Support custom IAM management in AWS registration

bhperry · bhperry · commit 2599ffcc7f81 · 2025-07-09T12:39:10.000-05:00
Signed-off-by: Ben Perry &lt;bhperry94@gmail.com&gt;
diff --git a/deploy/cluster-manager/chart/cluster-manager/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml b/deploy/cluster-manager/chart/cluster-manager/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml
@@ -380,6 +380,12 @@ spec:
                               items:
                                 type: string
                               type: array
+                            disableManagedIam:
+                              description: |-
+                                DisableManagedIam disables creation and management of IAM roles and policies on the hub.
+                                If true, all AWS permissions for awsirsa registration must be managed manually by the administrator.
+                                Used in cases where IAM permissions cannot be granted to OCM, or to run an EKS hub with non-aws spoke clusters.
+                              type: boolean
                             hubClusterArn:
                               description: |-
                                 This represents the hub cluster ARN
diff --git a/deploy/cluster-manager/config/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml b/deploy/cluster-manager/config/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml
@@ -380,6 +380,12 @@ spec:
                               items:
                                 type: string
                               type: array
+                            disableManagedIam:
+                              description: |-
+                                DisableManagedIam disables creation and management of IAM roles and policies on the hub.
+                                If true, all AWS permissions for awsirsa registration must be managed manually by the administrator.
+                                Used in cases where IAM permissions cannot be granted to OCM, or to run an EKS hub with non-aws spoke clusters.
+                              type: boolean
                             hubClusterArn:
                               description: |-
                                 This represents the hub cluster ARN
diff --git a/deploy/cluster-manager/olm-catalog/latest/manifests/operator.open-cluster-management.io_clustermanagers.yaml b/deploy/cluster-manager/olm-catalog/latest/manifests/operator.open-cluster-management.io_clustermanagers.yaml
@@ -344,6 +344,11 @@ spec:
                               items:
                                 type: string
                               type: array
+                            disableManagedIam:
+                              description: |-
+                                DisableManagedIAM disables IAM role management in the hub. All required IAM roles
+                                must be created by the administrator.
+                              type: boolean
                             hubClusterArn:
                               description: |-
                                 This represents the hub cluster ARN
diff --git a/deploy/klusterlet/chart/klusterlet/crds/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml b/deploy/klusterlet/chart/klusterlet/crds/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml
@@ -341,17 +341,20 @@ spec:
                             minLength: 1
                             pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
                             type: string
+                          iamConfigSecret:
+                            description: |-
+                              IamConfigSecret is the name of a secret containing "config" and/or "credentials" files mounted to ~/.aws/config and ~/.aws/credentials respectively.
+                              More Info: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
+                            type: string
                           managedClusterArn:
                             description: |-
-                              The arn of the managed cluster (ie: an EKS cluster). This will be required to generate the md5hash which will be used as a suffix to create IAM role on hub
+                              The arn of the managed cluster (ie: an EKS cluster). This will be used when managed IAM is enabled to generate the md5hash as a suffix to create IAM role on hub
                               as well as used by kluslerlet-agent, to assume role suffixed with the md5hash, on startup.
                               Example - arn:eks:us-west-2:12345678910:cluster/managed-cluster1.
-                            minLength: 1
                             pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
                             type: string
                         required:
                         - hubClusterArn
-                        - managedClusterArn
                         type: object
                     required:
                     - authType
diff --git a/deploy/klusterlet/config/crds/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml b/deploy/klusterlet/config/crds/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml
@@ -341,17 +341,20 @@ spec:
                             minLength: 1
                             pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
                             type: string
+                          iamConfigSecret:
+                            description: |-
+                              IamConfigSecret is the name of a secret containing "config" and/or "credentials" files mounted to ~/.aws/config and ~/.aws/credentials respectively.
+                              More Info: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
+                            type: string
                           managedClusterArn:
                             description: |-
-                              The arn of the managed cluster (ie: an EKS cluster). This will be required to generate the md5hash which will be used as a suffix to create IAM role on hub
+                              The arn of the managed cluster (ie: an EKS cluster). This will be used when managed IAM is enabled to generate the md5hash as a suffix to create IAM role on hub
                               as well as used by kluslerlet-agent, to assume role suffixed with the md5hash, on startup.
                               Example - arn:eks:us-west-2:12345678910:cluster/managed-cluster1.
-                            minLength: 1
                             pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
                             type: string
                         required:
                         - hubClusterArn
-                        - managedClusterArn
                         type: object
                     required:
                     - authType
diff --git a/go.mod b/go.mod
@@ -2,8 +2,8 @@ module open-cluster-management.io/ocm
 
