feat: eks pod identity support for controllers

richardcase · richardcase · commit 16d65b1db57e · 2025-04-24T16:01:13.000+01:00
This adds support for using EKS pod identity for the CAPA controller
when the management cluster is an EKS cluster

Signed-off-by: Richard Case &lt;richard.case@outlook.com&gt;
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -51,8 +51,8 @@ func (t Template) controllersPolicyRoleAttachments() []string {
 	return attachments
 }
 
-func (t Template) controllersTrustPolicy() *iamv1.PolicyDocument {
-	policyDocument := ec2AssumeRolePolicy()
+func (t Template) controllersTrustPolicy(eksEnabled bool) *iamv1.PolicyDocument {
+	policyDocument := ec2AssumeRolePolicy(eksEnabled)
 	policyDocument.Statement = append(policyDocument.Statement, t.Spec.ClusterAPIControllers.TrustStatements...)
 	return policyDocument
 }
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/control_plane.go b/cmd/clusterawsadm/cloudformation/bootstrap/control_plane.go
@@ -40,7 +40,7 @@ func (t Template) controlPlanePolicies() []cfn_iam.Role_Policy {
 }
 
 func (t Template) controlPlaneTrustPolicy() *iamv1.PolicyDocument {
-	policyDocument := ec2AssumeRolePolicy()
+	policyDocument := ec2AssumeRolePolicy(false)
 	policyDocument.Statement = append(policyDocument.Statement, t.Spec.ControlPlane.TrustStatements...)
 	return policyDocument
 }
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
@@ -412,6 +412,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -429,6 +430,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.custom-suffix.com
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml
@@ -412,6 +412,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -429,6 +430,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml
@@ -425,6 +425,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -442,6 +443,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml
@@ -417,6 +417,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -434,6 +435,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml
@@ -420,6 +420,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -437,6 +438,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml
@@ -420,6 +420,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -437,6 +438,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml
@@ -412,6 +412,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -429,6 +430,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml
@@ -432,6 +432,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -449,6 +450,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
@@ -412,6 +412,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -429,6 +430,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml
@@ -412,6 +412,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -429,6 +430,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml
@@ -420,6 +420,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -447,6 +448,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       Policies:
       - PolicyDocument:
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml
@@ -423,6 +423,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -440,6 +441,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
@@ -412,6 +412,7 @@ Resources:
         Statement:
         - Action:
           - sts:AssumeRole
+          - sts:TagSession
           Effect: Allow
           Principal:
             Service:
@@ -429,6 +430,7 @@ Resources:
           Principal:
             Service:
             - ec2.amazonaws.com
+            - pods.eks.amazonaws.com
         Version: 2012-10-17
       RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
     Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/node.go b/cmd/clusterawsadm/cloudformation/bootstrap/node.go
@@ -39,7 +39,7 @@ func (t Template) nodePolicies() []cfn_iam.Role_Policy {
 }
 
 func (t Template) nodeTrustPolicy() *iamv1.PolicyDocument {
-	policyDocument := ec2AssumeRolePolicy()
+	policyDocument := ec2AssumeRolePolicy(false)
 	policyDocument.Statement = append(policyDocument.Statement, t.Spec.Nodes.TrustStatements...)
 	return policyDocument
 }
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/template.go b/cmd/clusterawsadm/cloudformation/bootstrap/template.go
@@ -148,8 +148,7 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 
 	template.Resources[AWSIAMRoleControllers] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("controllers"),
-		Path:                     t.Spec.ControlPlane.Path,
-		AssumeRolePolicyDocument: t.controllersTrustPolicy(),
+		AssumeRolePolicyDocument: t.controllersTrustPolicy(!t.Spec.EKS.Disable),
 		Policies:                 t.controllersRolePolicy(),
 		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ClusterAPIControllers.Tags),
@@ -224,8 +223,12 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 	return template
 }
 
-func ec2AssumeRolePolicy() *iamv1.PolicyDocument {
-	return AssumeRolePolicy(iamv1.PrincipalService, []string{"ec2.amazonaws.com"})
+func ec2AssumeRolePolicy(withEKS bool) *iamv1.PolicyDocument {
+	principalIDs := []string{"ec2.amazonaws.com"}
+	if withEKS {
+		principalIDs = append(principalIDs, "pods.eks.amazonaws.com")
+	}
+	return AssumeRolePolicy(iamv1.PrincipalService, principalIDs)
 }
 
 // AWSArnAssumeRolePolicy will assume Policies using PolicyArns.
@@ -246,7 +249,7 @@ func AssumeRolePolicy(identityType iamv1.PrincipalType, principalIDs []string) *
 			{
 				Effect:    iamv1.EffectAllow,
 				Principal: iamv1.Principals{identityType: principalIDs},
-				Action:    iamv1.Actions{"sts:AssumeRole"},
+				Action:    iamv1.Actions{"sts:AssumeRole", "sts:TagSession"},
 			},
 		},
 	}
diff --git a/cmd/clusterawsadm/cmd/controller/controller.go b/cmd/clusterawsadm/cmd/controller/controller.go
@@ -44,6 +44,7 @@ func RootCmd() *cobra.Command {
 	newCmd.AddCommand(credentials.UpdateCredentialsCmd())
 	newCmd.AddCommand(credentials.PrintCredentialsCmd())
 	newCmd.AddCommand(rollout.RolloutControllersCmd())
+	newCmd.AddCommand(credentials.UseEKSPodIdentityCmd())
 
 	return newCmd
 }
diff --git a/cmd/clusterawsadm/cmd/controller/credentials/use_pod_identity.go b/cmd/clusterawsadm/cmd/controller/credentials/use_pod_identity.go
diff --git a/docs/book/src/topics/eks/eks-pod-identity.md b/docs/book/src/topics/eks/eks-pod-identity.md
diff --git a/docs/book/src/topics/eks/index.md b/docs/book/src/topics/eks/index.md

Original file line number	Diff line number	Diff line change
`@@ -51,8 +51,8 @@ func (t Template) controllersPolicyRoleAttachments() []string {`
`51`	`51`	`return attachments`
`52`	`52`	`}`
`53`	`53`
`54`		`-func (t Template) controllersTrustPolicy() *iamv1.PolicyDocument {`
`55`		`- policyDocument := ec2AssumeRolePolicy()`
	`54`	`+func (t Template) controllersTrustPolicy(eksEnabled bool) *iamv1.PolicyDocument {`
	`55`	`+ policyDocument := ec2AssumeRolePolicy(eksEnabled)`
`56`	`56`	`policyDocument.Statement = append(policyDocument.Statement, t.Spec.ClusterAPIControllers.TrustStatements...)`
`57`	`57`	`return policyDocument`
`58`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ func (t Template) controlPlanePolicies() []cfn_iam.Role_Policy {`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`func (t Template) controlPlaneTrustPolicy() *iamv1.PolicyDocument {`
`43`		`- policyDocument := ec2AssumeRolePolicy()`
	`43`	`+ policyDocument := ec2AssumeRolePolicy(false)`
`44`	`44`	`policyDocument.Statement = append(policyDocument.Statement, t.Spec.ControlPlane.TrustStatements...)`
`45`	`45`	`return policyDocument`
`46`	`46`	`}`