From 407da12aebaec4fd02c7c8fbce2ec9ee739890a0 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:00:15 +0100
Subject: [PATCH 1/5] Update module github.com/giantswarm/microerror to v0.4.1 (#222)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index f8a2d998..1cba8b80 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 github.com/aws/aws-sdk-go v1.47.7
 github.com/benbjohnson/clock v1.3.0 // indirect
- github.com/giantswarm/microerror v0.4.0
+ github.com/giantswarm/microerror v0.4.1
 github.com/go-logr/logr v1.3.0
 github.com/golang/mock v1.6.0
 github.com/google/uuid v1.4.0
diff --git a/go.sum b/go.sum
index 1ea244a5..eaa242ed 100644
--- a/go.sum
+++ b/go.sum
@@ -389,8 +389,8 @@ github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSy
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/giantswarm/microerror v0.4.0 h1:QeU+UZL0rRlVXKqYOHMxS0L7g8UD+dn84NT7myWVh4U=
-github.com/giantswarm/microerror v0.4.0/go.mod h1:Ju1YdC6TX/8witv7fIlkgiRr5FQUNyq3f4TX2QYnO7c=
+github.com/giantswarm/microerror v0.4.1 h1:WMiD7HQASoUA9lZzPlPK+erCEOJ0uT4cyo18VfCXHD0=
+github.com/giantswarm/microerror v0.4.1/go.mod h1:URFj0gFCmZihjya6saQCXxslBrgctXb4NsXYHB5JdrI=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
From 6867901c46bcd290486aa38bb52b6b9007022f00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nick=20J=C3=BCttner?=
Date: Fri, 10 Nov 2023 11:29:22 +0100
Subject: [PATCH 2/5] Add IAM permissions for describing scaling activities (#219)

* add IAM permissions for describing scaling activities
* add IAM role for cluster-autoscaler
* add IAM role for cluster-autoscaler
* add IAM role for cluster-autoscaler
* fix tests
* fix
* fix
---
 CHANGELOG.md | 4 ++
 .../awsmachinetemplate_controller_test.go | 1 +
 controllers/common_test.go | 56 +++++++++++++++++++
 pkg/iam/cluster_autoscaler_template.go | 31 ++++++++++
 pkg/iam/iam.go | 23 ++++----
 pkg/iam/template.go | 4 ++
 6 files changed, 109 insertions(+), 10 deletions(-)
 create mode 100644 pkg/iam/cluster_autoscaler_template.go

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9402b45..6183bf9d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Added
+
+- Add new IAM role for cluster-autoscaler.
+
 ## [0.12.0] - 2023-11-02
 ### Added
diff --git a/controllers/awsmachinetemplate_controller_test.go b/controllers/awsmachinetemplate_controller_test.go
index ffe9bad2..dba7c878 100644
--- a/controllers/awsmachinetemplate_controller_test.go
+++ b/controllers/awsmachinetemplate_controller_test.go
@@ -332,6 +332,7 @@ var _ = Describe("AWSMachineTemplateReconciler", func() {
 certManagerRoleInfo,
 ALBControllerRoleInfo,
 ebsCsiDriverRoleInfo,
+ clusterAutoscalerRoleInfo,
 }
 expectedIAMTags := []*iam.Tag{
diff --git a/controllers/common_test.go b/controllers/common_test.go
index 7e499f82..6ce771d6 100644
--- a/controllers/common_test.go
+++ b/controllers/common_test.go
@@ -534,3 +534,59 @@ var ebsCsiDriverRoleInfo = RoleInfo{
 ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-ebs-csi-driver",
 }
+
+var clusterAutoscalerRoleInfo = RoleInfo{
+ ExpectedName: "test-cluster-cluster-autoscaler-role",
+
+ ExpectedAssumeRolePolicyDocument: `{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam::012345678901:oidc-provider/irsa.test.gaws.gigantic.io"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "irsa.test.gaws.gigantic.io:sub": "system:serviceaccount:kube-system:cluster-autoscaler"
+ }
+ }
+ }
+ ]
+}
+`,
+
+ ExpectedPolicyName: "control-plane-test-cluster-policy",
+ ExpectedPolicyDocument: `{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeScalingActivities",
+ "autoscaling:DescribeTags",
+ "ec2:DescribeInstanceTypes",
+ "ec2:DescribeLaunchTemplateVersions",
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup",
+ "ec2:DescribeImages",
+ "ec2:GetInstanceTypesFromInstanceRequirements",
+ "eks:DescribeNodegroup"
+ ],
+ "Resource": "*"
+ }
+ ]
+}`,
+
+ ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-cluster-autoscaler",
+}
diff --git a/pkg/iam/cluster_autoscaler_template.go b/pkg/iam/cluster_autoscaler_template.go
new file mode 100644
index 00000000..84d89bc8
--- /dev/null
+++ b/pkg/iam/cluster_autoscaler_template.go
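Review bot: The `ExpectedPolicyDocument` fixture is not valid JSON — `"ec2:DescribeLaunchTemplateVersions",` is followed directly by `]`, and JSON rejects a trailing comma — yet the test still passes because the fixture is a verbatim copy of the new template constant and the assertion (outside this hunk) appears to be plain string equality; the same defect sits in the `pkg/iam/cluster_autoscaler_template.go` hunk. A guard that does not rely on keeping two copies in sync would be to also assert `json.Valid([]byte(info.ExpectedPolicyDocument))` (or unmarshal both sides and compare the decoded documents) wherever `RoleInfo` fixtures are consumed, so a malformed document fails in CI rather than at `iam:PutRolePolicy` time. The `ExpectedAssumeRolePolicyDocument` fixture also shows the trust condition binds only the `:sub` claim; whether an `:aud` condition is expected as defence in depth depends on `trustIdentityPolicyKIAMAndIRSA`, which is not in this diff.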
@@ -0,0 +1,31 @@
+package iam
+
+const clusterAutoscalerPolicyTemplate = `{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeScalingActivities",
+ "autoscaling:DescribeTags",
+ "ec2:DescribeInstanceTypes",
+ "ec2:DescribeLaunchTemplateVersions",
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup",
+ "ec2:DescribeImages",
+ "ec2:GetInstanceTypesFromInstanceRequirements",
+ "eks:DescribeNodegroup"
+ ],
+ "Resource": "*"
+ }
+ ]
+}`
diff --git a/pkg/iam/iam.go b/pkg/iam/iam.go
index 11426d1b..40547b93 100644
--- a/pkg/iam/iam.go
+++ b/pkg/iam/iam.go
@@ -16,15 +16,16 @@ import (
 )
 const (
- BastionRole = "bastion"
- ControlPlaneRole = "control-plane" // also used as part of finalizer name
- NodesRole = "nodes" // also used as part of finalizer name
- Route53Role = "route53-role"
- KIAMRole = "kiam-role"
- IRSARole = "irsa-role"
- CertManagerRole = "cert-manager-role"
- ALBConrollerRole = "ALBController-Role"
- EBSCSIDriverRole = "ebs-csi-driver-role"
+ BastionRole = "bastion"
+ ControlPlaneRole = "control-plane" // also used as part of finalizer name
+ NodesRole = "nodes" // also used as part of finalizer name
+ Route53Role = "route53-role"
+ KIAMRole = "kiam-role"
+ IRSARole = "irsa-role"
+ CertManagerRole = "cert-manager-role"
+ ALBConrollerRole = "ALBController-Role"
+ EBSCSIDriverRole = "ebs-csi-driver-role"
+ ClusterAutoscalerRole = "cluster-autoscaler-role"
 IAMControllerOwnedTag = "capi-iam-controller/owned"
 ClusterIDTag = "sigs.k8s.io/cluster-api-provider-aws/cluster/%s"
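Review bot: The second statement of `clusterAutoscalerPolicyTemplate` grants `autoscaling:SetDesiredCapacity` and `autoscaling:TerminateInstanceInAutoScalingGroup` on `"Resource": "*"`, so the service account of one workload cluster can resize or terminate instances in any Auto Scaling group in the AWS account, not only its own node groups. The upstream cluster-autoscaler documentation scopes exactly these two mutating actions with a `Condition` on the ASG tags the autoscaler already requires for discovery (`k8s.io/cluster-autoscaler/enabled` and the per-cluster tag), while the `Describe*`/`Get*` calls stay on `*` because they cannot be resource-scoped. If this constant is rendered as a template like the other policy templates (inferred from its use in `getInlinePolicyTemplate`; the rendering is not in this diff), the cluster name can be substituted into the tag key; the excerpt below uses a labelled placeholder for it.
```go
const clusterAutoscalerPolicyTemplate = `{
  "Version": "2012-10-17",
  "Statement": [
    // … unchanged: first statement (read-only autoscaling/ec2 Describe actions on "*") …
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:SetDesiredCapacity",
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/k8s.io/cluster-autoscaler/enabled": "true",
          "aws:ResourceTag/k8s.io/cluster-autoscaler/<CLUSTER_NAME_PLACEHOLDER>": "owned"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:GetInstanceTypesFromInstanceRequirements",
        "eks:DescribeNodegroup"
      ],
      "Resource": "*"
    }
  ]
}`
```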
@@ -157,7 +158,7 @@ func (s *IAMService) ReconcileKiamRole() error {
 func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string) error {
 s.log.Info("reconciling IAM roles for IRSA")
- for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole} {
+ for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole, ClusterAutoscalerRole} {
 var params Route53RoleParams
 params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain)
 if err != nil {
@@ -670,6 +671,8 @@ func getServiceAccount(role string) (string, error) {
 return "aws-load-balancer-controller", nil
 } else if role == EBSCSIDriverRole {
 return "ebs-csi-controller-sa", nil
+ } else if role == ClusterAutoscalerRole {
+ return "cluster-autoscaler", nil
 }
 return "", fmt.Errorf("cannot get service account for specified role - %s", role)
diff --git a/pkg/iam/template.go b/pkg/iam/template.go
index b568cfc3..cf2458a7 100644
--- a/pkg/iam/template.go
+++ b/pkg/iam/template.go
@@ -55,6 +55,8 @@ func getInlinePolicyTemplate(roleType string) string {
 return ALBControllerPolicyTemplate
 case EBSCSIDriverRole:
 return EBSCSIDriverPolicyTemplate
+ case ClusterAutoscalerRole:
+ return clusterAutoscalerPolicyTemplate
 default:
 return ""
 }
@@ -80,6 +82,8 @@ func getTrustPolicyTemplate(roleType string) string {
 return trustIdentityPolicyKIAMAndIRSA
 case EBSCSIDriverRole:
 return trustIdentityPolicyKIAMAndIRSA
+ case ClusterAutoscalerRole:
+ return trustIdentityPolicyKIAMAndIRSA
 default:
 return ""
From cf59acfe66220e532ab9759aedc1a65bbd9b5a5e Mon Sep 17 00:00:00 2001
From: Taylor Bot
Date: Fri, 10 Nov 2023 13:57:46 +0100
Subject: [PATCH 3/5] Release v0.13.0 (#224)

---
 CHANGELOG.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6183bf9d..5b4ba68a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
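Review bot: The new `else if role == ClusterAutoscalerRole` branch in `getServiceAccount` extends an if/else-if chain that now compares the same string five times, while the two `template.go` hunks in this commit dispatch on the same role constants with a `switch`; the same function would read more consistently as `switch role { case ClusterAutoscalerRole: return "cluster-autoscaler", nil; … }` with the `fmt.Errorf` in the `default` arm. The start of `getServiceAccount` lies outside the hunk, so the existing arms would need converting in the same change. The hard-coded `kube-system:cluster-autoscaler` subject this returns (as the common_test.go fixture shows) only binds the role to that one service account if the deployed autoscaler actually uses that name and namespace, which this diff cannot confirm; a short comment on the branch naming where that value must match would help the next maintainer.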
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.13.0] - 2023-11-10
+
 ### Added
 - Add new IAM role for cluster-autoscaler.
@@ -154,7 +156,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Implement `AWSMachineTemplate` reconciler.
 - Implement `AWSMachinePool` reconciler.
-[Unreleased]: https://github.com/giantswarm/capa-iam-operator/compare/v0.12.0...HEAD
+[Unreleased]: https://github.com/giantswarm/capa-iam-operator/compare/v0.13.0...HEAD
+[0.13.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.12.0...v0.13.0
 [0.12.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.11.0...v0.12.0
 [0.11.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.10.0...v0.11.0
 [0.10.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.9.0...v0.10.0
From 38b970aaa6d6a16b62ed4f8b980c38c011757155 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nick=20J=C3=BCttner?=
Date: Fri, 10 Nov 2023 14:34:36 +0100
Subject: [PATCH 4/5] Fix malformed cluster-autoscaler policy (#225)

* fix malformed cluster-autoscaler policy
* fix malformed cluster-autoscaler policy
---
 CHANGELOG.md | 4 ++++
 controllers/common_test.go | 2 +-
 pkg/iam/cluster_autoscaler_template.go | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b4ba68a..498f9221 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Fixed
+
+- Fix malformed cluster-autoscaler policy.
+
 ## [0.13.0] - 2023-11-10
 ### Added
diff --git a/controllers/common_test.go b/controllers/common_test.go
index 6ce771d6..1e247587 100644
--- a/controllers/common_test.go
+++ b/controllers/common_test.go
@@ -570,7 +570,7 @@ var clusterAutoscalerRoleInfo = RoleInfo{
 "autoscaling:DescribeScalingActivities",
 "autoscaling:DescribeTags",
 "ec2:DescribeInstanceTypes",
- "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeLaunchTemplateVersions"
 ],
 "Resource": "*"
 },
diff --git a/pkg/iam/cluster_autoscaler_template.go b/pkg/iam/cluster_autoscaler_template.go
index 84d89bc8..84b83229 100644
--- a/pkg/iam/cluster_autoscaler_template.go
+++ b/pkg/iam/cluster_autoscaler_template.go
@@ -12,7 +12,7 @@ const clusterAutoscalerPolicyTemplate = `{
 "autoscaling:DescribeScalingActivities",
 "autoscaling:DescribeTags",
 "ec2:DescribeInstanceTypes",
- "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeLaunchTemplateVersions"
 ],
 "Resource": "*"
 },
From 02399c3f499ec02eff35f8bc71610e6e38c038db Mon Sep 17 00:00:00 2001
From: Taylor Bot
Date: Fri, 10 Nov 2023 14:39:38 +0100
Subject: [PATCH 5/5] Release v0.13.1 (#226)

---
 CHANGELOG.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 498f9221..221d9207 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.13.1] - 2023-11-10
+
 ### Fixed
 - Fix malformed cluster-autoscaler policy.
@@ -160,7 +162,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Implement `AWSMachineTemplate` reconciler.
 - Implement `AWSMachinePool` reconciler.
-[Unreleased]: https://github.com/giantswarm/capa-iam-operator/compare/v0.13.0...HEAD
+[Unreleased]: https://github.com/giantswarm/capa-iam-operator/compare/v0.13.1...HEAD
+[0.13.1]: https://github.com/giantswarm/capa-iam-operator/compare/v0.13.0...v0.13.1
 [0.13.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.12.0...v0.13.0
 [0.12.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.11.0...v0.12.0
 [0.11.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.10.0...v0.11.0