 go 1.23.6
 
-// TEMPORARY while waiting for upstream tag – must be removed before merge
-replace open-cluster-management.io/api => github.com/bhperry/ocm-api v0.0.0-20250709152251-dc6f14dcb9c0
+// TODO: Remove before merge
+replace open-cluster-management.io/api => github.com/bhperry/ocm-api v0.0.0-20250709173341-f336f4574c03
 
 require (
 	github.com/aws/aws-sdk-go-v2 v1.36.3
diff --git a/go.sum b/go.sum
@@ -58,8 +58,8 @@ github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
 github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bhperry/ocm-api v0.0.0-20250709152251-dc6f14dcb9c0 h1:BGB/xHmOWNgwbuz6vqFBk+hf+dXhcSI5IBbRwim3CjA=
-github.com/bhperry/ocm-api v0.0.0-20250709152251-dc6f14dcb9c0/go.mod h1:/OeqXycNBZQoe3WG6ghuWsMgsKGuMZrK8ZpsU6gWL0Y=
+github.com/bhperry/ocm-api v0.0.0-20250709173341-f336f4574c03 h1:6fRvZreOtZAmxUAQopCsdhWlLk4lorhZEhB1E+839Zo=
+github.com/bhperry/ocm-api v0.0.0-20250709173341-f336f4574c03/go.mod h1:/OeqXycNBZQoe3WG6ghuWsMgsKGuMZrK8ZpsU6gWL0Y=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bwmarrin/snowflake v0.3.0 h1:xm67bEhkKh6ij1790JB83OujPR5CzNe8QuQqAgISZN0=
diff --git a/manifests/cluster-manager/management/cluster-manager-registration-deployment.yaml b/manifests/cluster-manager/management/cluster-manager-registration-deployment.yaml
@@ -92,6 +92,9 @@ spec:
           {{if .AwsResourceTags}}
           - "--aws-resource-tags={{ .AwsResourceTags }}"
           {{end}}
+          {{ if .DisableManagedIam }}
+          - "--disable-managed-iam"
+          {{ end }}
         env:
           - name: POD_NAME
             valueFrom:
diff --git a/manifests/config.go b/manifests/config.go
@@ -39,6 +39,7 @@ type HubConfig struct {
 	ResourceRequirements              []byte
 	ManagedClusterIdentityCreatorRole string
 	HubClusterArn                     string
+	DisableManagedIam                 bool
 	EnabledRegistrationDrivers        string
 	AutoApprovedCSRUsers              string
 	AutoApprovedARNPatterns           string
diff --git a/manifests/klusterlet/management/klusterlet-agent-deployment.yaml b/manifests/klusterlet/management/klusterlet-agent-deployment.yaml
@@ -230,8 +230,14 @@ spec:
       - name: tmpdir
         emptyDir: { }
       {{if eq .RegistrationDriver.AuthType "awsirsa"}}
+      {{if and .RegistrationDriver.AwsIrsa .RegistrationDriver.AwsIrsa.IamConfigSecret }}
+      - name: dot-aws
+        secret:
+          secretName: {{ .RegistrationDriver.AwsIrsa.IamConfigSecret }}
+      {{else}}
       - name: dot-aws
         emptyDir: { }
+      {{end}}
       - name: awscli
         emptyDir: { }
       {{end}}
diff --git a/manifests/klusterlet/management/klusterlet-registration-deployment.yaml b/manifests/klusterlet/management/klusterlet-registration-deployment.yaml
@@ -208,8 +208,14 @@ spec:
       - name: tmpdir
         emptyDir: { }
       {{if eq .RegistrationDriver.AuthType "awsirsa"}}
+      {{if and .RegistrationDriver.AwsIrsa .RegistrationDriver.AwsIrsa.IamConfigSecret }}
