Use reduced IAM permissions on worker nodes instance profile #991

Merged
merged 3 commits into from
Jan 23, 2025
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Chart: Reduce default etcd volume size to 50 GB.
- Explicitly set Ignition user data storage type to S3 bucket objects for machine pools
- Use reduced IAM permissions on worker nodes instance profile. This can be toggled back with `global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers`.

## [2.5.0] - 2024-12-13
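Review bot: the new changelog entry does not flag this as a potentially breaking change for workloads that still obtain AWS credentials from the worker instance profile, although the README text added in this PR says applications must use IRSA instead of falling back to the instance profile. Suggest stating that in the entry itself, e.g. `- Use reduced IAM permissions on worker nodes instance profile. Workloads must use IRSA for AWS API access; the previous behaviour can be restored temporarily with global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers: false.`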

1 change: 1 addition & 0 deletions helm/cluster-aws/README.md
@@ -29,6 +29,7 @@ Properties within the `.global.providerSpecific` object
| `global.providerSpecific.instanceMetadataOptions` | **Instance metadata options** - Instance metadata options for the EC2 instances in the cluster.|**Type:** `object`<br/>|
| `global.providerSpecific.instanceMetadataOptions.httpTokens` | **HTTP tokens** - The state of token usage for your instance metadata requests. If you set this parameter to `optional`, you can use either IMDSv1 or IMDSv2. If you set this parameter to `required`, you must use a IMDSv2 to access the instance metadata endpoint. Learn more at [What’s new in IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).|**Type:** `string`<br/>**Default:** `"required"`|
| `global.providerSpecific.nodePoolAmi` | **Amazon machine image (AMI) for node pools** - If specified, this image will be used to provision EC2 instances for node pools.|**Type:** `string`<br/>|
| `global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers` | **Use reduced IAM permissions on worker nodes instance profile** - Defaults to true. If something breaks, this can temporarily be disabled in order to bring certain IAM permissions (e.g. EC2) back for the worker nodes' IAM instance profile. Applications must use [IRSA](https://docs.giantswarm.io/tutorials/access-management/iam-roles-for-service-accounts/) to authenticate with the AWS API instead of falling back to the instance profile.|**Type:** `boolean`<br/>**Default:** `true`|
| `global.providerSpecific.region` | **Region**|**Type:** `string`<br/>|

### Apps
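Review bot: "certain IAM permissions (e.g. EC2)" in the new `reducedInstanceProfileIamPermissionsForWorkers` row is too vague for an operator deciding whether to flip the flag; name the permissions that are dropped, or link to where the reduced policy is defined, so the blast radius of disabling it is clear. It is also worth saying that the toggle is cluster-wide (it lives under `global.providerSpecific`) and that setting it to `false` makes the broader permissions available to any pod on any worker that can reach the instance metadata endpoint, which `httpTokens: required` (IMDSv2) does not by itself prevent, for example for hostNetwork pods.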
6 changes: 6 additions & 0 deletions helm/cluster-aws/templates/_machine_pools.tpl
@@ -6,6 +6,12 @@ metadata:
labels:
giantswarm.io/machine-pool: {{ include "resource.default.name" $ }}-{{ $name }}
{{- include "labels.common" $ | nindent 4 }}
{{- if (required "global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers is required" $.Values.global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers) }}
alpha.aws.giantswarm.io/reduced-instance-permissions-workers: "true"
{{- end }}
{{- if eq (required "global.connectivity.cilium.ipamMode is required" $.Values.global.connectivity.cilium.ipamMode) "eni" }}
alpha.aws.giantswarm.io/ipam-mode: "eni"
{{- end }}
app.kubernetes.io/version: {{ $.Chart.Version | quote }}
name: {{ include "resource.default.name" $ }}-{{ $name }}
namespace: {{ $.Release.Namespace }}
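Review bot: `required` only rejects a missing (nil) or empty-string value, so `false` passes the check and the `if` simply skips the block; that is the intended "key must be present" semantics, but it is non-obvious next to a boolean and deserves a short template comment. More importantly, this hunk only emits the `alpha.aws.giantswarm.io/reduced-instance-permissions-workers: "true"` marker on the MachinePool; nothing in this diff touches an IAM policy, so the component that consumes the marker and actually narrows the instance profile should be named in the README/schema description, otherwise an operator has no way to verify the flag took effect. Note as well that the marker is omitted rather than set to `"false"` when the flag is disabled, so the consumer must treat absence as "full permissions".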
6 changes: 6 additions & 0 deletions helm/cluster-aws/values.schema.json
@@ -1804,6 +1804,12 @@
"title": "Amazon machine image (AMI) for node pools",
"description": "If specified, this image will be used to provision EC2 instances for node pools."
},
"reducedInstanceProfileIamPermissionsForWorkers": {
"type": "boolean",
"title": "Use reduced IAM permissions on worker nodes instance profile",
"description": "Defaults to true. If something breaks, this can temporarily be disabled in order to bring certain IAM permissions (e.g. EC2) back for the worker nodes' IAM instance profile. Applications must use [IRSA](https://docs.giantswarm.io/tutorials/access-management/iam-roles-for-service-accounts/) to authenticate with the AWS API instead of falling back to the instance profile.",
"default": true
},
"region": {
"type": "string",
"title": "Region"
1 change: 1 addition & 0 deletions helm/cluster-aws/values.yaml
@@ -383,5 +383,6 @@ global:
flatcarAwsAccount: "706635527432"
instanceMetadataOptions:
httpTokens: required
reducedInstanceProfileIamPermissionsForWorkers: true
release: {}
internal: {}
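Review bot: a one-line comment next to `reducedInstanceProfileIamPermissionsForWorkers: true` stating that `false` widens the worker instance profile and is meant only as a temporary rollback would stop the value being flipped casually in a cluster values file; the schema description is not visible to someone editing values.yaml directly.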