From e1b6516614c8517ea1aba306cf8299045c193f3f Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Wed, 8 Nov 2023 09:11:35 -0700 Subject: [PATCH 1/4] docs: more context about IAM policies for AWS --- .../public-cloud/aws/required-iam-policies.md | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md index bf627ba61b..1cb790a739 100644 --- a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md +++ b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md 
@@ -860,3 +860,34 @@ roleName: "custom-ng-role" roleAdditionalPolicies: - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" ``` + + +## Roles and Policies for EKS + +When you deploy an EKS cluster using Palette, two IAM roles are created automatically. One IAM role is for the cluster, and the other IAM role for the worker node group. + +The cluster's IAM role is named in the following syntax, `[cluster-name]-iam-service-role`, and the node group's IAM role is named as `ng-role_worker-pool-[random-string]`. These two IAM roles have customer-managed and AWS-managed IAM policies. You can attach more IAM policies to any of these IAM roles if needed. The following table lists the IAM policies attached to the cluster's IAM role and the node group's IAM role. + +|**Policy name**|**Type**|Attached to the cluster's IAM role?|Attached to the node group's IAM role?| +|---|---|---|---| +|PaletteBackupRestore| Customer-managed|✅ |✅ | +|PaletteControlPlanePolicy| Customer-managed|✅ |✅ | +|PaletteControllerPolicy| Customer-managed|✅ |✅ | +|PaletteDeploymentPolicy| Customer-managed|✅ |✅ | +|PaletteNodesPolicy| Customer-managed|✅ |✅ | +|AmazonEKSClusterPolicy|AWS managed|✅ | ❌ | +|AmazonEBSCSIDriverPolicy|AWS managed|✅ |✅ | +|AmazonEC2ContainerRegistryReadOnly|AWS managed| ❌ |✅ | +|AmazonEKS_CNI_Policy|AWS managed| ❌ |✅ | +|AmazonEKSWorkerNodePolicy|AWS managed| ❌ |✅ | +|AmazonSSMManagedInstanceCore|AWS managed| ❌ |✅ | + + +In addition to the policies listed above, if you specified other IAM policies during the AWS account registration, those policies are also attached to the cluster's IAM role and the node group's IAM role. Be aware that AWS has a default limit of 10 policies per role. If you exceed this limit, the cluster deployment may fail due to the IAM role policy limit. + + +:::info + +The AmazonEBSCSIDriverPolicy policy is attached if you selected the Amazon CSI pack in your cluster profile. 
This IAM policy allows the CSI driver service account to make API calls to the AWS EC2 service. + +::: From 57fd5ac486e45a0b9719f157633a15e6fedb3c51 Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Wed, 8 Nov 2023 11:18:10 -0700 Subject: [PATCH 2/4] docs: updated IAM permissions document --- .../public-cloud/aws/required-iam-policies.md | 64 +++++++++++++------ 1 file changed, 46 insertions(+), 18 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md index 1cb790a739..111e26f101 100644 --- a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md +++ b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md @@ -847,7 +847,7 @@ The following are important points to be aware of. ::: -## Global Role Additional Policies: +## Global Role Additional Policies There may be situations where additional node-level policies must be added to your deployment. For instance, when you create a host cluster with the **AWS EBS CSI** storage layer, ensure **AmazonEBSCSIDriverPolicy** is included. To add additional node-level policies, switch to the **Tenant Admin** project, and click on the **Tenant Settings** on the **Main Menu**. Click on **Cloud Accounts**. Add an account if one does not exists. After validation of the AWS credentials, ensure `Add IAM policies` are enabled. You can specify additional amazon resource names (ARN) to be attached. The attached policies will be included to all the clusters launched with this specific AWS cloud Account. 
@@ -862,32 +862,60 @@ roleName: "custom-ng-role" ``` -## Roles and Policies for EKS +## Roles and Policies + +Palette creates and attaches IAM roles and policies to the clusters it deploys. Depending on which type of cluster you deploy, either AWS EKS or IaaS (using EC2 instances), Palette creates and attaches different IAM roles and policies. + +Select the tab below to review the IAM roles and policies attached to the cluster's IAM role and the node group's IAM role. + + + + When you deploy an EKS cluster using Palette, two IAM roles are created automatically. One IAM role is for the cluster, and the other IAM role for the worker node group. The cluster's IAM role is named in the following syntax, `[cluster-name]-iam-service-role`, and the node group's IAM role is named as `ng-role_worker-pool-[random-string]`. These two IAM roles have customer-managed and AWS-managed IAM policies. You can attach more IAM policies to any of these IAM roles if needed. The following table lists the IAM policies attached to the cluster's IAM role and the node group's IAM role. -|**Policy name**|**Type**|Attached to the cluster's IAM role?|Attached to the node group's IAM role?| -|---|---|---|---| -|PaletteBackupRestore| Customer-managed|✅ |✅ | -|PaletteControlPlanePolicy| Customer-managed|✅ |✅ | -|PaletteControllerPolicy| Customer-managed|✅ |✅ | -|PaletteDeploymentPolicy| Customer-managed|✅ |✅ | -|PaletteNodesPolicy| Customer-managed|✅ |✅ | -|AmazonEKSClusterPolicy|AWS managed|✅ | ❌ | -|AmazonEBSCSIDriverPolicy|AWS managed|✅ |✅ | -|AmazonEC2ContainerRegistryReadOnly|AWS managed| ❌ |✅ | -|AmazonEKS_CNI_Policy|AWS managed| ❌ |✅ | -|AmazonEKSWorkerNodePolicy|AWS managed| ❌ |✅ | -|AmazonSSMManagedInstanceCore|AWS managed| ❌ |✅ | +|**Policy Name**|**Type**|**Attached to the cluster's IAM role?**|**Attached to the node group's IAM role?**| **Description** | +|---|---|---|---|---| +|AmazonEKSClusterPolicy|AWS managed|✅ | ❌ | Provides the cluster permissision to manage compute resources. 
| +|AmazonEC2ContainerRegistryReadOnly|AWS managed| ❌ |✅ | Provides the node group permission to pull images from Amazon ECR. | +|AmazonEKS_CNI_Policy|AWS managed| ❌ |✅ | Provides the node group permission to manage network resources. | +|AmazonEKSWorkerNodePolicy|AWS managed| ❌ |✅ | This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters.| +|AmazonSSMManagedInstanceCore|AWS managed| ❌ |✅ | The policy for Amazon EC2 Role to enable AWS Systems Manager service core functionality. | In addition to the policies listed above, if you specified other IAM policies during the AWS account registration, those policies are also attached to the cluster's IAM role and the node group's IAM role. Be aware that AWS has a default limit of 10 policies per role. If you exceed this limit, the cluster deployment may fail due to the IAM role policy limit. -:::info + + -The AmazonEBSCSIDriverPolicy policy is attached if you selected the Amazon CSI pack in your cluster profile. This IAM policy allows the CSI driver service account to make API calls to the AWS EC2 service. -::: +When you deploy an IaaS cluster using Palette, two IAM roles are created automatically. One IAM role is for the cluster control nodes, and the other IAM role for the worker nodes. + +The control plane nodes IAM role is named `control-plane.cluster-api-provider-aws.sigs.k8s.io`, and the node group's IAM role is named as `nodes.cluster-api-provider-aws.sigs.k8s.io`. These two IAM roles have customer-managed and AWS-managed IAM policies. You can attach more IAM policies to any of these IAM roles if needed. The following table lists the IAM policies attached to the cluster's IAM role and the node group's IAM role. 
+ +|**Policy name**|**Type**|**Attached to the control plane IAM role?**|**Attached to the node group's IAM role?**| **Description** | +|---|---|---|---|--| +| control-plane.cluster-api-provider-aws.sigs.k8s.io | Customer-managed|✅ | ❌ | Provides the control plane nodes access to compute services such as EC, autoscaling, and more.| +| controllers-eks.cluster-api-provider-aws.sigs.k8s.io | Customer-managed|✅ | ❌ | Provides the control plane nodes access to EKS services and AWS SSM.| +| controllers.cluster-api-provider-aws.sigs.k8s.io | Customer-managed | ✅ | ❌ | Provides the control plane nodes access to network resources, S3, and other services. | +| nodes.cluster-api-provider-aws.sigs.k8s.io | Customer-managed | ✅ | ✅ | Provides access to services EC2 and ECR. | +|AmazonEKSWorkerNodePolicy|AWS managed| ❌ |✅ | This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters.| + + + +In addition to the policies listed above, if you specified other IAM policies during the AWS account registration, those policies are also attached to the cluster's IAM role and the node group's IAM role. Other policies may also be attached to the IAM roles depending on the storage layer and network layer pack you choose. + + + + + + + +:::caution + +Be aware that AWS has a default limit of 10 policies per role. If you exceed this limit, the cluster deployment may fail due to the IAM role policy limit. Request a [service quota increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html) for the AWS account to increase the limit. + +::: \ No newline at end of file From fab4cfb01f8820b5ba3d48e3f76f51544154c31d Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Wed, 8 Nov 2023 13:33:34 -0700 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- .../clusters/public-cloud/aws/required-iam-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md index 111e26f101..c56bac021d 100644 --- a/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md +++ b/docs/docs-content/clusters/public-cloud/aws/required-iam-policies.md @@ -885,7 +885,7 @@ The cluster's IAM role is named in the following syntax, `[cluster-name]-iam-ser |AmazonSSMManagedInstanceCore|AWS managed| ❌ |✅ | The policy for Amazon EC2 Role to enable AWS Systems Manager service core functionality. | -In addition to the policies listed above, if you specified other IAM policies during the AWS account registration, those policies are also attached to the cluster's IAM role and the node group's IAM role. Be aware that AWS has a default limit of 10 policies per role. If you exceed this limit, the cluster deployment may fail due to the IAM role policy limit. +In addition to the policies listed above, if you specified other IAM policies during the AWS account registration, those policies are also attached to the cluster's IAM role and the node group's IAM role. From 8b0e42dc2b09380ace872bce455baef6f31836dd Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Wed, 8 Nov 2023 13:41:19 -0700 Subject: [PATCH 4/4] docs: merge master --- docs/docs-content/clusters/public-cloud/aws/architecture.md | 1 + docs/docs-content/clusters/public-cloud/aws/aws.md | 3 +++ 2 files changed, 4 insertions(+) diff --git a/docs/docs-content/clusters/public-cloud/aws/architecture.md b/docs/docs-content/clusters/public-cloud/aws/architecture.md index 027aa8b170..3b27c09729 100644 --- a/docs/docs-content/clusters/public-cloud/aws/architecture.md +++ b/docs/docs-content/clusters/public-cloud/aws/architecture.md 
@@ -46,6 +46,7 @@ Palette also supports deploying and managing AWS Elastic Kubernetes Service (EKS You can disable the OIDC associate provider if the service provider restricts the cluster deployment with the OIDC associate provider in the enabled state. Customize the EKS Kubernetes pack YAML values with the following option: ```yaml +managedControlPlane: disableAssociateOIDCProvider: true ``` diff --git a/docs/docs-content/clusters/public-cloud/aws/aws.md b/docs/docs-content/clusters/public-cloud/aws/aws.md index eb5d08a757..4094e3fa46 100644 --- a/docs/docs-content/clusters/public-cloud/aws/aws.md +++ b/docs/docs-content/clusters/public-cloud/aws/aws.md @@ -29,6 +29,9 @@ To learn more about Palette and AWS clusters, check out the following resources: - [Create and Manage AWS EKS Cluster](eks.md) +- [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md) + + - [Cluster Management Day Two Operations](../../cluster-management/cluster-management.md)
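Review bot: in the first hunk of PATCH 1 (`required-iam-policies.md`, `@@ -860,3 +860,34 @@`) the EKS table and the `:::info` box contradict each other: the table marks `AmazonEBSCSIDriverPolicy` as attached to both the cluster role and the node group role unconditionally, while the info box says it is attached only when the Amazon CSI pack is selected in the cluster profile. Either make the row conditional (a footnote or a "depends on the CSI pack" value in the two attachment columns) or keep it out of the table and describe it only in the info box. Two wording points in the same hunk: "the other IAM role for the worker node group" is missing "is", and "is named as `ng-role_worker-pool-[random-string]`" should read "is named `ng-role_worker-pool-[random-string]`".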
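Review bot: the heading change in PATCH 2's first hunk (`@@ -847,7 +847,7 @@`) is fine; while touching this paragraph, the unchanged context line "Add an account if one does not exists." should read "does not exist", and "additional amazon resource names (ARN)" should be "additional Amazon Resource Names (ARNs)".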
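Review bot: in PATCH 2's second hunk (`@@ -862,32 +862,60 @@`) the EKS prose no longer matches its table: the sentence "These two IAM roles have customer-managed and AWS-managed IAM policies" is kept, but every customer-managed row (`PaletteBackupRestore`, `PaletteControlPlanePolicy`, `PaletteControllerPolicy`, `PaletteDeploymentPolicy`, `PaletteNodesPolicy`) is removed, so the EKS table now lists AWS managed policies only. Either restore the rows or reword the sentence. Further points in the same hunk: "permissision" in the `AmazonEKSClusterPolicy` description; "compute services such as EC, autoscaling" should be "EC2"; the text says "Select the tab below" but no tab wrapper markup survives in the visible `+` lines, so confirm the tab components are present; the IaaS intro says "the cluster's IAM role" while the table header says "control plane IAM role", and "control nodes" should be "control plane nodes"; the IaaS table's `AmazonEKSWorkerNodePolicy` row carries the EKS description "allows Amazon EKS worker nodes to connect to Amazon EKS Clusters", which reads as copied from the EKS table, so confirm that policy really is attached to IaaS worker nodes; the 10-policy quota sentence is now stated twice, once in the EKS paragraph and once in the new `:::caution` box; and the file ends with `\ No newline at end of file`.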
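Review bot: PATCH 3's hunk (`@@ -885,7 +885,7 @@`) removes the quota sentence from the EKS paragraph, which resolves its duplication with the `:::caution` box; consider also appending to that paragraph the sentence the IaaS tab already has, "Other policies may also be attached to the IAM roles depending on the storage layer and network layer pack you choose.", so both tabs state that pack-dependent policies exist, given that the EKS tab lost its `AmazonEBSCSIDriverPolicy` note in the previous commit.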
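Review bot: the YAML in PATCH 4's `architecture.md` hunk (`@@ -46,6 +46,7 @@`) is only correct if `disableAssociateOIDCProvider: true` is indented under the new `managedControlPlane:` key; the extracted hunk does not show indentation, so confirm the nested form (`managedControlPlane:` followed by a two-space-indented `disableAssociateOIDCProvider: true`), otherwise the snippet parses as two unrelated top-level keys. The surrounding sentence would also benefit from one caveat: with the OIDC provider association disabled, IAM Roles for Service Accounts (IRSA) cannot be used on that cluster, because IRSA depends on the cluster's OIDC issuer being registered as an IAM identity provider, so pods fall back to the node role's credentials.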
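Review bot: in PATCH 4's `aws.md` hunk (`@@ -29,6 +29,9 @@`) the two blank `+` lines added after the new "Enable Secrets Encryption for EKS Cluster" entry break the single-line spacing used by the neighbouring list items; drop them so the list stays contiguous. Also confirm that `enable-secrets-encryption-kms-key.md` exists alongside `eks.md`, since this series does not add that file (the commit message attributes it to a master merge).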