Add Crossplane IAM roles, policies, and instance profiles for worker nodes

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- *This change will roll the nodes* Add Crossplane IAM Roles, policies and instance profiles for worker and control plane nodes. Instead of having an IAM Role per node pool, now we'll use the same for all node pools.
+
+### Removed
+
+- Removed `reducedInstanceProfileIamPermissionsForWorkers` value, as that's the default behavior now.
+
 ## [6.4.0] - 2025-10-28
 
 ### Added

helm/cluster-aws/README.md

@@ -32,7 +32,6 @@ Properties within the `.global.providerSpecific` object
 | `global.providerSpecific.irsaCrossplane` | **Use Crossplane to provision IRSA infrastructure** - Defaults to true. Crossplane will adopt all the resources created by IRSA Operator. If set to false, the IRSA Operator will take over the infrastructure again.|**Type:** `[boolean]`<br/>**Default:** `true`|
 | `global.providerSpecific.nodePoolAmi` | **Amazon machine image (AMI) for node pools** - If specified, this image will be used to provision EC2 instances for node pools.|**Type:** `[string]`<br/>|
 | `global.providerSpecific.nodeTerminationHandlerEnabled` | **Use the AWS Node Termination Handler app** - Defaults to true. Whether or not to enable the Auto Scaling Groups lifecycle hooks and use the node-termination-handler app (NTH) to manage the termination of EC2 instances.|**Type:** `[boolean]`<br/>**Default:** `true`|
-| `global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers` | **Use reduced IAM permissions on worker nodes instance profile** - Defaults to true. If something breaks, this can temporarily be disabled in order to bring certain IAM permissions (e.g. EC2) back for the worker nodes' IAM instance profile. Applications must use [IRSA](https://docs.giantswarm.io/tutorials/access-management/iam-roles-for-service-accounts/) to authenticate with the AWS API instead of falling back to the instance profile.|**Type:** `[boolean]`<br/>**Default:** `true`|
 | `global.providerSpecific.region` | **Region**|**Type:** `[string]`<br/>|
 
 ### Apps

helm/cluster-aws/templates/_aws_cluster.tpl

@@ -255,11 +255,9 @@ spec:
     {{- end }}
   sshKeyName: ssh-key
   s3Bucket:
-    controlPlaneIAMInstanceProfile: control-plane-{{ include "resource.default.name" $ }}
+    controlPlaneIAMInstanceProfile: {{ include "resource.default.name" $ }}-control-plane
     name: {{ include "aws-region" . }}-capa-{{ include "resource.default.name" $ }}
     nodesIAMInstanceProfiles:
-    {{- range $name, $value := .Values.global.nodePools | default .Values.cluster.providerIntegration.workers.defaultNodePools }}
-    - nodes-{{ $name }}-{{ include "resource.default.name" $ }}
-    {{- end }}
+    - {{ include "resource.default.name" $ }}-worker
   region: {{ include "aws-region" . }}
 {{ end }}

helm/cluster-aws/templates/_control_plane.tpl

@@ -31,7 +31,7 @@ nonRootVolumes:
 rootVolume:
   size: {{ .Values.global.controlPlane.rootVolumeSizeGB }}
   type: gp3
-iamInstanceProfile: control-plane-{{ include "resource.default.name" $ }}
+iamInstanceProfile: {{ include "resource.default.name" $ }}-control-plane
 {{- if .Values.global.controlPlane.additionalSecurityGroups }}
 additionalSecurityGroups:
 {{- toYaml .Values.global.controlPlane.additionalSecurityGroups | nindent 2 }}