+      - name: dot-aws
+        secret:
+          secretName: {{ .RegistrationDriver.AwsIrsa.IamConfigSecret }}
+      {{else}}
       - name: dot-aws
         emptyDir: { }
+      {{end}}
       - name: awscli
         emptyDir: { }
       {{end}}
diff --git a/manifests/klusterlet/management/klusterlet-work-deployment.yaml b/manifests/klusterlet/management/klusterlet-work-deployment.yaml
@@ -174,8 +174,14 @@ spec:
       - name: tmpdir
         emptyDir: { }
       {{if eq .RegistrationDriver.AuthType "awsirsa"}}
+      {{if and .RegistrationDriver.AwsIrsa .RegistrationDriver.AwsIrsa.IamConfigSecret }}
+      - name: dot-aws
+        secret:
+          secretName: {{ .RegistrationDriver.AwsIrsa.IamConfigSecret }}
+      {{else}}
       - name: dot-aws
         emptyDir: { }
+      {{end}}
       - name: awscli
         emptyDir: { }
       {{end}}
diff --git a/pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_controller.go b/pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_controller.go
@@ -470,6 +470,9 @@ func getIdentityCreatorRoleAndTags(cm operatorapiv1.ClusterManager) string {
 	if cm.Spec.RegistrationConfiguration != nil {
 		for _, registrationDriver := range cm.Spec.RegistrationConfiguration.RegistrationDrivers {
 			if registrationDriver.AuthType == commonhelper.AwsIrsaAuthType && registrationDriver.AwsIrsa != nil {
+				if registrationDriver.AwsIrsa.DisableManagedIam {
+					return ""
+				}
 				hubClusterArn := registrationDriver.AwsIrsa.HubClusterArn
 				hubClusterAccountId, hubClusterName := commonhelper.GetAwsAccountIdAndClusterName(hubClusterArn)
 				return "arn:aws:iam::" + hubClusterAccountId + ":role/" + hubClusterName + "_managed-cluster-identity-creator"
diff --git a/pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_runtime_reconcile.go b/pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_runtime_reconcile.go
@@ -82,6 +82,7 @@ func (c *runtimeReconcile) reconcile(ctx context.Context, cm *operatorapiv1.Clus
 				config.HubClusterArn = registrationDriver.AwsIrsa.HubClusterArn
 				config.AutoApprovedARNPatterns = strings.Join(registrationDriver.AwsIrsa.AutoApprovedIdentities, ",")
 				config.AwsResourceTags = strings.Join(registrationDriver.AwsIrsa.Tags, ",")
+				config.DisableManagedIam = registrationDriver.AwsIrsa.DisableManagedIam
 			} else if registrationDriver.AuthType == commonhelpers.CSRAuthType && registrationDriver.CSR != nil {
 				config.AutoApprovedCSRUsers = strings.Join(registrationDriver.CSR.AutoApprovedIdentities, ",")
 			}
diff --git a/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go b/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go
@@ -115,6 +115,7 @@ func NewKlusterletController(
 type AwsIrsa struct {
 	HubClusterArn     string
 	ManagedClusterArn string
+	IamConfigSecret   string
 }
 
 type RegistrationDriver struct {
@@ -127,6 +128,9 @@ type ManagedClusterIamRole struct {
 }
 
