Use reduced IAM permissions on worker nodes instance profile

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Use reduced IAM permissions on worker nodes instance profile
+
 ## [2.5.0] - 2024-12-13
 
 ### Added

helm/cluster-aws/README.md

@@ -29,6 +29,7 @@ Properties within the `.global.providerSpecific` object
 | `global.providerSpecific.instanceMetadataOptions` | **Instance metadata options** - Instance metadata options for the EC2 instances in the cluster.|**Type:** `object`<br/>|
 | `global.providerSpecific.instanceMetadataOptions.httpTokens` | **HTTP tokens** - The state of token usage for your instance metadata requests. If you set this parameter to `optional`, you can use either IMDSv1 or IMDSv2. If you set this parameter to `required`, you must use a IMDSv2 to access the instance metadata endpoint. Learn more at [What’s new in IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).|**Type:** `string`<br/>**Default:** `"required"`|
 | `global.providerSpecific.nodePoolAmi` | **Amazon machine image (AMI) for node pools** - If specified, this image will be used to provision EC2 instances for node pools.|**Type:** `string`<br/>|
+| `global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers` | **Use reduced IAM permissions on worker nodes instance profile** - Defaults to true. If something breaks, this can temporarily be disabled in order to bring certain IAM permissions (e.g. EC2) back for the worker nodes' IAM instance profile. Applications must use [IRSA](https://docs.giantswarm.io/tutorials/access-management/iam-roles-for-service-accounts/) to authenticate with the AWS API instead of falling back to the instance profile.|**Type:** `boolean`<br/>**Default:** `true`|
 | `global.providerSpecific.region` | **Region**|**Type:** `string`<br/>|
 
 ### Apps

helm/cluster-aws/templates/_machine_pools.tpl

@@ -6,6 +6,9 @@ metadata:
   labels:
     giantswarm.io/machine-pool: {{ include "resource.default.name" $ }}-{{ $name }}
     {{- include "labels.common" $ | nindent 4 }}
+    {{- if (required "global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers is required" $.Values.global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers) }}
+    alpha.aws.giantswarm.io/reduced-instance-permissions-workers: "true"
+    {{- end }}
     app.kubernetes.io/version: {{ $.Chart.Version | quote }}
   name: {{ include "resource.default.name" $ }}-{{ $name }}
   namespace: {{ $.Release.Namespace }}

helm/cluster-aws/values.schema.json

@@ -1804,6 +1804,12 @@
                             "title": "Amazon machine image (AMI) for node pools",
                             "description": "If specified, this image will be used to provision EC2 instances for node pools."
                         },
+                        "reducedInstanceProfileIamPermissionsForWorkers": {
+                            "type": "boolean",
+                            "title": "Use reduced IAM permissions on worker nodes instance profile",
+                            "description": "Defaults to true. If something breaks, this can temporarily be disabled in order to bring certain IAM permissions (e.g. EC2) back for the worker nodes' IAM instance profile. Applications must use [IRSA](https://docs.giantswarm.io/tutorials/access-management/iam-roles-for-service-accounts/) to authenticate with the AWS API instead of falling back to the instance profile.",
+                            "default": true
+                        },
                         "region": {
                             "type": "string",
                             "title": "Region"

helm/cluster-aws/values.yaml

@@ -383,5 +383,6 @@ global:
     flatcarAwsAccount: "706635527432"
     instanceMetadataOptions:
       httpTokens: required
+    reducedInstanceProfileIamPermissionsForWorkers: true
   release: {}
 internal: {}