Add support for well known policies with IRSA

[michaelbeaumont]

Description

Fixes #2837
I've only added these 5 for now. I want to confirm the rest of the existing addonPolicies make sense with IRSA

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the userdocs directory)
• Manually tested
• Added labels for change area (e.g. area/nodegroup), target version (e.g. version/0.12.0) and kind (e.g. kind/improvement)
• Make sure the title of the PR is a good description that can go into the release notes

[aclevername]

can an example yaml be added please 😄

[TBBle]

This can't be hit, because we're in an else after if wellKnownPolicies.ExternalDNS above. (Which is a good reminder that I don't see any tests for this new feature yet...)

[michaelbeaumont]

Yes, missed when going from handling elements of a list of policies to handling this struct.

[TBBle]

I see this has been updated, but I think the logic has drifted slightly.

My understanding of the similar code in createRole is roughly:

• If CertManager or ExternalDNS, changeSetStatements
• If Certmanager, certManagerGetChangeStatements
• If CertManager and ExternalDNS, certManagerHostedZonesStatements + a couple of things ExternalDNS needs that aren't in that
• If CertManager but not ExternalDNS, certManagerHostedZonesStatements
• If ExternalDNS but not CertManager, externalDNSHostedZonesStatements.

This logic is currently

• If CertManager or ExternalDNS, changeSetStatements
• If CertManager, certManagerGetChangeStatements
• If CertManager and ExternalDNS, certManagerHostedZonesStatements + a couple of things ExternalDNS needs that aren't in that
• If CertManager and not ExternalDNS, certManagerHostedZonesStatements
• If ExternalDNS, externalDNSHostedZonesStatements <== Applied even if CertManager.

externalDNSHostedZonesStatements and certManagerHostedZonesStatements both contain route53:ListResourceRecordSets, and the "couple of things" above are the other two statements from externalDNSHostedZonesStatements. So externalDNSHostedZonesStatements is a strict subset of "certManagerHostedZonesStatements + a couple of things ExternalDNS needs that aren't in that", so the former should only if the latter has not been applied.

To be fair, I don't know why the effort is made to avoid the overlap, unless there's an actual failure on the AWS API when a policy contains multiple statements for the same Effect/Resource/Action tuple? It just makes it harder to read and reason about.

[michaelbeaumont]

I've simplified that code now.

[michaelbeaumont]

@TBBle please do take a look over the changes if you get a chance

[TBBle]

I'm not clear why this is changed. Is it just because we're smuggling the return value from makePolicyARN out of (rs *IAMServiceAccountResourceSet) AddAllResources() inside this slice? Would it make sense to just stringify the value before adding it to ManagedPolicyArns instead?

(I'm not clear on what this gfn business is all about, so maybe this comment doesn't make sense.)

[michaelbeaumont]

Yes it's kind of a less than ideal situation because we do some cloud formation using our own types and some using goformation. It's here that they're being mixed. makePolicyARN uses Cloudformation intrinsics, which aren't serialized as strings. Although in this case it's probably not strictly necessary to use the intrinsic.

[michaelbeaumont]

I'm going to leave the intrinsics because we use them elsewhere (with makePolicyArns) (and interface{} is sort of how things are done in cfn/template right now)

[aclevername]

would attachWellKnownPolicies be better? I'm still open for WellKnownPolicies to change, but I think having attach prefixed helps to describe the intent

[TBBle]

I think it's a little odd that this is would be a verb, when the general idea of declarative config suggests using nouns instead, to describe the resulting state, not how you get there.

attachedWellKnownPolicies perhaps, but that's pretty verbose, and only subtly different, so likely to lead to muscle-memory mistakes.

I think the various uses of attach in eksctl config stand out as verbs in a sea of nouns, but I guess using attach specifically is consistent here, e.g., we also have securityGroups.attachIDs, not securityGroups.attachedIDs.

[michaelbeaumont]

Yes, I was trying to avoid a verb but maybe withWellKnownPolicies?

[Callisto13]

Would I be at risk of ruining everything by saying I am not a fan of WellKnown? withCommonPolicies?

[michaelbeaumont]

the one problem with "common" is that it has two meanings, one "well known", the other "shared"...

[Callisto13]

yeh that's totally right. withNamedPolicies? although I suppose all policies have names.

[aclevername]

Struggling to find a better alternative to WellKnownPolicies so I'm happy to stick with that. I'm still unsure about with vs attach. I know that using the word attach isn't technically correct, but IMO its worth using it to remain consistent with the other fields.

[aclevername]

LGTM