Add IAM permissions for describing scaling activities (#219)

* add IAM permissions for describing scaling activities

* add IAM role for cluster-autoscaler

* add IAM role for cluster-autoscaler

* add IAM role for cluster-autoscaler

* fix tests

* fix

* fix

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add new IAM role for cluster-autoscaler.
+
 ## [0.12.0] - 2023-11-02
 
 ### Added

controllers/awsmachinetemplate_controller_test.go

@@ -332,6 +332,7 @@ var _ = Describe("AWSMachineTemplateReconciler", func() {
 		certManagerRoleInfo,
 		ALBControllerRoleInfo,
 		ebsCsiDriverRoleInfo,
+		clusterAutoscalerRoleInfo,
 	}
 
 	expectedIAMTags := []*iam.Tag{

controllers/common_test.go

@@ -534,3 +534,59 @@ var ebsCsiDriverRoleInfo = RoleInfo{
 
 	ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-ebs-csi-driver",
 }
+
+var clusterAutoscalerRoleInfo = RoleInfo{
+	ExpectedName: "test-cluster-cluster-autoscaler-role",
+
+	ExpectedAssumeRolePolicyDocument: `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::012345678901:oidc-provider/irsa.test.gaws.gigantic.io"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "irsa.test.gaws.gigantic.io:sub": "system:serviceaccount:kube-system:cluster-autoscaler"
+        }
+      }
+    }
+  ]
+}
+`,
+
+	ExpectedPolicyName: "control-plane-test-cluster-policy",
+	ExpectedPolicyDocument: `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "autoscaling:DescribeAutoScalingGroups",
+        "autoscaling:DescribeAutoScalingInstances",
+        "autoscaling:DescribeLaunchConfigurations",
+        "autoscaling:DescribeScalingActivities",
+        "autoscaling:DescribeTags",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeLaunchTemplateVersions",
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "autoscaling:SetDesiredCapacity",
+        "autoscaling:TerminateInstanceInAutoScalingGroup",
+        "ec2:DescribeImages",
+        "ec2:GetInstanceTypesFromInstanceRequirements",
+        "eks:DescribeNodegroup"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+
+	ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-cluster-autoscaler",
+}

pkg/iam/cluster_autoscaler_template.go

@@ -0,0 +1,31 @@
+package iam
+
+const clusterAutoscalerPolicyTemplate = `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "autoscaling:DescribeAutoScalingGroups",
+        "autoscaling:DescribeAutoScalingInstances",
+        "autoscaling:DescribeLaunchConfigurations",
+        "autoscaling:DescribeScalingActivities",
+        "autoscaling:DescribeTags",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeLaunchTemplateVersions",
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "autoscaling:SetDesiredCapacity",
+        "autoscaling:TerminateInstanceInAutoScalingGroup",
+        "ec2:DescribeImages",
+        "ec2:GetInstanceTypesFromInstanceRequirements",
+        "eks:DescribeNodegroup"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`

pkg/iam/iam.go

@@ -16,15 +16,16 @@ import (
 )
 
 const (
-	BastionRole      = "bastion"
-	ControlPlaneRole = "control-plane" // also used as part of finalizer name
-	NodesRole        = "nodes"         // also used as part of finalizer name
-	Route53Role      = "route53-role"
-	KIAMRole         = "kiam-role"
-	IRSARole         = "irsa-role"
-	CertManagerRole  = "cert-manager-role"
-	ALBConrollerRole = "ALBController-Role"
-	EBSCSIDriverRole = "ebs-csi-driver-role"
+	BastionRole           = "bastion"
+	ControlPlaneRole      = "control-plane" // also used as part of finalizer name
+	NodesRole             = "nodes"         // also used as part of finalizer name
+	Route53Role           = "route53-role"
+	KIAMRole              = "kiam-role"
+	IRSARole              = "irsa-role"
+	CertManagerRole       = "cert-manager-role"
+	ALBConrollerRole      = "ALBController-Role"
+	EBSCSIDriverRole      = "ebs-csi-driver-role"
+	ClusterAutoscalerRole = "cluster-autoscaler-role"
 
 	IAMControllerOwnedTag = "capi-iam-controller/owned"
 	ClusterIDTag          = "sigs.k8s.io/cluster-api-provider-aws/cluster/%s"
@@ -157,7 +158,7 @@ func (s *IAMService) ReconcileKiamRole() error {
 func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string) error {
 	s.log.Info("reconciling IAM roles for IRSA")
 
-	for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole} {
+	for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole, ClusterAutoscalerRole} {
 		var params Route53RoleParams
 		params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain)
 		if err != nil {
@@ -670,6 +671,8 @@ func getServiceAccount(role string) (string, error) {
 		return "aws-load-balancer-controller", nil
 	} else if role == EBSCSIDriverRole {
 		return "ebs-csi-controller-sa", nil
+	} else if role == ClusterAutoscalerRole {
+		return "cluster-autoscaler", nil
 	}
 
 	return "", fmt.Errorf("cannot get service account for specified role - %s", role)

pkg/iam/template.go

@@ -55,6 +55,8 @@ func getInlinePolicyTemplate(roleType string) string {
 		return ALBControllerPolicyTemplate
 	case EBSCSIDriverRole:
 		return EBSCSIDriverPolicyTemplate
+	case ClusterAutoscalerRole:
+		return clusterAutoscalerPolicyTemplate
 	default:
 		return ""
 	}
@@ -80,6 +82,8 @@ func getTrustPolicyTemplate(roleType string) string {
 		return trustIdentityPolicyKIAMAndIRSA
 	case EBSCSIDriverRole:
 		return trustIdentityPolicyKIAMAndIRSA
+	case ClusterAutoscalerRole:
+		return trustIdentityPolicyKIAMAndIRSA
 
 	default:
 		return ""