
bug; karpenter controller policy is missing required instance profile permissions introduced in karpenter v0.32 #433

Closed
abrabah opened this issue Nov 10, 2023 · 2 comments · Fixed by #434

Comments

abrabah commented Nov 10, 2023

Description

Karpenter will auto-generate instance profiles as of version v0.32. The karpenter_controller policy in modules/iam-role-for-service-accounts-eks/policies.tf does not currently include statements for manipulating instance profiles.

Updated karpenter policy can be found in the karpenter repository

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: v5.30.1
  • Terraform version: 1.6.3
  • Provider version(s): hashicorp/aws 5.25.0

Reproduction Code [Required]

Run the karpenter_controller_irsa_role module under terraform-aws-iam/examples/iam-role-for-service-accounts-eks:

module "karpenter_controller_irsa_role" {
  source = "../../modules/iam-role-for-service-accounts-eks"

  role_name                          = "karpenter-controller"
  attach_karpenter_controller_policy = true

  karpenter_controller_cluster_name       = module.eks.cluster_name
  karpenter_controller_node_iam_role_arns = [module.eks.eks_managed_node_groups["default"].iam_role_arn]

  oidc_providers = {
    ex = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["karpenter:karpenter"]
    }
  }

  tags = local.tags
}

Steps to reproduce the behavior:

  • Create a module from iam-role-for-service-accounts-eks with attach_karpenter_controller_policy = true
  • Apply changes with terraform
  • Inspect resulting karpenter IAM policy. The policy is missing required instance profile actions

Expected behavior

Expected a series of instance profile actions to be added to the karpenter role

Actual behavior

Found no instance profile actions associated with the karpenter role/policy

Additional context

Related Karpenter policy for the terraform module can be found here

Related Karpenter v0.32 policy can be found here

@abrabah abrabah changed the title bug; karpenter controller policy is missing required InstancePriofile persmissions indroduced in karpenter v0.32 bug; karpenter controller policy is missing required InstancePriofile persmissions introduced in karpenter v0.32 Nov 10, 2023
@abrabah abrabah changed the title bug; karpenter controller policy is missing required InstancePriofile persmissions introduced in karpenter v0.32 bug; karpenter controller policy is missing required instance profile persmissions introduced in karpenter v0.32 Nov 10, 2023
bryantbiggs added a commit that referenced this issue Nov 17, 2023
* fix: add instance profile permissions to karpenter policy

fixes #433

Signed-off-by: Abraham Bah <2195667+abrabah@users.noreply.github.com>

* fix; use dynamic block instead of repeating StringEquals condition for iam:CreateInstanceProfile statement in karpenter policy

* fixup! remove unnecessary whitespace

Signed-off-by: Abraham Bah <2195667+abrabah@users.noreply.github.com>

* fix: Make instance profile creation an opt-in

* fix: Update docs

---------

Signed-off-by: Abraham Bah <2195667+abrabah@users.noreply.github.com>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
antonbabenko pushed a commit that referenced this issue Nov 17, 2023
## [5.32.0](v5.31.0...v5.32.0) (2023-11-17)

### Features

* Add instance profile permissions to Karpenter IRSA policy ([#434](#434)) ([50348dd](50348dd)), closes [#433](#433)
@antonbabenko
Member

This issue has been resolved in version 5.32.0 🎉


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 18, 2023