 func (managedClusterIamRole *ManagedClusterIamRole) arn() string {
+	if managedClusterIamRole.AwsIrsa.ManagedClusterArn == "" {
+		return ""
+	}
 	managedClusterAccountId, managedClusterName := commonhelpers.GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.ManagedClusterArn)
 	hubClusterAccountId, hubClusterName := commonhelpers.GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.HubClusterArn)
 	md5HashUniqueIdentifier := commonhelpers.Md5HashSuffix(hubClusterAccountId, hubClusterName, managedClusterAccountId, managedClusterName)
@@ -355,19 +359,27 @@ func (n *klusterletController) sync(ctx context.Context, controllerContext facto
 
 			hubClusterArn := klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa.HubClusterArn
 			managedClusterArn := klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa.ManagedClusterArn
+			iamConfigSecret := klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa.IamConfigSecret
 
 			config.RegistrationDriver = RegistrationDriver{
 				AuthType: klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AuthType,
 				AwsIrsa: &AwsIrsa{
 					HubClusterArn:     hubClusterArn,
 					ManagedClusterArn: managedClusterArn,
+					IamConfigSecret:   iamConfigSecret,
 				},
 			}
 			managedClusterIamRole := ManagedClusterIamRole{
 				AwsIrsa: config.RegistrationDriver.AwsIrsa,
 			}
 			config.ManagedClusterRoleArn = managedClusterIamRole.arn()
-			managedClusterAccountId, managedClusterName := commonhelpers.GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.ManagedClusterArn)
+			var managedClusterAccountId, managedClusterName string
+			if managedClusterIamRole.AwsIrsa.ManagedClusterArn != "" {
+				managedClusterAccountId, managedClusterName = commonhelpers.GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.ManagedClusterArn)
+			} else {
+				// Klusterlet running in non-AWS cluster, no account ID
+				managedClusterName = config.ClusterName
+			}
 			hubClusterAccountId, hubClusterName := commonhelpers.GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.HubClusterArn)
 			config.ManagedClusterRoleSuffix = commonhelpers.Md5HashSuffix(hubClusterAccountId, hubClusterName, managedClusterAccountId, managedClusterName)
 		} else {
diff --git a/pkg/registration/hub/manager.go b/pkg/registration/hub/manager.go
@@ -59,6 +59,7 @@ type HubManagerOptions struct {
 	AutoApprovedCSRUsers       []string
 	AutoApprovedARNPatterns    []string
 	AwsResourceTags            []string
+	DisableManagedIam          bool
 	Labels                     string
 	GRPCCAFile                 string
 	GRPCCAKeyFile              string
@@ -89,6 +90,7 @@ func (m *HubManagerOptions) AddFlags(fs *pflag.FlagSet) {
 			"The flag works only when ResourceCleanup feature gate is enable.")
 	fs.StringVar(&m.HubClusterArn, "hub-cluster-arn", m.HubClusterArn,
 		"Hub Cluster Arn required to connect to Hub and create IAM Roles and Policies")
+	fs.BoolVar(&m.DisableManagedIam, "disable-managed-iam", m.DisableManagedIam, "Disable IAM role and access entry management for spoke clusters")
 	fs.StringSliceVar(&m.AutoApprovedCSRUsers, "auto-approved-csr-users", m.AutoApprovedCSRUsers,
 		"A bootstrap user list whose cluster registration requests can be automatically approved.")
 	fs.StringSliceVar(&m.AutoApprovedARNPatterns, "auto-approved-arn-patterns", m.AutoApprovedARNPatterns,
@@ -195,7 +197,7 @@ func (m *HubManagerOptions) RunControllerManagerWithInformers(
 			}
 			drivers = append(drivers, csrDriver)
 		case commonhelpers.AwsIrsaAuthType:
-			awsIRSAHubDriver, err := awsirsa.NewAWSIRSAHubDriver(ctx, m.HubClusterArn, m.AutoApprovedARNPatterns, m.AwsResourceTags)
+			awsIRSAHubDriver, err := awsirsa.NewAWSIRSAHubDriver(ctx, m.HubClusterArn, m.AutoApprovedARNPatterns, m.AwsResourceTags, m.DisableManagedIam)
 			if err != nil {
 				return err
 			}
diff --git a/pkg/registration/register/aws_irsa/aws_irsa.go b/pkg/registration/register/aws_irsa/aws_irsa.go
@@ -93,7 +93,9 @@ func (c *AWSIRSADriver) ManagedClusterDecorator(cluster *clusterv1.ManagedCluste
 	if cluster.Annotations == nil {
 		cluster.Annotations = make(map[string]string)
 	}
-	cluster.Annotations[operatorv1.ClusterAnnotationsKeyPrefix+"/"+ManagedClusterArn] = c.managedClusterArn
+	if c.managedClusterArn != "" {
+		cluster.Annotations[operatorv1.ClusterAnnotationsKeyPrefix+"/"+ManagedClusterArn] = c.managedClusterArn
+	}
 	cluster.Annotations[operatorv1.ClusterAnnotationsKeyPrefix+"/"+ManagedClusterIAMRoleSuffix] = c.managedClusterRoleSuffix
 	return cluster
 }
diff --git a/pkg/registration/register/aws_irsa/hub_driver.go b/pkg/registration/register/aws_irsa/hub_driver.go
@@ -39,6 +39,7 @@ type AWSIRSAHubDriver struct {
 	cfg                     aws.Config
 	autoApprovedARNPatterns []*regexp.Regexp
 	awsResourceTags         []string
+	disableManagedIam       bool
 }
 
