Add Crossplane IAM roles, policies, and instance profiles for worker nodes

Author: fiunchinho

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add Crossplane IAM Roles, policies and instance profiles for the worker nodes. Instead of having an IAM Role per node pool, now we'll use the same for all node pools. *This change will roll the worker nodes*.
+
 ### Changed
 
 - Tidy up dependencies on `azs-getter`.

helm/cluster-aws/README.md

@@ -32,7 +32,6 @@ Properties within the `.global.providerSpecific` object
 | `global.providerSpecific.irsaCrossplane` | **Use Crossplane to provision IRSA infrastructure** - Defaults to true. Crossplane will adopt all the resources created by IRSA Operator. If set to false, the IRSA Operator will take over the infrastructure again.|**Type:** `[boolean]`<br/>**Default:** `true`|
 | `global.providerSpecific.nodePoolAmi` | **Amazon machine image (AMI) for node pools** - If specified, this image will be used to provision EC2 instances for node pools.|**Type:** `[string]`<br/>|
 | `global.providerSpecific.nodeTerminationHandlerEnabled` | **Use the AWS Node Termination Handler app** - Defaults to true. Whether or not to enable the Auto Scaling Groups lifecycle hooks and use the node-termination-handler app (NTH) to manage the termination of EC2 instances.|**Type:** `[boolean]`<br/>**Default:** `true`|
-| `global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers` | **Use reduced IAM permissions on worker nodes instance profile** - Defaults to true. If something breaks, this can temporarily be disabled in order to bring certain IAM permissions (e.g. EC2) back for the worker nodes' IAM instance profile. Applications must use [IRSA](https://docs.giantswarm.io/tutorials/access-management/iam-roles-for-service-accounts/) to authenticate with the AWS API instead of falling back to the instance profile.|**Type:** `[boolean]`<br/>**Default:** `true`|
 | `global.providerSpecific.region` | **Region**|**Type:** `[string]`<br/>|
 
 ### Apps

helm/cluster-aws/templates/_aws_cluster.tpl

@@ -258,8 +258,6 @@ spec:
     controlPlaneIAMInstanceProfile: control-plane-{{ include "resource.default.name" $ }}
     name: {{ include "aws-region" . }}-capa-{{ include "resource.default.name" $ }}
     nodesIAMInstanceProfiles:
-    {{- range $name, $value := .Values.global.nodePools | default .Values.cluster.providerIntegration.workers.defaultNodePools }}
-    - nodes-{{ $name }}-{{ include "resource.default.name" $ }}
-    {{- end }}
+    - {{ include "resource.default.name" $ }}-worker
   region: {{ include "aws-region" . }}
 {{ end }}

helm/cluster-aws/templates/_control_plane.tpl

@@ -31,7 +31,7 @@ nonRootVolumes:
 rootVolume:
   size: {{ .Values.global.controlPlane.rootVolumeSizeGB }}
   type: gp3
-iamInstanceProfile: control-plane-{{ include "resource.default.name" $ }}
+iamInstanceProfile: {{ include "resource.default.name" $ }}-control-plane
 {{- if .Values.global.controlPlane.additionalSecurityGroups }}
 additionalSecurityGroups:
 {{- toYaml .Values.global.controlPlane.additionalSecurityGroups | nindent 2 }}

helm/cluster-aws/templates/_karpenter_machine_pools.tpl

@@ -7,9 +7,6 @@ metadata:
   labels:
     giantswarm.io/machine-pool: {{ include "resource.default.name" $ }}-{{ $name }}
     {{- include "labels.common" $ | nindent 4 }}
-    {{- if $.Values.global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers }}
-    alpha.aws.giantswarm.io/reduced-instance-permissions-workers: "true"
-    {{- end }}
     app.kubernetes.io/version: {{ $.Chart.Version | quote }}
   name: {{ include "resource.default.name" $ }}-{{ $name }}
   namespace: {{ $.Release.Namespace }}
@@ -38,6 +35,7 @@ spec:
         volumeType: gp3
         deleteOnTermination: true
     instanceProfile: nodes-{{ $name }}-{{ include "resource.default.name" $ }}
+    instanceProfile: {{ include "resource.default.name" $ }}-worker
     metadataOptions:
       {{- if eq $.Values.global.connectivity.cilium.ipamMode "eni" }}
       httpPutResponseHopLimit: 2

helm/cluster-aws/templates/_machine_pools.tpl

@@ -7,9 +7,6 @@ metadata:
   labels:
     giantswarm.io/machine-pool: {{ include "resource.default.name" $ }}-{{ $name }}
     {{- include "labels.common" $ | nindent 4 }}
-    {{- if $.Values.global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers }}
-    alpha.aws.giantswarm.io/reduced-instance-permissions-workers: "true"
-    {{- end }}
     {{- if eq $.Values.global.connectivity.cilium.ipamMode "eni" }}
     alpha.aws.giantswarm.io/ipam-mode: "eni"
     {{- end }}
@@ -50,7 +47,7 @@ spec:
     {{- else }}
     {{- include "imageLookupParameters" $ | nindent 4 }}
     {{- end }}
-    iamInstanceProfile: nodes-{{ $name }}-{{ include "resource.default.name" $ }}
+    iamInstanceProfile: {{ include "resource.default.name" $ }}-worker
     instanceType: {{ $value.instanceType | default "r6i.xlarge" }}
     rootVolume:
       size: {{ $value.rootVolumeSizeGB | default 8 }}

