add IAM role for cluster-autoscaler
njuettner committed Nov 8, 2023
1 parent b0cf191 commit a65075f
Showing 7 changed files with 112 additions and 12 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Added

- Add addition IAM permission for cluster-autoscaler to describe scaling activities.
- Add new IAM role for cluster-autoscaler.

## [0.12.0] - 2023-11-02

1 change: 1 addition & 0 deletions controllers/awsmachinetemplate_controller_test.go
Expand Up @@ -332,6 +332,7 @@ var _ = Describe("AWSMachineTemplateReconciler", func() {
certManagerRoleInfo,
ALBControllerRoleInfo,
ebsCsiDriverRoleInfo,
clusterAutoscalerRoleInfo,
}

expectedIAMTags := []*iam.Tag{
56 changes: 56 additions & 0 deletions controllers/common_test.go
Expand Up @@ -534,3 +534,59 @@ var ebsCsiDriverRoleInfo = RoleInfo{

ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-ebs-csi-driver",
}

var clusterAutoscalerRoleInfo = RoleInfo{
ExpectedName: "test-cluster-cluster-autoscaler-role",

ExpectedAssumeRolePolicyDocument: `{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::012345678901:oidc-provider/irsa.test.gaws.gigantic.io"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"irsa.test.gaws.gigantic.io:sub": "system:serviceaccount:kube-system:cluster-autoscaler"
}
}
}
]
}
`,

ExpectedPolicyName: "control-plane-test-cluster-policy",
ExpectedPolicyDocument: `{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeTags",
"ec2:DescribeInstanceTypes",
"ec2:DescribeLaunchTemplateVersions",
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"ec2:DescribeImages",
"ec2:GetInstanceTypesFromInstanceRequirements",
"eks:DescribeNodegroup"
],
"Resource": "*",
"Effect": "Allow"
}
]
}`,

ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-cluster-autoscaler",
}
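Review bot: The expected policy document pins a trailing comma after `"ec2:DescribeLaunchTemplateVersions",` immediately before the closing `],` of the first statement, which makes the document invalid JSON; the same comma is present in the new template in pkg/iam/cluster_autoscaler_template.go, so a plain string comparison passes while AWS IAM would reject the policy as malformed when the role is actually reconciled. Drop the comma in both places, and consider having the fixture assert `json.Valid([]byte(clusterAutoscalerRoleInfo.ExpectedPolicyDocument))` (or do so for every RoleInfo) so this class of error fails in the unit test rather than at reconcile time. The ReturnRoleArn ends in `test-cluster-cluster-autoscaler` while ExpectedName is `test-cluster-cluster-autoscaler-role`; the sibling ebs-csi-driver fixture shows the same shape, so this is presumably intentional, but it is worth confirming the ARN is never derived from the role name in the code under test.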
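--- /dev/null
+++ b/pkg/iam/cluster_autoscaler_template.go
@@ -0,0 +1,31 @@
+package iam
+
+const clusterAutoscalerPolicyTemplate = `{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": [
+"autoscaling:DescribeAutoScalingGroups",
+"autoscaling:DescribeAutoScalingInstances",
+"autoscaling:DescribeLaunchConfigurations",
+"autoscaling:DescribeScalingActivities",
+"autoscaling:DescribeTags",
+"ec2:DescribeInstanceTypes",
+"ec2:DescribeLaunchTemplateVersions",
+],
+"Resource": "*",
+"Effect": "Allow"
+},
+{
+"Action": [
+"autoscaling:SetDesiredCapacity",
+"autoscaling:TerminateInstanceInAutoScalingGroup",
+"ec2:DescribeImages",
+"ec2:GetInstanceTypesFromInstanceRequirements",
+"eks:DescribeNodegroup"
+],
+"Resource": "*",
+"Effect": "Allow"
+}
+]
+}`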
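Review bot: The mutating actions in the second statement, `autoscaling:SetDesiredCapacity` and `autoscaling:TerminateInstanceInAutoScalingGroup`, are granted on `"Resource": "*"`, so the role can resize or terminate instances in every Auto Scaling group in the account rather than only this cluster's; the Describe* actions in the first statement genuinely need `*`, but these two do not. The upstream cluster-autoscaler AWS guidance scopes them with a resource-tag condition on the ASGs the autoscaler manages, which would confine the blast radius of a compromised cluster-autoscaler service account to this cluster. The remaining `ec2:`/`eks:` Describe actions in that statement do not carry the ASG tag, so they would need to move into their own unconditioned statement. I cannot see from this diff how the other templates substitute the cluster name, so the tag key below uses a placeholder; wire it to the same mechanism the project already uses.
```go
		{
			"Action": [
				"autoscaling:SetDesiredCapacity",
				"autoscaling:TerminateInstanceInAutoScalingGroup"
			],
			"Resource": "*",
			"Effect": "Allow",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/k8s.io/cluster-autoscaler/<CLUSTER-NAME-PLACEHOLDER>": "owned"
				}
			}
		},
		// … unchanged: ec2:DescribeImages / ec2:GetInstanceTypesFromInstanceRequirements / eks:DescribeNodegroup, now in a separate statement without the condition …
```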
29 changes: 19 additions & 10 deletions pkg/iam/iam.go
Expand Up @@ -16,15 +16,16 @@ import (
)

const (
BastionRole = "bastion"
ControlPlaneRole = "control-plane" // also used as part of finalizer name
NodesRole = "nodes" // also used as part of finalizer name
Route53Role = "route53-role"
KIAMRole = "kiam-role"
IRSARole = "irsa-role"
CertManagerRole = "cert-manager-role"
ALBConrollerRole = "ALBController-Role"
EBSCSIDriverRole = "ebs-csi-driver-role"
BastionRole = "bastion"
ControlPlaneRole = "control-plane" // also used as part of finalizer name
NodesRole = "nodes" // also used as part of finalizer name
Route53Role = "route53-role"
KIAMRole = "kiam-role"
IRSARole = "irsa-role"
CertManagerRole = "cert-manager-role"
ALBConrollerRole = "ALBController-Role"
EBSCSIDriverRole = "ebs-csi-driver-role"
ClusterAutoscalerRole = "cluster-autoscaler-role"

IAMControllerOwnedTag = "capi-iam-controller/owned"
ClusterIDTag = "sigs.k8s.io/cluster-api-provider-aws/cluster/%s"
Expand Down Expand Up @@ -157,7 +158,7 @@ func (s *IAMService) ReconcileKiamRole() error {
func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string) error {
s.log.Info("reconciling IAM roles for IRSA")

for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole} {
for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole, ClusterAutoscalerRole} {
var params Route53RoleParams
params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain)
if err != nil {
Expand Down Expand Up @@ -457,6 +458,12 @@ func (s *IAMService) DeleteRolesForIRSA() error {
return err
}

// delete cluster-autoscaler role
err = s.deleteRole(roleName(ClusterAutoscalerRole, s.clusterName))
if err != nil {
return err
}

s.log.Info("finished deleting IAM roles for IRSA")
return nil
}
Expand Down Expand Up @@ -670,6 +677,8 @@ func getServiceAccount(role string) (string, error) {
return "aws-load-balancer-controller", nil
} else if role == EBSCSIDriverRole {
return "ebs-csi-controller-sa", nil
} else if role == ClusterAutoscalerRole {
return "cluster-autoscaler", nil
}

return "", fmt.Errorf("cannot get service account for specified role - %s", role)
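Review bot: The new delete block in DeleteRolesForIRSA is appended after the existing ones and returns on the first error, so a failure deleting any earlier role leaves the cluster-autoscaler role and its inline policy orphaned in the account until a later pass succeeds; the function's body starts and ends outside the hunk, so I cannot see whether the caller retries. Since each role deletion is independent, collecting the results per role, e.g. `errs = append(errs, s.deleteRole(roleName(ClusterAutoscalerRole, s.clusterName)))` and `return errors.Join(errs...)` at the end (Go 1.20+), would give every role one attempt per reconcile. The same pattern applies to the loop in ReconcileRolesForIRSA, where the newly added ClusterAutoscalerRole is last and is skipped whenever an earlier role fails.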
1 change: 0 additions & 1 deletion pkg/iam/nodes_template.go
Expand Up @@ -18,7 +18,6 @@ const nodesTemplate = `{
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeTags",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeScalingActivities",
"ec2:DescribeLaunchTemplateVersions"
],
4 changes: 4 additions & 0 deletions pkg/iam/template.go
Expand Up @@ -55,6 +55,8 @@ func getInlinePolicyTemplate(roleType string) string {
return ALBControllerPolicyTemplate
case EBSCSIDriverRole:
return EBSCSIDriverPolicyTemplate
case ClusterAutoscalerRole:
return clusterAutoscalerPolicyTemplate
default:
return ""
}
Expand All @@ -80,6 +82,8 @@ func getTrustPolicyTemplate(roleType string) string {
return trustIdentityPolicyKIAMAndIRSA
case EBSCSIDriverRole:
return trustIdentityPolicyKIAMAndIRSA
case ClusterAutoscalerRole:
return trustIdentityPolicyKIAMAndIRSA

default:
return ""
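Review bot: `clusterAutoscalerPolicyTemplate` returned by the new case in getInlinePolicyTemplate is unexported, while the sibling templates returned from the same switch (`ALBControllerPolicyTemplate`, `EBSCSIDriverPolicyTemplate`) are exported, so the new case reads as an accidental inconsistency rather than a deliberate visibility choice. Keeping the template unexported is the smaller API surface, but then the others should follow in a later change, or a one-line comment on the constant should say why it differs. Both getInlinePolicyTemplate and getTrustPolicyTemplate start and end outside the hunks, so I cannot confirm there is no other place that needs the new case.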
