
Reduce IAM Policy Size #3181

Open
Giaco9NN opened this issue Oct 18, 2024 · 2 comments

Comments


Giaco9NN commented Oct 18, 2024

Is your request related to a problem? Please describe.

During the upgrade from v0.37.x to v1.0.0, the IAM permissions required by karpenter changed, so the policy changed. By adding the parameter enable_v1_permissions = true, deploying the module throws the following error:

│ Error: updating IAM Policy (arn:aws-us-gov:iam::043318617890:policy/KarpenterController-20240212160616829700000005): operation error IAM: CreatePolicyVersion, https response error StatusCode: 409, RequestID: 5488c390-778f-4495-b6e0-1145b1564ca4, LimitExceeded: Cannot exceed quota for PolicySize: 6144

I'm deploying the module in the us-gov-east-1 region, and the cluster name is "gov-east-1-data-engineering-cluster-1-31" (which can't be changed). I'm attaching the generated policy, which is 6269 characters long.

terraform-aws-eks-3181.txt

Describe the solution you'd like.

I think there are a few alternatives without compromising the permissions.
We could reduce the Sids. In total, they are 482 characters.
Another option would be to split the policies into a couple of managed policies.
The last option I can think of is to give the user the possibility to customise the policy by exposing the document as output and deciding whether to create it. In this way, the user can instrument the module to not create the managed policy but to customize the document and create the policy themselves.

In my opinion, considering it is not possible to customize the policy, we could just reduce the Sids.
I would like to help with the implementation of the solution you pick :)

Describe alternatives you've considered.

In my environments, I set the parameter enable_v1_permissions = false and created the policy by reducing the Sid sizes.

Additional context

Here is how I'm using the module:

module "karpenter" {
  source                          = "terraform-aws-modules/eks/aws//modules/karpenter"
  version                         = "20.26.0"
  cluster_name                    = module.eks.cluster_name
  enable_pod_identity             = false
  enable_irsa                     = true
  create_iam_role                 = true
  iam_role_name                   = "KarpenterController"
  iam_role_use_name_prefix        = false
  irsa_oidc_provider_arn          = module.eks.oidc_provider_arn
  ami_id_ssm_parameter_arns       = ["arn:*:ssm:*:*:parameter/aws/service/*"]
  irsa_namespace_service_accounts = ["kube-system:karpenter"]
  create_instance_profile         = false
  create_node_iam_role            = false
  create_access_entry             = false
  node_iam_role_arn               = local.workers_node_group_role_arn
  enable_v1_permissions           = false
  enable_spot_termination         = true
  tags                            = var.tags
}
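The two size-reduction options proposed above (dropping or shortening Sids, and splitting the statements across several managed policies), as an added Python example that is not part of this issue or of the terraform-aws-eks module. It measures a policy document the way IAM does, counting characters excluding whitespace against the 6144-character managed-policy quota; the sample policy, its Sids and its ARNs are constructed for illustration and are not the real Karpenter policy.

```python
import json

# IAM quota for one customer-managed policy document; IAM does not count whitespace.
MANAGED_POLICY_MAX_CHARS = 6144

def policy_size(policy: dict) -> int:
    """Size as IAM measures it: characters of the JSON document, whitespace excluded."""
    compact = json.dumps(policy, separators=(",", ":"))
    return sum(1 for ch in compact if not ch.isspace())

def strip_sids(policy: dict) -> dict:
    """Copy of the policy without Sids; Sid is optional and does not affect evaluation."""
    out = json.loads(json.dumps(policy))
    for stmt in out["Statement"]:
        stmt.pop("Sid", None)
    return out

def split_policy(policy: dict, limit: int = MANAGED_POLICY_MAX_CHARS) -> list:
    """Partition Statements, in order and intact, into documents that each fit `limit`."""
    def doc(stmts):
        return {"Version": policy["Version"], "Statement": stmts}
    docs, current = [], []
    for stmt in policy["Statement"]:
        if policy_size(doc(current + [stmt])) <= limit:
            current.append(stmt)
            continue
        if not current or policy_size(doc([stmt])) > limit:
            raise ValueError("one Statement alone exceeds the quota; split its Action/Resource lists")
        docs.append(doc(current))  # close the current document and start a new one
        current = [stmt]
    docs.append(doc(current))
    return docs

# Constructed sample in the style of a Karpenter controller policy (not the real one).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowScopedEC2InstanceAccessActions", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateFleet"],
         "Resource": "arn:aws-us-gov:ec2:us-gov-east-1::image/*"},
        {"Sid": "AllowScopedEC2LaunchTemplateAccessActions", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateFleet"],
         "Resource": "arn:aws-us-gov:ec2:us-gov-east-1:*:launch-template/*"},
        {"Sid": "AllowRegionalReadActions", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeLaunchTemplates"],
         "Resource": "*"},
    ],
}
```

Feed the attached policy JSON to `policy_size` and `strip_sids` to see exactly how many characters the Sids cost, and to `split_policy` to see how many managed policies a split would need.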

@bryantbiggs
Member

these match the upstream policy

github-actions bot commented:

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

@github-actions github-actions bot added the stale label Nov 18, 2024