helm/cluster-aws/templates/required.yaml

@@ -3,4 +3,3 @@
 {{- $_ := required "global.connectivity.cilium.ipamMode is required"  .Values.global.connectivity.cilium.ipamMode }}
 {{- $_ := required "global.connectivity.network.pods.cidrBlocks is required" .Values.global.connectivity.network.pods.cidrBlocks }}
 {{- $_ := required "You must provide an existing organization name in .global.metadata.organization" .Values.global.metadata.organization }}
-{{- $_ := required "global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers is required" $.Values.global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers }}

helm/cluster-aws/templates/workers-crossplane-iam-role.yaml

@@ -0,0 +1,119 @@
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: Role
+metadata:
+  name: {{ include "resource.default.name" $ }}-worker
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    assumeRolePolicy: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "ec2.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+          }
+        ]
+      }
+    tags:
+      managed-by: "cluster-aws"
+      giantswarm.io/cluster: {{ include "resource.default.name" $ }}
+      giantswarm.io/installation: {{ .Values.global.managementCluster }}
+      {{- if .Values.global.providerSpecific.additionalResourceTags -}}{{- toYaml .Values.global.providerSpecific.additionalResourceTags | nindent 4 }}{{- end}}
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+  name: {{ include "resource.default.name" $ }}-worker
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    roleRef:
+      name: {{ include "resource.default.name" $ }}-worker
+    policy: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+        {{- if eq .Values.global.connectivity.cilium.ipamMode "eni" }}
+          {
+            "Action": [
+              "ec2:AssignPrivateIpAddresses",
+              "ec2:AttachNetworkInterface",
+              "ec2:CreateNetworkInterface",
+              "ec2:CreateTags",
+              "ec2:DeleteNetworkInterface",
+              "ec2:DescribeInstances",
+              "ec2:DescribeInstanceTypes",
+              "ec2:DescribeNetworkInterfaces",
+              "ec2:DescribeRouteTables",
+              "ec2:DescribeSecurityGroups",
+              "ec2:DescribeSubnets",
+              "ec2:DescribeTags",
+              "ec2:DescribeVpcs",
+              "ec2:ModifyNetworkInterfaceAttribute",
+              "ec2:UnassignPrivateIpAddresses"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+          },
+        {{- end }}
+          {
+            "Action": [
+              "ecr:BatchCheckLayerAvailability",
+              "ecr:BatchGetImage",
+              "ecr:DescribeRepositories",
+              "ecr:GetAuthorizationToken",
+              "ecr:GetDownloadUrlForLayer",
+              "ecr:GetRepositoryPolicy",
+              "ecr:ListImages"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+          }
+        ]
+      }
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: InstanceProfile
+metadata:
+  name: {{ include "resource.default.name" $ }}-worker
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    tags:
+      managed-by: "cluster-aws"
+      giantswarm.io/cluster: {{ include "resource.default.name" $ }}
+      giantswarm.io/installation: {{ .Values.global.managementCluster }}
+      {{- if .Values.global.providerSpecific.additionalResourceTags -}}{{- toYaml .Values.global.providerSpecific.additionalResourceTags | nindent 4 }}{{- end}}
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+  name: {{ include "resource.default.name" $ }}-worker
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    roleRef:
+      name: {{ include "resource.default.name" $ }}-worker
+    instanceProfileRef:
+      name: {{ include "resource.default.name" $ }}-worker
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}

helm/cluster-aws/values.schema.json

@@ -2433,12 +2433,6 @@
                             "description": "Defaults to true. Whether or not to enable the Auto Scaling Groups lifecycle hooks and use the node-termination-handler app (NTH) to manage the termination of EC2 instances.",
                             "default": true
                         },
-                        "reducedInstanceProfileIamPermissionsForWorkers": {
-                            "type": "boolean",
-                            "title": "Use reduced IAM permissions on worker nodes instance profile",
-                            "description": "Defaults to true. If something breaks, this can temporarily be disabled in order to bring certain IAM permissions (e.g. EC2) back for the worker nodes' IAM instance profile. Applications must use [IRSA](https://docs.giantswarm.io/tutorials/access-management/iam-roles-for-service-accounts/) to authenticate with the AWS API instead of falling back to the instance profile.",
-                            "default": true
-                        },
                         "region": {
                             "type": "string",
                             "title": "Region"

helm/cluster-aws/values.yaml

@@ -401,6 +401,5 @@ global:
       httpTokens: required
     irsaCrossplane: true
     nodeTerminationHandlerEnabled: true
-    reducedInstanceProfileIamPermissionsForWorkers: true
   release: {}
 internal: {}