Add VPCResourceController policy and opt-out (eksctl-io#2610)

laurovenancio · Sep 3, 2020 · fe364e1 · fe364e1
1 parent d9a8451
commit fe364e1
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 9 deletions.
diff --git a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
@@ -182,6 +182,12 @@
           "description": "permissions boundary for all identity-based entities created by eksctl. See [AWS Permission Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)",
           "x-intellij-html-description": "permissions boundary for all identity-based entities created by eksctl. See <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html\">AWS Permission Boundary</a>"
         },
+        "vpcResourceControllerPolicy": {
+          "type": "boolean",
+          "description": "attaches the IAM policy necessary to run the VPC controller in the control plane",
+          "x-intellij-html-description": "attaches the IAM policy necessary to run the VPC controller in the control plane",
+          "default": true
+        },
         "withOIDC": {
           "type": "boolean",
           "description": "enables the IAM OIDC provider",
@@ -194,7 +200,8 @@
         "fargatePodExecutionRoleARN",
         "fargatePodExecutionRolePermissionsBoundary",
         "withOIDC",
-        "serviceAccounts"
+        "serviceAccounts",
+        "vpcResourceControllerPolicy"
       ],
       "additionalProperties": false,
       "description": "holds all IAM attributes of a cluster",

diff --git a/pkg/apis/eksctl.io/v1alpha5/defaults.go b/pkg/apis/eksctl.io/v1alpha5/defaults.go
@@ -16,6 +16,10 @@ func SetClusterConfigDefaults(cfg *ClusterConfig) {
 		cfg.IAM.WithOIDC = Disabled()
 	}
 
+	if cfg.IAM.VPCResourceControllerPolicy == nil {
+		cfg.IAM.VPCResourceControllerPolicy = Enabled()
+	}
+
 	for _, sa := range cfg.IAM.ServiceAccounts {
 		if sa.Namespace == "" {
 			sa.Namespace = metav1.NamespaceDefault

diff --git a/pkg/apis/eksctl.io/v1alpha5/iam.go b/pkg/apis/eksctl.io/v1alpha5/iam.go
@@ -39,6 +39,11 @@ type ClusterIAM struct {
 	// See [IAM Service Accounts](/iamserviceaccounts/#usage-with-config-files)
 	// +optional
 	ServiceAccounts []*ClusterIAMServiceAccount `json:"serviceAccounts,omitempty"`
+
+	// VPCResourceControllerPolicy attaches the IAM policy
+	// necessary to run the VPC controller in the control plane
+	// Defaults to `true`
+	VPCResourceControllerPolicy *bool `json:"vpcResourceControllerPolicy,omitempty"`
 }
 
 // ClusterIAMMeta holds information we can use to create ObjectMeta for service

diff --git a/pkg/apis/eksctl.io/v1alpha5/schema.go b/pkg/apis/eksctl.io/v1alpha5/schema.go
diff --git a/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go b/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go
diff --git a/pkg/cfn/builder/api_test.go b/pkg/cfn/builder/api_test.go
@@ -2517,7 +2517,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 			Expect(clusterTemplate.Resources["ServiceRole"].Properties).ToNot(BeNil())
 
 			Expect(clusterTemplate.Resources["ServiceRole"].Properties.ManagedPolicyArns).To(Equal(
-				makePolicyARNRef("AmazonEKSClusterPolicy")),
+				makePolicyARNRef("AmazonEKSClusterPolicy", "AmazonEKSVPCResourceController")),
 			)
 
 			checkARPD([]string{"EKS", "EKSFargatePods"}, clusterTemplate.Resources["ServiceRole"].Properties.AssumeRolePolicyDocument)

diff --git a/pkg/cfn/builder/iam.go b/pkg/cfn/builder/iam.go
@@ -15,7 +15,8 @@ import (
 )
 
 const (
-	iamPolicyAmazonEKSClusterPolicy = "AmazonEKSClusterPolicy"
+	iamPolicyAmazonEKSClusterPolicy         = "AmazonEKSClusterPolicy"
+	iamPolicyAmazonEKSVPCResourceController = "AmazonEKSVPCResourceController"
 
 	iamPolicyAmazonEKSWorkerNodePolicy           = "AmazonEKSWorkerNodePolicy"
 	iamPolicyAmazonEKSCNIPolicy                  = "AmazonEKS_CNI_Policy"
@@ -71,16 +72,21 @@ func (c *ClusterResourceSet) addResourcesForIAM() {
 
 	c.rs.withIAM = true
 
+	managedPolicyArns := []string{
+		iamPolicyAmazonEKSClusterPolicy,
+	}
+	if !api.IsDisabled(c.spec.IAM.VPCResourceControllerPolicy) {
+		managedPolicyArns = append(managedPolicyArns, iamPolicyAmazonEKSVPCResourceController)
+	}
+
 	role := &gfniam.Role{
 		AssumeRolePolicyDocument: cft.MakeAssumeRolePolicyDocumentForServices(
 			MakeServiceRef("EKS"),
 			// Ensure that EKS can schedule pods onto Fargate, should the user
 			// define so-called "Fargate profiles" in order to do so:
 			MakeServiceRef("EKSFargatePods"),
 		),
-		ManagedPolicyArns: gfnt.NewSlice(makePolicyARNs(
-			iamPolicyAmazonEKSClusterPolicy,
-		)...),
+		ManagedPolicyArns: gfnt.NewSlice(makePolicyARNs(managedPolicyArns...)...),
 	}
 	if api.IsSetAndNonEmptyString(c.spec.IAM.ServiceRolePermissionsBoundary) {
 		role.PermissionsBoundary = gfnt.NewString(*c.spec.IAM.ServiceRolePermissionsBoundary)