eksctl will report the following logs and not create IRSA for the VPC CNI addon:

```
not required for "vpc-cni" addon; any IRSA configuration or pod identity associations will be ignored
```

The created VPC CNI addon does not have IRSA configuration even if I specified it in the config.

How to reproduce it?

Use the following config:

```yaml
addons:
  - name: vpc-cni
    attachPolicyARNs:
      - arn:aws:iam::account:policy/AmazonEKS_CNI_Policy
```

Logs

```
2024-06-24 03:21:09 [!] IAM permissions are not required for "vpc-cni" addon; any IRSA configuration or pod identity associations will be ignored
2024-06-24 03:21:09 [ℹ] creating addon
2024-06-24 03:21:20 [ℹ] addon "vpc-cni" active
```

Anything else we need to know?

VPC CNI needs AmazonEKS_CNI_Policy; usually we attach it to the node instance role. To restrict the permissions and attach it only to the VPC CNI pods, we follow https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html to configure IRSA, but it is ignored by eksctl.
Hello DawnElixir :wave: Thank you for opening an issue in the eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website.
What were you trying to accomplish?
Create VPC CNI addon with IRSA following https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html
Seems the issue is due to this commit: https://github.com/eksctl-io/eksctl/blame/3cbd926a42beddb0398a02ae36e2202674188a9e/pkg/actions/addon/create.go#L65
Versions

eksctl version: 0.183.0
kubectl version: v1.29.0-eks-5e0fdde
OS: linux
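A post-deployment check for the least-privilege concern raised under "Anything else we need to know?" (an added example, not code from the issue or from eksctl): it takes the JSON that `kubectl -n kube-system get sa aws-node -o json` and `aws iam list-attached-role-policies --role-name <node-role>` return and reports whether AmazonEKS_CNI_Policy is scoped to the aws-node service account through IRSA or is still granted to every pod on the node through the instance role. The sample documents and the role ARN in them are constructed for this example.

```python
"""Check whether the VPC CNI's IAM permissions are scoped via IRSA or
granted broadly through the node instance role (the silent-ignore case
reported above leaves the cluster in the second state)."""
import json

CNI_POLICY_SUFFIX = ":policy/AmazonEKS_CNI_Policy"
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # annotation IRSA sets on a ServiceAccount

# Constructed sample: aws-node has no IRSA annotation (eksctl ignored the
# addon-level IAM config) and the node role still carries the CNI policy.
SA_AFTER_BUG = json.dumps({"kind": "ServiceAccount", "metadata": {
    "name": "aws-node", "namespace": "kube-system", "annotations": {}}})
NODE_ROLE_POLICIES_AFTER_BUG = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AmazonEKSWorkerNodePolicy",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"},
    {"PolicyName": "AmazonEKS_CNI_Policy",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}]})

# Constructed sample of the intended end state: a dedicated pod role via
# IRSA (example account id and role name) and a node role without the policy.
SA_WITH_IRSA = json.dumps({"kind": "ServiceAccount", "metadata": {
    "name": "aws-node", "namespace": "kube-system",
    "annotations": {IRSA_ANNOTATION: "arn:aws:iam::111122223333:role/example-cni-role"}}})
NODE_ROLE_POLICIES_SCOPED = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AmazonEKSWorkerNodePolicy",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"}]})


def check_cni_least_privilege(sa_json: str, node_role_policies_json: str) -> dict:
    """Return the IRSA role on aws-node (if any), whether the node role still
    grants the CNI policy, and whether least privilege therefore holds."""
    sa = json.loads(sa_json)
    annotations = sa.get("metadata", {}).get("annotations") or {}
    irsa_role = annotations.get(IRSA_ANNOTATION)
    attached = json.loads(node_role_policies_json).get("AttachedPolicies", [])
    cni_on_node_role = any(p.get("PolicyArn", "").endswith(CNI_POLICY_SUFFIX) for p in attached)
    return {
        "irsa_role_arn": irsa_role,
        "cni_policy_on_node_role": cni_on_node_role,
        # Scoped only when the pod has its own role AND the broad grant is gone.
        "least_privilege": irsa_role is not None and not cni_on_node_role,
    }


if __name__ == "__main__":
    print("after bug:", check_cni_least_privilege(SA_AFTER_BUG, NODE_ROLE_POLICIES_AFTER_BUG))
    print("scoped:   ", check_cni_least_privilege(SA_WITH_IRSA, NODE_ROLE_POLICIES_SCOPED))
```

Run it against real output by piping the two commands above into the function; a result with no `irsa_role_arn` after applying the config from this issue confirms the IAM block was dropped rather than applied.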