Skip to content

Commit 9de2b87

Browse files
ConnorJC3ConnorJC3
authored
Migrate EBS CSI policy to AmazonEBSCSIDriverPolicy managed policy (#8422)
1 parent 88a1dc5 commit 9de2b87

6 files changed

Lines changed: 17 additions & 294 deletions

File tree

pkg/actions/addon/create_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -979,7 +979,7 @@ var _ = Describe("Create", func() {
979979
Expect(rsr).To(BeAssignableToTypeOf(&builder.IAMRoleResourceSet{}))
980980
output, err := rsr.(*builder.IAMRoleResourceSet).RenderJSON()
981981
Expect(err).NotTo(HaveOccurred())
982-
Expect(string(output)).To(ContainSubstring("PolicyEBSCSIController"))
982+
Expect(string(output)).To(ContainSubstring("service-role/AmazonEBSCSIDriverPolicy"))
983983
rsr.(*builder.IAMRoleResourceSet).OutputRole = "arn:aws:iam::111122223333:role/role-name-1"
984984
return nil
985985
}

pkg/cfn/builder/iam.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,7 @@ const (
3030
iamPolicyAmazonEC2ContainerRegistryPullOnly = "AmazonEC2ContainerRegistryPullOnly"
3131
iamPolicyCloudWatchAgentServerPolicy = "CloudWatchAgentServerPolicy"
3232
iamPolicyAmazonSSMManagedInstanceCore = "AmazonSSMManagedInstanceCore"
33+
iamPolicyAmazonEBSCSIDriverPolicy = "service-role/AmazonEBSCSIDriverPolicy"
3334

3435
iamPolicyAmazonEKSFargatePodExecutionRolePolicy = "AmazonEKSFargatePodExecutionRolePolicy"
3536
)

pkg/cfn/builder/iam_helper.go

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -65,8 +65,8 @@ func createWellKnownPolicies(wellKnownPolicies api.WellKnownPolicies) ([]managed
6565
)
6666
}
6767
if wellKnownPolicies.EBSCSIController {
68-
customPolicies = append(customPolicies,
69-
customPolicyForRole{Name: "PolicyEBSCSIController", Statements: ebsStatements()},
68+
managedPolicies = append(managedPolicies,
69+
managedPolicyForRole{name: iamPolicyAmazonEBSCSIDriverPolicy},
7070
)
7171
}
7272
if wellKnownPolicies.EFSCSIController {
@@ -125,10 +125,6 @@ func createRole(cfnTemplate cfnTemplate, clusterIAMConfig *api.ClusterIAM, iamCo
125125
cfnTemplate.attachAllowPolicy("PolicyAppMeshPreview", refIR, appMeshStatements("appmesh-preview:*"))
126126
}
127127

128-
if api.IsEnabled(iamConfig.WithAddonPolicies.EBS) {
129-
cfnTemplate.attachAllowPolicy("PolicyEBS", refIR, ebsStatements())
130-
}
131-
132128
if api.IsEnabled(iamConfig.WithAddonPolicies.FSX) {
133129
cfnTemplate.attachAllowPolicy("PolicyFSX", refIR, fsxStatements())
134130
cfnTemplate.attachAllowPolicy("PolicyServiceLinkRole", refIR, serviceLinkRoleStatements())
@@ -178,6 +174,10 @@ func makeManagedPolicies(iamCluster *api.ClusterIAM, iamConfig *api.NodeGroupIAM
178174
managedPolicyNames.Insert(iamPolicyCloudWatchAgentServerPolicy)
179175
}
180176

177+
if api.IsEnabled(iamConfig.WithAddonPolicies.EBS) {
178+
managedPolicyNames.Insert(iamPolicyAmazonEBSCSIDriverPolicy)
179+
}
180+
181181
for _, policyARN := range iamConfig.AttachPolicyARNs {
182182
parsedARN, err := arn.Parse(policyARN)
183183
if err != nil {

pkg/cfn/builder/iam_test.go

Lines changed: 6 additions & 146 deletions
Original file line numberDiff line numberDiff line change
@@ -283,20 +283,22 @@ var _ = Describe("template builder for IAM", func() {
283283

284284
Expect(t.Description).To(Equal("IAM role for serviceaccount \"default/sa-1\" [created and managed by eksctl]"))
285285

286-
Expect(t.Resources).To(HaveLen(10))
286+
Expect(t.Resources).To(HaveLen(9))
287287
Expect(t.Outputs).To(HaveLen(1))
288288

289289
Expect(t).To(HaveResource(outputs.IAMServiceAccountRoleName, "AWS::IAM::Role"))
290290

291291
Expect(t).To(HaveResourceWithPropertyValue(outputs.IAMServiceAccountRoleName, "AssumeRolePolicyDocument", expectedServiceAccountAssumeRolePolicyDocument))
292292
Expect(t).To(HaveResourceWithPropertyValue(outputs.IAMServiceAccountRoleName, "ManagedPolicyArns", `[
293-
{
293+
{
294294
"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
295-
}
295+
},
296+
{
297+
"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
298+
}
296299
]`))
297300
Expect(t).To(HaveOutputWithValue(outputs.IAMServiceAccountRoleName, `{ "Fn::GetAtt": "Role1.Arn" }`))
298301
Expect(t).To(HaveResourceWithPropertyValue("PolicyAWSLoadBalancerController", "PolicyDocument", expectedAWSLoadBalancerControllerPolicyDocument))
299-
Expect(t).To(HaveResourceWithPropertyValue("PolicyEBSCSIController", "PolicyDocument", expectedEbsPolicyDocument))
300302
})
301303