helm/cluster-aws/templates/_karpenter_machine_pools.tpl

@@ -7,9 +7,6 @@ metadata:
   labels:
     giantswarm.io/machine-pool: {{ include "resource.default.name" $ }}-{{ $name }}
     {{- include "labels.common" $ | nindent 4 }}
-    {{- if $.Values.global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers }}
-    alpha.aws.giantswarm.io/reduced-instance-permissions-workers: "true"
-    {{- end }}
     app.kubernetes.io/version: {{ $.Chart.Version | quote }}
   name: {{ include "resource.default.name" $ }}-{{ $name }}
   namespace: {{ $.Release.Namespace }}
@@ -37,7 +34,7 @@ spec:
         volumeSize: {{ $value.logVolumeSizeGB | default 30}}Gi
         volumeType: gp3
         deleteOnTermination: true
-    instanceProfile: nodes-{{ $name }}-{{ include "resource.default.name" $ }}
+    instanceProfile: {{ include "resource.default.name" $ }}-worker
     metadataOptions:
       {{- if eq $.Values.global.connectivity.cilium.ipamMode "eni" }}
       httpPutResponseHopLimit: 2

helm/cluster-aws/templates/_machine_pools.tpl

@@ -7,9 +7,6 @@ metadata:
   labels:
     giantswarm.io/machine-pool: {{ include "resource.default.name" $ }}-{{ $name }}
     {{- include "labels.common" $ | nindent 4 }}
-    {{- if $.Values.global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers }}
-    alpha.aws.giantswarm.io/reduced-instance-permissions-workers: "true"
-    {{- end }}
     {{- if eq $.Values.global.connectivity.cilium.ipamMode "eni" }}
     alpha.aws.giantswarm.io/ipam-mode: "eni"
     {{- end }}
@@ -50,7 +47,7 @@ spec:
     {{- else }}
     {{- include "imageLookupParameters" $ | nindent 4 }}
     {{- end }}
-    iamInstanceProfile: nodes-{{ $name }}-{{ include "resource.default.name" $ }}
+    iamInstanceProfile: {{ include "resource.default.name" $ }}-worker
     instanceType: {{ $value.instanceType | default "r6i.xlarge" }}
     rootVolume:
       size: {{ $value.rootVolumeSizeGB | default 8 }}

