From 60a4653cf1708355d6affa0778d77865dbe4bfb4 Mon Sep 17 00:00:00 2001 From: Andreas Sommer Date: Tue, 14 Jan 2025 15:06:00 +0100 Subject: [PATCH] Use reduced IAM permissions on worker nodes instance profile --- CHANGELOG.md | 4 ++++ helm/cluster-aws/README.md | 1 + helm/cluster-aws/templates/_machine_pools.tpl | 3 +++ helm/cluster-aws/values.schema.json | 6 ++++++ helm/cluster-aws/values.yaml | 1 + 5 files changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 52ab3e1d..ef0eff09 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- Use reduced IAM permissions on worker nodes instance profile + ## [2.5.0] - 2024-12-13 ### Added diff --git a/helm/cluster-aws/README.md b/helm/cluster-aws/README.md index ac8eb313..89139598 100644 --- a/helm/cluster-aws/README.md +++ b/helm/cluster-aws/README.md @@ -29,6 +29,7 @@ Properties within the `.global.providerSpecific` object | `global.providerSpecific.instanceMetadataOptions` | **Instance metadata options** - Instance metadata options for the EC2 instances in the cluster.|**Type:** `object`
| | `global.providerSpecific.instanceMetadataOptions.httpTokens` | **HTTP tokens** - The state of token usage for your instance metadata requests. If you set this parameter to `optional`, you can use either IMDSv1 or IMDSv2. If you set this parameter to `required`, you must use a IMDSv2 to access the instance metadata endpoint. Learn more at [What’s new in IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).|**Type:** `string`
**Default:** `"required"`| | `global.providerSpecific.nodePoolAmi` | **Amazon machine image (AMI) for node pools** - If specified, this image will be used to provision EC2 instances for node pools.|**Type:** `string`
| +| `global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers` | **Use reduced IAM permissions on worker nodes instance profile** - Defaults to true. If something breaks, this can temporarily be disabled in order to bring certain IAM permissions (e.g. EC2) back for the worker nodes' IAM instance profile. Applications must use [IRSA](https://docs.giantswarm.io/tutorials/access-management/iam-roles-for-service-accounts/) to authenticate with the AWS API instead of falling back to the instance profile.|**Type:** `boolean`
**Default:** `true`| | `global.providerSpecific.region` | **Region**|**Type:** `string`
| ### Apps diff --git a/helm/cluster-aws/templates/_machine_pools.tpl b/helm/cluster-aws/templates/_machine_pools.tpl index fa2b4d1a..f7072b56 100644 --- a/helm/cluster-aws/templates/_machine_pools.tpl +++ b/helm/cluster-aws/templates/_machine_pools.tpl @@ -6,6 +6,9 @@ metadata: labels: giantswarm.io/machine-pool: {{ include "resource.default.name" $ }}-{{ $name }} {{- include "labels.common" $ | nindent 4 }} + {{- if (required "global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers is required" $.Values.global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers) }} + alpha.aws.giantswarm.io/reduced-instance-permissions-workers: "true" + {{- end }} app.kubernetes.io/version: {{ $.Chart.Version | quote }} name: {{ include "resource.default.name" $ }}-{{ $name }} namespace: {{ $.Release.Namespace }} diff --git a/helm/cluster-aws/values.schema.json b/helm/cluster-aws/values.schema.json index 4736d14a..91d79b9e 100644 --- a/helm/cluster-aws/values.schema.json +++ b/helm/cluster-aws/values.schema.json @@ -1804,6 +1804,12 @@ "title": "Amazon machine image (AMI) for node pools", "description": "If specified, this image will be used to provision EC2 instances for node pools." }, + "reducedInstanceProfileIamPermissionsForWorkers": { + "type": "boolean", + "title": "Use reduced IAM permissions on worker nodes instance profile", + "description": "Defaults to true. If something breaks, this can temporarily be disabled in order to bring certain IAM permissions (e.g. EC2) back for the worker nodes' IAM instance profile. Applications must use [IRSA](https://docs.giantswarm.io/tutorials/access-management/iam-roles-for-service-accounts/) to authenticate with the AWS API instead of falling back to the instance profile.", + "default": true + }, "region": { "type": "string", "title": "Region" diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml index 2825ef57..fe9370f6 100644 --- a/helm/cluster-aws/values.yaml 
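Review bot: The new `if` block emits `alpha.aws.giantswarm.io/reduced-instance-permissions-workers: "true"` only when the flag is true and omits the label entirely otherwise, so whatever consumes the label (nothing in this chart does) must treat absence as "keep the existing, broader instance profile"; the template does not say this, and a reader may expect `false` to render as `"false"`. Helm's `required` only rejects nil and the empty string, so `false` passes through and correctly skips the label while an unset value aborts rendering — that is the intended guard, but it is non-obvious inside an `if`. I would add a template comment above the new `if`: `{{/* Opt-in marker, consumed outside this chart, that switches the worker nodes' instance profile to the reduced IAM policy; when the flag is false the label is omitted and the broader profile stays in place. */}}`. The enclosing MachinePool definition starts and ends outside the hunk.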
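Review bot: The new `description` explains how to disable the reduced permissions but not what disabling costs, which is the point an operator needs before flipping it: any permission left on the worker instance profile is reachable by every pod on that node that can talk to the instance metadata service, and `httpTokens: required` (the only metadata option this chart exposes, per the surrounding values) hardens the request but does not by itself keep pods away from the endpoint. I would append to the description: `Disabling this re-exposes the broader instance-profile permissions to every workload on the node that can reach the instance metadata service, so treat it as a temporary, tracked exception rather than a default.` The leading "Defaults to true." duplicates the `"default": true` field that the README generator already renders as the **Default** column, so it can be dropped from the prose. The enclosing `providerSpecific` properties object starts and ends outside the hunk.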
+++ b/helm/cluster-aws/values.yaml @@ -383,5 +383,6 @@ global: flatcarAwsAccount: "706635527432" instanceMetadataOptions: httpTokens: required + reducedInstanceProfileIamPermissionsForWorkers: true release: {} internal: {}