 func (a *AWSIRSAHubDriver) Accept(cluster *clusterv1.ManagedCluster) bool {
@@ -61,12 +62,16 @@ func (a *AWSIRSAHubDriver) Accept(cluster *clusterv1.ManagedCluster) bool {
 
 // Cleanup is run when the cluster is deleting or hubAcceptClient is set false
 func (c *AWSIRSAHubDriver) Cleanup(ctx context.Context, managedCluster *clusterv1.ManagedCluster) error {
+	logger := klog.FromContext(ctx)
+	if c.disableManagedIam {
+		logger.V(4).Info("No Op Cleanup since IAM management is disabled for awsirsa")
+		return nil
+	}
+
 	_, isManagedClusterIamRoleSuffixPresent :=
 		managedCluster.Annotations[operatorv1.ClusterAnnotationsKeyPrefix+"/"+ManagedClusterIAMRoleSuffix]
 	_, isManagedClusterArnPresent := managedCluster.Annotations[operatorv1.ClusterAnnotationsKeyPrefix+"/"+ManagedClusterArn]
 
-	logger := klog.FromContext(ctx)
-
 	if !isManagedClusterArnPresent && !isManagedClusterIamRoleSuffixPresent {
 		logger.V(4).Info("No Op Cleanup since managedcluster annotations are not present for awsirsa.")
 		return nil
@@ -110,6 +115,11 @@ func (a *AWSIRSAHubDriver) CreatePermissions(ctx context.Context, cluster *clust
 	}
 	logger.V(4).Info("ManagedCluster is joined using aws-irsa registration-auth", "ManagedCluster", cluster.Name)
 
+	if a.disableManagedIam {
+		logger.V(4).Info("IAM management disabled, no roles or access entries created", "ManagedCluster", cluster.Name)
+		return nil
+	}
+
 	// Create an EKS client
 	eksClient := eks.NewFromConfig(a.cfg)
 	hubClusterName, roleArn, err := createIAMRoleAndPolicy(ctx, a.hubClusterArn, cluster, a.cfg, a.awsResourceTags)
@@ -146,7 +156,6 @@ func createIAMRoleAndPolicy(ctx context.Context, hubClusterArn string, managedCl
 	managedClusterArn, isManagedClusterArnPresent := managedCluster.Annotations[operatorv1.ClusterAnnotationsKeyPrefix+"/"+ManagedClusterArn]
 