302304
It("can parse an iamserviceaccount addon template", func() {
@@ -744,145 +746,3 @@ const expectedAWSLoadBalancerControllerPolicyDocument = `{
744746
],
745747
"Version": "2012-10-17"
746748
}`
747-
748-
const expectedEbsPolicyDocument = `{
749-
"Statement": [
750-
{
751-
"Action": [
752-
"ec2:CreateSnapshot",
753-
"ec2:AttachVolume",
754-
"ec2:DetachVolume",
755-
"ec2:ModifyVolume",
756-
"ec2:DescribeAvailabilityZones",
757-
"ec2:DescribeInstances",
758-
"ec2:DescribeSnapshots",
759-
"ec2:DescribeTags",
760-
"ec2:DescribeVolumes",
761-
"ec2:DescribeVolumesModifications"
762-
],
763-
"Effect": "Allow",
764-
"Resource": "*"
765-
},
766-
{
767-
"Action": [
768-
"ec2:CreateTags"
769-
],
770-
"Condition": {
771-
"StringEquals": {
772-
"ec2:CreateAction": [
773-
"CreateVolume",
774-
"CreateSnapshot"
775-
]
776-
}
777-
},
778-
"Effect": "Allow",
779-
"Resource": [
780-
{
781-
"Fn::Sub": "arn:${AWS::Partition}:ec2:*:*:volume/*"
782-
},
783-
{
784-
"Fn::Sub": "arn:${AWS::Partition}:ec2:*:*:snapshot/*"
785-
}
786-
]
787-
},
788-
{
789-
"Action": [
790-
"ec2:DeleteTags"
791-
],
792-
"Effect": "Allow",
793-
"Resource": [
794-
{
795-
"Fn::Sub": "arn:${AWS::Partition}:ec2:*:*:volume/*"
796-
},
797-
{
798-
"Fn::Sub": "arn:${AWS::Partition}:ec2:*:*:snapshot/*"
799-
}
800-
]
801-
},
802-
{
803-
"Action": [
804-
"ec2:CreateVolume"
805-
],
806-
"Condition": {
807-
"StringLike": {
808-
"aws:RequestTag/ebs.csi.aws.com/cluster": "true"
809-
}
810-
},
811-
"Effect": "Allow",
812-
"Resource": "*"
813-
},
814-
{
815-
"Action": [
816-
"ec2:CreateVolume"
817-
],
818-
"Condition": {
819-
"StringLike": {
820-
"aws:RequestTag/CSIVolumeName": "*"
821-
}
822-
},
823-
"Effect": "Allow",
824-
"Resource": "*"
825-
},
826-
{
827-
"Action": [
828-
"ec2:DeleteVolume"
829-
],
830-
"Condition": {
831-
"StringLike": {
832-
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
833-
}
834-
},
835-
"Effect": "Allow",
836-
"Resource": "*"
837-
},
838-
{
839-
"Action": [
840-
"ec2:DeleteVolume"
841-
],
842-
"Condition": {
843-
"StringLike": {
844-
"ec2:ResourceTag/CSIVolumeName": "*"
845-
}
846-
},
847-
"Effect": "Allow",
848-
"Resource": "*"
849-
},
850-
{
851-
"Action": [
852-
"ec2:DeleteVolume"
853-
],
854-
"Condition": {
855-
"StringLike": {
856-
"ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
857-
}
858-
},
859-
"Effect": "Allow",
860-
"Resource": "*"
861-
},
862-
{
863-
"Action": [
864-
"ec2:DeleteSnapshot"
865-
],
866-
"Condition": {
867-
"StringLike": {
868-
"ec2:ResourceTag/CSIVolumeSnapshotName": "*"
869-
}
870-
},
871-
"Effect": "Allow",
872-
"Resource": "*"
873-
},
874-
{
875-
"Action": [
876-
"ec2:DeleteSnapshot"
877-
],
878-
"Condition": {
879-
"StringLike": {
880-
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
881-
}
882-
},
883-
"Effect": "Allow",
884-
"Resource": "*"
885-
}
886-
],
887-
"Version": "2012-10-17"
888-
}`

pkg/cfn/builder/nodegroup_test.go

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -467,11 +467,9 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
467467
ng.IAM.WithAddonPolicies.EBS = aws.Bool(true)
468468
})
469469

