:CreateCluster",
+ "eks:TagResource",
+ "eks:UpdateClusterVersion",
+ "eks:DeleteCluster",
+ "eks:UpdateClusterConfig",
+ "eks:UntagResource",
+ "eks:UpdateNodegroupVersion",
+ "eks:DescribeNodegroup",
+ "eks:DeleteNodegroup",
+ "eks:UpdateNodegroupConfig",
+ "eks:CreateNodegroup",
+ "eks:AssociateEncryptionConfig",
+ "eks:ListIdentityProviderConfigs",
+ "eks:AssociateIdentityProviderConfig",
+ "eks:DescribeIdentityProviderConfig",
+ "eks:DisassociateIdentityProviderConfig"
+ ],
+ "Resource": [
+ "arn:*:eks:*:*:cluster/*",
+ "arn:*:eks:*:*:nodegroup/*/*/*"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Action": [
+ "ec2:AssociateVpcCidrBlock",
+ "ec2:DisassociateVpcCidrBlock",
+ "eks:ListAddons",
+ "eks:CreateAddon",
+ "eks:DescribeAddonVersions",
+ "eks:DescribeAddon",
+ "eks:DeleteAddon",
+ "eks:UpdateAddon",
+ "eks:TagResource",
+ "eks:DescribeFargateProfile",
+ "eks:CreateFargateProfile",
+ "eks:DeleteFargateProfile"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Condition": {
+ "StringEquals": {
+ "iam:PassedToService": "eks.amazonaws.com"
+ }
+ },
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Condition": {
+ "ForAnyValue:StringLike": {
+ "kms:ResourceAliases": "alias/cluster-api-provider-aws-*"
+ }
+ },
+ "Action": [
+ "kms:CreateGrant",
+ "kms:DescribeKey"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Allow"
+ }
+ ]
+}
+```
+
 # Restricting Palette VPC Permissions
 You can choose to have Palette operate in a static or dynamic environment. You can configure Palette to perform an AWS cluster creation into an existing VPC. The following policy allows Palette to operate but restricts its access to the [Principle of Least Privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
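Review bot: The OpenID Connect provider statement in the new Controllers EKS Policy block still carries a trailing comma after `"iam:UpdateOpenIDConnectProviderThumbprint",` before the closing `]`, which makes the policy document invalid JSON; the commit repairs the missing comma before `iam:ListOpenIDConnectProviders` but carries this one over from the removed block. A reader pasting the policy into the IAM console or CLI will get a parse error rather than a working policy, so that line should read `"iam:UpdateOpenIDConnectProviderThumbprint"` with no comma. Since the page presents these policies as the least-privilege permission set, it would also help to say in the surrounding prose why the OIDC provider and add-on statements are granted on `"*"` with no condition, given that the `iam:PassRole` and KMS statements in the same document are bounded by `iam:PassedToService` and `kms:ResourceAliases` conditions; readers will want to know whether the unconstrained grants are required.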