terraform-aws-modules/terraform-aws-iam

bug; karpenter controller policy is missing required instance profile permissions introduced in karpenter v0.32

abrabah opened this issue · 2 comments

Description

Karpenter will auto-generate instance profiles as of version v0.32. The karpenter_controller policy in modules/iam-role-for-service-accounts-eks/policies.tf does not currently include statements for manipulating instance profiles.

Updated karpenter policy can be found in the karpenter repository

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: v5.30.1
  • Terraform version: 1.6.3
  • Provider version(s): hashicorp/aws 5.25.0

Reproduction Code [Required]

Run the karpenter_controller_irsa_role module under terraform-aws-iam/examples/iam-role-for-service-accounts-eks:

module "karpenter_controller_irsa_role" {
  source = "../../modules/iam-role-for-service-accounts-eks"

  role_name                          = "karpenter-controller"
  attach_karpenter_controller_policy = true

  karpenter_controller_cluster_name       = module.eks.cluster_name
  karpenter_controller_node_iam_role_arns = [module.eks.eks_managed_node_groups["default"].iam_role_arn]

  oidc_providers = {
    ex = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["karpenter:karpenter"]
    }
  }

  tags = local.tags
}

Steps to reproduce the behavior:

  • Create a module from iam-role-for-service-accounts-eks with attach_karpenter_controller_policy = true
  • Apply changes with terraform
  • Inspect resulting karpenter IAM policy. The policy is missing required instance profile actions

Expected behavior

Expected a series of instance profile actions to be added to the karpenter role

Actual behavior

Found no instance profile actions associated with the karpenter role/policy

Additional context

Related Karpenter policy for the terraform module can be found here

Related Karpenter v0.32 policy can be found here
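Added example for the "inspect the resulting karpenter IAM policy" step (not code from this module, the issue, or Karpenter): a small Python check that reports which instance profile actions an IAM policy document fails to grant, and flags write grants on every resource that carry no Condition. The action list is assumed from the upstream Karpenter v0.32 controller policy, and the sample policy is constructed.

```python
import fnmatch

# Instance profile actions the Karpenter controller needs from v0.32 on, when it
# creates its own instance profiles (list assumed from the upstream v0.32 policy).
REQUIRED_ACTIONS = (
    "iam:CreateInstanceProfile", "iam:TagInstanceProfile",
    "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile",
    "iam:DeleteInstanceProfile", "iam:GetInstanceProfile",
)
WRITE_ACTIONS = tuple(a for a in REQUIRED_ACTIONS if a != "iam:GetInstanceProfile")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, stmt):
    # IAM action matching is case-insensitive and honours '*' / '?' wildcards,
    # so a pattern like "iam:*InstanceProfile" covers every action above.
    patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def missing_actions(policy):
    """Required actions that no Allow statement grants (explicit Denies are not evaluated)."""
    allows = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    return [a for a in REQUIRED_ACTIONS if not any(_matches(a, s) for s in allows)]

def unscoped_write_grants(policy):
    """Sids of Allow statements granting instance profile writes on Resource '*' with
    no Condition; the upstream policy scopes these to profiles tagged for the cluster."""
    return [
        s.get("Sid", "<no Sid>")
        for s in _as_list(policy.get("Statement", []))
        if s.get("Effect") == "Allow"
        and "*" in _as_list(s.get("Resource", []))
        and "Condition" not in s
        and any(_matches(a, s) for a in WRITE_ACTIONS)
    ]

# Constructed sample: a controller policy with EC2 and PassRole grants only, the
# situation this issue reports (no instance profile statements at all).
OLD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Karpenter", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateFleet", "ec2:RunInstances", "ec2:DescribeInstances"]},
        {"Sid": "PassNodeIAMRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/karpenter-node"},
    ],
}
```

Feed it the policy document returned by `aws iam get-policy-version` (or the rendered `aws_iam_policy_document` output) after `terraform apply`; an empty result from `missing_actions` with no Sids from `unscoped_write_grants` is the state to aim for.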

This issue has been resolved in version 5.32.0 🎉

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.