470-
It("adds PolicyEBS to the role", func() {
471-
Expect(ngTemplate.Resources).To(HaveKey("PolicyEBS"))
472-
473-
Expect(ngTemplate.Resources["PolicyEBS"].Properties.Roles).To(HaveLen(1))
474-
Expect(isRefTo(ngTemplate.Resources["PolicyEBS"].Properties.Roles[0], "NodeInstanceRole")).To(BeTrue())
470+
It("adds the AmazonEBSCSIDriverPolicy managed policy to the role", func() {
471+
Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(HaveLen(5))
472+
Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(ContainElement(makePolicyARNRef("service-role/AmazonEBSCSIDriverPolicy")))
475473
})
476474
})
477475

pkg/cfn/builder/statement.go

Lines changed: 0 additions & 136 deletions
Original file line numberDiff line numberDiff line change
@@ -368,142 +368,6 @@ func appMeshStatements(appendAction string) []cft.MapOfInterfaces {
368368
}
369369
}
370370

371-
func ebsStatements() []cft.MapOfInterfaces {
372-
return []cft.MapOfInterfaces{
373-
{
374-
"Effect": "Allow",
375-
"Action": []string{
376-
"ec2:CreateSnapshot",
377-
"ec2:AttachVolume",
378-
"ec2:DetachVolume",
379-
"ec2:ModifyVolume",
380-
"ec2:DescribeAvailabilityZones",
381-
"ec2:DescribeInstances",
382-
"ec2:DescribeSnapshots",
383-
"ec2:DescribeTags",
384-
"ec2:DescribeVolumes",
385-
"ec2:DescribeVolumesModifications",
386-
},
387-
"Resource": "*",
388-
},
389-
{
390-
"Effect": "Allow",
391-
"Action": []string{
392-
"ec2:CreateTags",
393-
},
394-
"Resource": []*gfnt.Value{
395-
addARNPartitionPrefix("ec2:*:*:volume/*"),
396-
addARNPartitionPrefix("ec2:*:*:snapshot/*"),
397-
},
398-
"Condition": cft.MapOfInterfaces{
399-
"StringEquals": cft.MapOfInterfaces{
400-
"ec2:CreateAction": []string{
401-
"CreateVolume",
402-
"CreateSnapshot",
403-
},
404-
},
405-
},
406-
},
407-
{
408-
"Effect": "Allow",
409-
"Action": []string{
410-
"ec2:DeleteTags",
411-
},
412-
"Resource": []*gfnt.Value{
413-
addARNPartitionPrefix("ec2:*:*:volume/*"),
414-
addARNPartitionPrefix("ec2:*:*:snapshot/*"),
415-
},
416-
},
417-
{
418-
"Effect": "Allow",
419-
420-
"Action": []string{
421-
422-
"ec2:CreateVolume",
423-
},
424-
"Resource": "*",
425-
"Condition": cft.MapOfInterfaces{
426-
"StringLike": cft.MapOfInterfaces{
427-
"aws:RequestTag/ebs.csi.aws.com/cluster": "true",
428-
},
429-
},
430-
},
431-
{
432-
"Effect": "Allow",
433-
"Action": []string{
434-
"ec2:CreateVolume",
435-
},
436-
"Resource": "*",
437-
"Condition": cft.MapOfInterfaces{
438-
"StringLike": cft.MapOfInterfaces{
439-
"aws:RequestTag/CSIVolumeName": "*",
440-
},
441-
},
442-
},
443-
{
444-
"Effect": "Allow",
445-
"Action": []string{
446-
"ec2:DeleteVolume",
447-
},
448-
"Resource": "*",
449-
"Condition": cft.MapOfInterfaces{
450-
"StringLike": cft.MapOfInterfaces{
451-
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true",
452-
},
453-
},
454-
},
455-
{
456-
"Effect": "Allow",
457-
458-
"Action": []string{
459-
"ec2:DeleteVolume",
460-
},
461-
"Resource": "*",
462-
"Condition": cft.MapOfInterfaces{
463-
"StringLike": cft.MapOfInterfaces{
464-
"ec2:ResourceTag/CSIVolumeName": "*",
465-
},
466-
},
467-
},
468-
{
469-
"Effect": "Allow",
470-
"Action": []string{
471-
"ec2:DeleteVolume",
472-
},
473-
"Resource": "*",
474-
"Condition": cft.MapOfInterfaces{
475-
"StringLike": cft.MapOfInterfaces{
476-
"ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*",
477-
},
478-
},
479-
},
480-
{
481-
"Effect": "Allow",
482-
"Action": []string{
483-
"ec2:DeleteSnapshot",
484-
},
485-
"Resource": "*",
486-
"Condition": cft.MapOfInterfaces{
487-
"StringLike": cft.MapOfInterfaces{
488-
"ec2:ResourceTag/CSIVolumeSnapshotName": "*",
489-
},
490-
},
491-
},
492-
{
493-
"Effect": "Allow",
494-
"Action": []string{
495-
"ec2:DeleteSnapshot",
496-
},
497-
"Resource": "*",
498-
"Condition": cft.MapOfInterfaces{
499-
"StringLike": cft.MapOfInterfaces{
500-
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true",
501-
},
502-
},
503-
},
504-
}
505-
}
506-
507371
func serviceLinkRoleStatements() []cft.MapOfInterfaces {
508372
return []cft.MapOfInterfaces{
509373
{

0 commit comments

Comments
 (0)