Closed jonathanbeber closed 6 months ago
@jonathanbeber thanks for raising this. Similar to the issue linked I based the IAM policy on the CloudFormation example from the Karpenter docs. Looking at https://github.com/aws/karpenter-provider-aws/pull/5290 it seems like we need to add a few conditional actions. I will try to get this sorted shortly.
@jonathanbeber in that issue that I raised, I found that there are two copies, for version 0.33.0, of the IAM policy - one is a standalone file as part of the v1beta update process.
However the policy is also provided in the CloudFormation code. When I compared the standalone 0.33.0 policy with the policy in the 0.33.0 version of the CloudFormation code, they are not the same.
I don't use CloudFormation, I use Terraform. So the fix on my part was to take the policy from CloudFormation (and drop the standalone file) and convert it to Terraform and ignore that standalone file I found.
In the https://github.com/aws/karpenter-provider-aws/issues/5270 I tried to call out that having the policy in two places, with different content, but with the same version number is detrimental, however I'm not sure that I was able to effect any change there.
Hopefully this helps.
The project is missing the `ec2:CreateTags` permission in here. Without it, deploying Karpenter v0.33.0 results in an error when trying to launch spot instances:

I could solve it by manually adding `ec2:CreateTags` in line 481.

Seems similar to https://github.com/aws/karpenter-provider-aws/issues/5270 and I don't fully get what was the solution in there, since it seems like @jls-appfire had to patch the role manually.
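The two problems raised in this thread, a policy that lacks `ec2:CreateTags` and two copies of the "same" policy version with different content, can both be caught before deployment by reading the policy documents. The script below is an added example, not code from this module or from Karpenter; the sample policies and the `REQUIRED` list are constructed for illustration (the `ec2:CreateAction` condition key is a real EC2 condition key, but the statements are not the upstream policy).

```python
"""Check an IAM policy document for required actions and diff two copies of a policy."""
import fnmatch
import json


def _as_list(value):
    """IAM allows a string or a list for Action/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Return the set of (lowercased) Action patterns granted by Allow statements."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    actions = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(a.lower() for a in _as_list(stmt.get("Action")))
    return actions


def missing_actions(policy, required):
    """Required actions not covered by any Allow pattern (wildcards such as ec2:* are honoured)."""
    granted = allowed_actions(policy)
    return sorted(a for a in required
                  if not any(fnmatch.fnmatchcase(a.lower(), g) for g in granted))


def policy_diff(policy_a, policy_b):
    """Action patterns present in one copy of a policy but not in the other."""
    a, b = allowed_actions(policy_a), allowed_actions(policy_b)
    return sorted(a - b), sorted(b - a)


# Constructed sample policies (not the real Karpenter or CloudFormation documents):
# the second copy lacks ec2:CreateTags, the symptom reported in this issue.
POLICY_WITH_TAGS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:CreateFleet"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:CreateAction": ["RunInstances", "CreateFleet"]}}},
]}
POLICY_WITHOUT_TAGS = {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:CreateFleet"], "Resource": "*"}}

# Assumed list of actions the controller needs; ec2:CreateTags is the one reported missing.
REQUIRED = ["ec2:RunInstances", "ec2:CreateFleet", "ec2:CreateTags"]

if __name__ == "__main__":
    print(missing_actions(POLICY_WITHOUT_TAGS, REQUIRED))      # ['ec2:CreateTags']
    print(policy_diff(POLICY_WITH_TAGS, POLICY_WITHOUT_TAGS))  # (['ec2:createtags'], [])
```

The check only looks at Allow actions; Deny statements, Resource scoping and Condition blocks are not evaluated, so a policy can pass here and still be rejected by EC2 if its condition (for example the `ec2:CreateAction` value) does not match the call.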