
Commit 9fb14db

authored
Merge branch 'main' into drop-v1beta1-docs
2 parents 590e747 + acbcf54 commit 9fb14db

3 files changed

+1129
-1
lines changed

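--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,228 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "AllowScopedEC2InstanceActions",
+"Effect": "Allow",
+"Resource": [
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}::image/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}::snapshot/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:spot-instances-request/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:security-group/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:subnet/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
+],
+"Action": [
+"ec2:RunInstances",
+"ec2:CreateFleet"
+]
+},
+{
+"Sid": "AllowScopedEC2InstanceActionsWithTags",
+"Effect": "Allow",
+"Resource": [
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:fleet/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:volume/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:network-interface/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
+],
+"Action": [
+"ec2:RunInstances",
+"ec2:CreateFleet",
+"ec2:CreateLaunchTemplate"
+],
+"Condition": {
+"StringEquals": {
+"aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned"
+},
+"StringLike": {
+"aws:RequestTag/karpenter.sh/nodepool": "*"
+}
+}
+},
+{
+"Sid": "AllowScopedResourceCreationTagging",
+"Effect": "Allow",
+"Resource": [
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:fleet/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:volume/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:network-interface/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
+],
+"Action": "ec2:CreateTags",
+"Condition": {
+"StringEquals": {
+"aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned",
+"ec2:CreateAction": [
+"RunInstances",
+"CreateFleet",
+"CreateLaunchTemplate"
+]
+},
+"StringLike": {
+"aws:RequestTag/karpenter.sh/nodepool": "*"
+}
+}
+},
+{
+"Sid": "AllowScopedResourceTagging",
+"Effect": "Allow",
+"Resource": "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
+"Action": "ec2:CreateTags",
+"Condition": {
+"StringEquals": {
+"aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned"
+},
+"StringLike": {
+"aws:ResourceTag/karpenter.sh/nodepool": "*"
+},
+"ForAllValues:StringEquals": {
+"aws:TagKeys": [
+"karpenter.sh/nodeclaim",
+"Name"
+]
+}
+}
+},
+{
+"Sid": "AllowScopedDeletion",
+"Effect": "Allow",
+"Resource": [
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
+],
+"Action": [
+"ec2:TerminateInstances",
+"ec2:DeleteLaunchTemplate"
+],
+"Condition": {
+"StringEquals": {
+"aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned"
+},
+"StringLike": {
+"aws:ResourceTag/karpenter.sh/nodepool": "*"
+}
+}
+},
+{
+"Sid": "AllowRegionalReadActions",
+"Effect": "Allow",
+"Resource": "*",
+"Action": [
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeImages",
+"ec2:DescribeInstances",
+"ec2:DescribeInstanceTypeOfferings",
+"ec2:DescribeInstanceTypes",
+"ec2:DescribeLaunchTemplates",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeSpotPriceHistory",
+"ec2:DescribeSubnets"
+],
+"Condition": {
+"StringEquals": {
+"aws:RequestedRegion": "${AWS_REGION}"
+}
+}
+},
+{
+"Sid": "AllowSSMReadActions",
+"Effect": "Allow",
+"Resource": "arn:${AWS_PARTITION}:ssm:${AWS_REGION}::parameter/aws/service/*",
+"Action": "ssm:GetParameter"
+},
+{
+"Sid": "AllowPricingReadActions",
+"Effect": "Allow",
+"Resource": "*",
+"Action": "pricing:GetProducts"
+},
+{
+"Sid": "AllowInterruptionQueueActions",
+"Effect": "Allow",
+"Resource": "arn:${AWS_PARTITION}:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:${CLUSTER_NAME}",
+"Action": [
+"sqs:DeleteMessage",
+"sqs:GetQueueUrl",
+"sqs:ReceiveMessage"
+]
+},
+{
+"Sid": "AllowPassingInstanceRole",
+"Effect": "Allow",
+"Resource": "arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME}",
+"Action": "iam:PassRole",
+"Condition": {
+"StringEquals": {
+"iam:PassedToService": "ec2.amazonaws.com"
+}
+}
+},
+{
+"Sid": "AllowScopedInstanceProfileCreationActions",
+"Effect": "Allow",
+"Resource": "*",
+"Action": "iam:CreateInstanceProfile",
+"Condition": {
+"StringEquals": {
+"aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned",
+"aws:RequestTag/topology.kubernetes.io/region": "${AWS_REGION}"
+},
+"StringLike": {
+"aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*"
+}
+}
+},
+{
+"Sid": "AllowScopedInstanceProfileTagActions",
+"Effect": "Allow",
+"Resource": "*",
+"Action": "iam:TagInstanceProfile",
+"Condition": {
+"StringEquals": {
+"aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned",
+"aws:ResourceTag/topology.kubernetes.io/region": "${AWS_REGION}",
+"aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned",
+"aws:RequestTag/topology.kubernetes.io/region": "${AWS_REGION}"
+},
+"StringLike": {
+"aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*",
+"aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*"
+}
+}
+},
+{
+"Sid": "AllowScopedInstanceProfileActions",
+"Effect": "Allow",
+"Resource": "*",
+"Action": [
+"iam:AddRoleToInstanceProfile",
+"iam:RemoveRoleFromInstanceProfile",
+"iam:DeleteInstanceProfile"
+],
+"Condition": {
+"StringEquals": {
+"aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned",
+"aws:ResourceTag/topology.kubernetes.io/region": "${AWS_REGION}"
+},
+"StringLike": {
+"aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*"
+}
+}
+},
+{
+"Sid": "AllowInstanceProfileReadActions",
+"Effect": "Allow",
+"Resource": "*",
+"Action": "iam:GetInstanceProfile"
+},
+{
+"Sid": "AllowAPIServerEndpointDiscovery",
+"Effect": "Allow",
+"Resource": "arn:${AWS_PARTITION}:eks:${AWS_REGION}:${AWS_ACCOUNT_ID}:cluster/${CLUSTER_NAME}",
+"Action": "eks:DescribeCluster"
+}
+]
+}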
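Review bot: The four instance-profile statements (`AllowScopedInstanceProfileCreationActions`, `AllowScopedInstanceProfileTagActions`, `AllowScopedInstanceProfileActions`, `AllowInstanceProfileReadActions`) grant on `"Resource": "*"`, and the last of them carries no `Condition`, so `iam:GetInstanceProfile` is allowed against every instance profile in the account rather than the cluster's own. IAM instance profiles have account-scoped ARNs and every action listed in those statements accepts the instance-profile resource type, so `"Resource": "arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:instance-profile/*"` — the same ARN shape the file already uses for `KarpenterNodeRole-${CLUSTER_NAME}` — would confine them to the deploying account without changing what the controller can do. The tag-based `StringEquals`/`StringLike` conditions on the first three would still apply on top of that; the read statement is the one that currently depends on the wildcard alone. The file path is not shown on this page, so whether this is the installed controller policy or a rendered documentation copy of it cannot be confirmed here.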
