From 3989e399ba585a69b2f2d956c3d1538690582ab4 Mon Sep 17 00:00:00 2001
From: toby-archer-tr <149683518+toby-archer-tr@users.noreply.github.com>
Date: Sun, 19 Jan 2025 16:47:54 +0100
Subject: [PATCH 1/3] Update cluster_api_controller.go

---
 .../bootstrap/cluster_api_controller.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
index 049de10431..f6c2a53ee5 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -409,6 +409,20 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 		})
 	}
 
+	if !t.Spec.EKS.ManagedMachinePools.Disabled {
+		statements = append(statements, iamv1.StatementEntry{
+			Action: iamv1.Actions{
+				"iam:GetPolicy",
+			},
+			Resources: iamv1.Resources{
+				"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+				"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+				"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+			}
+			Effect: iamv1.EffectAllow
+		})
+	}
+
 	statements = append(statements, []iamv1.StatementEntry{
 		{
 			Action: allowedIAMActions,

From a7309944030965c1333bcc8d7bb97e790fc47d15 Mon Sep 17 00:00:00 2001
From: toby-archer-tr <149683518+toby-archer-tr@users.noreply.github.com>
Date: Thu, 23 Jan 2025 11:13:14 +0100
Subject: [PATCH 2/3] Update cluster_api_controller.go

---
 .../cloudformation/bootstrap/cluster_api_controller.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
index f6c2a53ee5..cf78b89486 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -418,8 +418,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 				"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
 				"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
 				"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
-			}
-			Effect: iamv1.EffectAllow
+			},
+			Effect: iamv1.EffectAllow,
 		})
 	}
 

From a19efa10977ed473c047b603235dd957b1501015 Mon Sep 17 00:00:00 2001
From: Toby Archer
Date: Fri, 7 Feb 2025 16:12:30 +0100
Subject: [PATCH 3/3] Fix managedmachinepool additional roles

---
 .../cloudformation/bootstrap/cluster_api_controller.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
index cf78b89486..1c91b1486a 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -409,14 +409,14 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 		})
 	}
 
-	if !t.Spec.EKS.ManagedMachinePools.Disabled {
+	if !t.Spec.EKS.ManagedMachinePool.Disable {
 		statements = append(statements, iamv1.StatementEntry{
 			Action: iamv1.Actions{
 				"iam:GetPolicy",
 			},
-			Resources: iamv1.Resources{
+			Resource: iamv1.Resources{
 				"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
-				"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+				"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
 				"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
 			},
 			Effect: iamv1.EffectAllow,
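Review bot: The three managed-policy ARNs on the new `Resource` list hardcode the `aws` partition, so in an `aws-cn` or `aws-us-gov` account the `iam:GetPolicy` grant matches nothing and the managed machine pool path would presumably be denied there. If the rest of this file derives ARNs from a configured partition or uses a partition wildcard, these should follow the same pattern, e.g. `"arn:*:iam::aws:policy/AmazonEKSWorkerNodePolicy"` (or `fmt.Sprintf("arn:%s:iam::aws:policy/AmazonEKSWorkerNodePolicy", t.Spec.Partition)` if such a field and the `fmt` import are already in scope). The grant itself is read-only against AWS-managed policies, so it stays narrow; a comment above the guard such as `// Reading the default EKS node policies is needed when reconciling managed machine pools (presumably because their node role attaches them) — confirm against the controller.` would record why the controller needs it, since the consumer is not visible in this patch. `ControllersPolicyEKS` begins before this hunk and continues past it.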