docs: add new page and identify role and policies #1419

Closed
@@ -1,6 +1,6 @@
---
title: "Required IAM Policies"
metaTitle: "Required IAM Policies or Palette"
metaTitle: "Required IAM Policies for Palette"
metaDescription: "A list of required IAM policies that Palette requires."
hideToC: false
fullWidth: false
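Review bot: the metaTitle typo fix ("or" to "for") is correct, but the metaDescription on the next context line, "A list of required IAM policies that Palette requires.", is redundant ("required ... requires") and could be tightened in the same commit, for example to "The IAM policies Palette requires to manage clusters."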
@@ -0,0 +1,97 @@
---
title: "Cluster IAM Roles and Policies"
metaTitle: "Cluster IAM Roles and Policies"
metaDescription: "A list of IAM roles that Palette attaches to the Cluster."
hideToC: false
fullWidth: false
---

import Tabs from 'shared/components/ui/Tabs';
import WarningBox from 'shared/components/WarningBox';
import InfoBox from 'shared/components/InfoBox';
import PointsOfInterest from 'shared/components/common/PointOfInterest';

## Roles and Policies for an EKS Cluster

When you deploy an EKS cluster using Palette, Palette creates two IAM roles automatically - one for the cluster and another for the node group.

The cluster's IAM role is named in the following syntax, `[cluster-name]-iam-service-role`, and the node group's IAM role is named as `ng-role_worker-pool-[random-string]`. These IAM roles are made up of customer-managed as well as AWS-managed IAM policies, as outlined in the table below. You can, however, attach more IAM policies to any of these IAM roles per your specific requirements.

|**Policy name**|**Type**|Attached to the cluster's IAM role?|Attached to the node group's IAM role?|
|---|---|---|---|
|PaletteBackupRestore| Customer-managed|✅ |✅ |
|PaletteControlPlanePolicy| Customer-managed|✅ |✅ |
|PaletteControllerPolicy| Customer-managed|✅ |✅ |
|PaletteDeploymentPolicy| Customer-managed|✅ |✅ |
|PaletteNodesPolicy| Customer-managed|✅ |✅ |
|AmazonEKSClusterPolicy|AWS managed|✅ |--|
|AmazonEBSCSIDriverPolicy^^|AWS managed|✅ |✅ |
|AmazonEC2ContainerRegistryReadOnly|AWS managed|--|✅ |
|AmazonEKS_CNI_Policy|AWS managed|--|✅ |
|AmazonEKSWorkerNodePolicy|AWS managed|--|✅ |
|AmazonSSMManagedInstanceCore|AWS managed|--|✅ |


^^ This policy will get attached if you have chosen Amazon CSI layer in your cluster profile. This IAM Policy will allows the CSI driver service account to make calls to related services such as EC2 on your behalf.


## Roles and Policies for an EKS Cluster

**control-plane.cluster-api-provider-aws.sigs.k8s.io**

control-plane.cluster-api-provider-aws.sigs.k8s.io Customer managed
For the Kubernetes Cloud Provider AWS Control Plane

controllers-eks.cluster-api-provider-aws.sigs.k8s.io Customer managed
For the Kubernetes Cluster API Provider AWS Controllers

controllers.cluster-api-provider-aws.sigs.k8s.io Customer managed
For the Kubernetes Cluster API Provider AWS Controllers

nodes.cluster-api-provider-aws.sigs.k8s.io Customer managed
For the Kubernetes Cloud Provider AWS nodes

PaletteBackupRestore Customer managed

PaletteControllerPolicy Customer managed

PaletteControlPlanePolicy Customer managed

PaletteDeploymentPolicy Customer managed

PaletteEBSPolicy Customer managed

PaletteKMSPolicy Customer managed

PaletteNodesPolicy Customer managed

AmazonEBSCSIDriverPolicy AWS managed


**nodes.cluster-api-provider-aws.sigs.k8s.io**

nodes.cluster-api-provider-aws.sigs.k8s.io Customer managed
For the Kubernetes Cloud Provider AWS nodes

PaletteBackupRestore Customer managed

PaletteControllerPolicy Customer managed

PaletteControlPlanePolicy Customer managed

PaletteDeploymentPolicy Customer managed

PaletteEBSPolicy Customer managed

PaletteKMSPolicy Customer managed

PaletteNodesPolicy Customer managed

AmazonEKS_CNI_Policy AWS managed
This policy provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IP address configuration on your EKS worker nodes. This permission set allows the CNI to list, describe, and modify Elastic Network Interfaces on your behalf. More information on the AWS VPC CNI Plugin is available here: https://github.com/aws/amazon-vpc-cni-k8s

AmazonEKSWorkerNodePolicy AWS managed
This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters.

AmazonEBSCSIDriverPolicy AWS managed
IAM Policy that allows the CSI driver service account to make calls to related services such as EC2 on your behalf.
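Review bot: the second section reuses the first section's heading, "## Roles and Policies for an EKS Cluster", although it documents a different set of roles (the control-plane.cluster-api-provider-aws.sigs.k8s.io and nodes.cluster-api-provider-aws.sigs.k8s.io roles); give it its own heading and present it as a table like the first section instead of a flattened list of "name / type" pairs with descriptions only for the AWS-managed entries. The two sections also disagree: PaletteEBSPolicy and PaletteKMSPolicy are listed against both roles in the second section but are absent from the first table, and the first table marks every Palette customer-managed policy, including PaletteControlPlanePolicy, as attached to the node group role as well as the cluster role. Please confirm that is accurate before it ships, since the node group role is assumed by every worker instance; if the node role gets a narrower set, the table is wrong, and if it really gets the full set, a short caveat on that is warranted. Smaller points: the footnote "This IAM Policy will allows the CSI driver service account" should read "This IAM policy allows the CSI driver service account"; the "^^" marker is an unusual footnote convention for this docs set; and the four imports at the top (Tabs, WarningBox, InfoBox, PointsOfInterest) are never used in the page and should be dropped.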