helm/cluster-aws/templates/crossplane-iam-role-control-plane.yaml

@@ -0,0 +1,203 @@
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: Role
+metadata:
+  name: {{ include "resource.default.name" $ }}-control-plane
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    assumeRolePolicy: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "ec2.amazonaws.com{{- if hasPrefix "cn-" (include "aws-region" .) }}.cn{{- end }}"
+            },
+            "Action": "sts:AssumeRole"
+          }
+        ]
+      }
+    tags:
+      managed-by: "cluster-aws"
+      giantswarm.io/cluster: {{ include "resource.default.name" $ }}
+      giantswarm.io/installation: {{ .Values.global.managementCluster }}
+      {{- if .Values.global.providerSpecific.additionalResourceTags -}}{{- toYaml .Values.global.providerSpecific.additionalResourceTags | nindent 4 }}{{- end}}
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+  name: {{ include "resource.default.name" $ }}-control-plane
+  labels:
+    cluster.x-k8s.io/cluster-name: {{ include "resource.default.name" $ }}
+spec:
+  forProvider:
+    roleRef:
+      name: {{ include "resource.default.name" $ }}-control-plane
+    policy: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Action": "elasticloadbalancing:*",
+            "Resource": "*",
+            "Effect": "Allow"
+          },
+          {
+            "Action": [
+              "autoscaling:DescribeAutoScalingGroups",
+              "autoscaling:DescribeAutoScalingInstances",
+              "autoscaling:DescribeTags",
+              "autoscaling:DescribeLaunchConfigurations",
+              "ec2:DescribeLaunchTemplateVersions"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+          },
+          {
+            "Action": [
+              "ecr:GetAuthorizationToken",
+              "ecr:BatchCheckLayerAvailability",
+              "ecr:GetDownloadUrlForLayer",
+              "ecr:GetRepositoryPolicy",
+              "ecr:DescribeRepositories",
+              "ecr:ListImages",
+              "ecr:BatchGetImage"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+          },
+          {
+            "Action": [
+              "ec2:AssignPrivateIpAddresses",
+              "ec2:AttachNetworkInterface",
+              "ec2:CreateNetworkInterface",
+              "ec2:DeleteNetworkInterface",
+              "ec2:DescribeInstances",
+              "ec2:DescribeInstanceTypes",
+              "ec2:DescribeTags",
+              "ec2:DescribeNetworkInterfaces",
+              "ec2:DetachNetworkInterface",
+              "ec2:ModifyNetworkInterfaceAttribute",
+              "ec2:UnassignPrivateIpAddresses"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+          },
+          {
+            "Action": [
+              "autoscaling:DescribeAutoScalingGroups",
+              "autoscaling:DescribeLaunchConfigurations",
+              "autoscaling:DescribeTags",
+              "ec2:DescribeAvailabilityZones",
+              "ec2:DescribeInstances",
+              "ec2:DescribeImages",
+              "ec2:DescribeRegions",
+              "ec2:DescribeRouteTables",
+              "ec2:DescribeSecurityGroups",
+              "ec2:DescribeSubnets",
+              "ec2:DescribeVolumes",
+              "ec2:CreateSecurityGroup",
+              "ec2:CreateTags",
+              "ec2:CreateVolume",
+              "ec2:ModifyInstanceAttribute",
+              "ec2:ModifyVolume",
+              "ec2:AttachVolume",
+              "ec2:DescribeVolumesModifications",
+              "ec2:AuthorizeSecurityGroupIngress",
+              "ec2:CreateRoute",
+              "ec2:DeleteRoute",
+              "ec2:DeleteSecurityGroup",
+              "ec2:DeleteVolume",
+              "ec2:DetachVolume",
+              "ec2:RevokeSecurityGroupIngress",
+              "ec2:DescribeVpcs",
+              "elasticloadbalancing:AddTags",
+              "elasticloadbalancing:AttachLoadBalancerToSubnets",
+              "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+              "elasticloadbalancing:CreateLoadBalancer",
+              "elasticloadbalancing:CreateLoadBalancerPolicy",
+              "elasticloadbalancing:CreateLoadBalancerListeners",
+              "elasticloadbalancing:ConfigureHealthCheck",
+              "elasticloadbalancing:DeleteLoadBalancer",
+              "elasticloadbalancing:DeleteLoadBalancerListeners",
+              "elasticloadbalancing:DescribeLoadBalancers",
+              "elasticloadbalancing:DescribeLoadBalancerAttributes",
+              "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+              "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+              "elasticloadbalancing:ModifyLoadBalancerAttributes",
+              "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+              "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+              "elasticloadbalancing:AddTags",
+              "elasticloadbalancing:CreateListener",
+              "elasticloadbalancing:CreateTargetGroup",
+              "elasticloadbalancing:DeleteListener",
+              "elasticloadbalancing:DeleteTargetGroup",
+              "elasticloadbalancing:DescribeListeners",
+              "elasticloadbalancing:DescribeLoadBalancerPolicies",
+              "elasticloadbalancing:DescribeTargetGroups",
+              "elasticloadbalancing:DescribeTargetHealth",
+              "elasticloadbalancing:ModifyListener",
+              "elasticloadbalancing:ModifyTargetGroup",
+              "elasticloadbalancing:RegisterTargets",
+              "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+              "iam:CreateServiceLinkedRole",
+              "kms:DescribeKey"
+            ],
+            "Resource": [
+              "*"
+            ],
+            "Effect": "Allow"
+          },
+          {
+            "Action": [
+              "secretsmanager:GetSecretValue",
+              "secretsmanager:DeleteSecret"
+            ],
+            "Resource": "arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*",
+            "Effect": "Allow"
+          }
+        ]
+      }
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+  name: {{ include "resource.default.name" $ }}-control-plane
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    roleRef:
+      name: {{ include "resource.default.name" $ }}-control-plane
+    policyArnRef:
+      name: {{ include "resource.default.name" $ }}-control-plane
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: InstanceProfile
+metadata:
+  name: {{ include "resource.default.name" $ }}-control-plane
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    role: {{ include "resource.default.name" $ }}-control-plane
+    tags:
+      managed-by: "cluster-aws"
+      giantswarm.io/cluster: {{ include "resource.default.name" $ }}
+      giantswarm.io/installation: {{ .Values.global.managementCluster }}
+      {{- if .Values.global.providerSpecific.additionalResourceTags -}}{{- toYaml .Values.global.providerSpecific.additionalResourceTags | nindent 4 }}{{- end}}
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}