 	hubAccountId, hubClusterName = commonhelpers.GetAwsAccountIdAndClusterName(hubClusterArn)
-	managedClusterAccountId, managedClusterName = commonhelpers.GetAwsAccountIdAndClusterName(managedClusterArn)
 
 	roleName, roleArn, err := getRoleNameAndArn(ctx, managedCluster, cfg)
 	if err != nil {
@@ -155,6 +164,7 @@ func createIAMRoleAndPolicy(ctx context.Context, hubClusterArn string, managedCl
 	}
 
 	if hubClusterArn != "" && isManagedClusterIamRoleSuffixPresent && isManagedClusterArnPresent {
+		managedClusterAccountId, managedClusterName = commonhelpers.GetAwsAccountIdAndClusterName(managedClusterArn)
 
 		// Check if hash is the same
 		hash := commonhelpers.Md5HashSuffix(hubAccountId, hubClusterName, managedClusterAccountId, managedClusterName)
@@ -360,7 +370,7 @@ func parseTagsForRolesAndPolicies(tags []string) ([]iamtypes.Tag, error) {
 }
 
 func NewAWSIRSAHubDriver(ctx context.Context, hubClusterArn string, autoApprovedIdentityPatterns []string,
-	awsResourceTags []string) (register.HubDriver, error) {
+	awsResourceTags []string, disableManagedIam bool) (register.HubDriver, error) {
 	logger := klog.FromContext(ctx)
 	cfg, err := config.LoadDefaultConfig(ctx)
 	if err != nil {
@@ -382,6 +392,7 @@ func NewAWSIRSAHubDriver(ctx context.Context, hubClusterArn string, autoApproved
 		cfg:                     cfg,
 		autoApprovedARNPatterns: compiledPatterns,
 		awsResourceTags:         awsResourceTags,
+		disableManagedIam:       disableManagedIam,
 	}
 
 	return awsIRSADriverForHub, nil
diff --git a/pkg/registration/register/aws_irsa/hub_driver_test.go b/pkg/registration/register/aws_irsa/hub_driver_test.go
@@ -126,6 +126,7 @@ func TestAccept(t *testing.T) {
 			"arn:aws:eks:us-west-2:123456789012:cluster/.*",
 			"arn:aws:eks:us-west-1:123456789012:cluster/.*",
 		}, []string{},
+		false,
 	)
 
 	if err != nil {
@@ -146,7 +147,7 @@ func TestNewDriverValidation(t *testing.T) {
 	// Test with an invalid manager cluster approval pattern
 	_, err := NewAWSIRSAHubDriver(context.Background(), "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster", []string{
 		"arn:(aws:eks:us-west-2:123456789012:cluster/.*", // bad pattern
-	}, []string{})
+	}, []string{}, false)
 	if err == nil {
 		t.Errorf("Error expected")
 	}
@@ -485,7 +486,7 @@ func TestCleanup(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			awsIrsaHubDriver, err := NewAWSIRSAHubDriver(context.Background(), "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster", []string{}, []string{})
+			awsIrsaHubDriver, err := NewAWSIRSAHubDriver(context.Background(), "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster", []string{}, []string{}, false)
 			if err != nil {
 				t.Errorf("error creating AWSIRSAHubDriver")
 				return
diff --git a/vendor/modules.txt b/vendor/modules.txt
diff --git a/vendor/open-cluster-management.io/api/operator/v1/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml b/vendor/open-cluster-management.io/api/operator/v1/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml
diff --git a/vendor/open-cluster-management.io/api/operator/v1/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml b/vendor/open-cluster-management.io/api/operator/v1/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml
diff --git a/vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go b/vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go
diff --git a/vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go b/vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go
diff --git a/vendor/open-cluster-management.io/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/open-cluster-management.io/api/operator/v1/zz_generated.swagger_doc_generated.go
