kube-aws / kube-spot-termination-notice-handler

A Kubernetes DaemonSet to gracefully delete pods 2 minutes before an EC2 Spot Instance gets terminated
Apache License 2.0

[Question] Support IAM roles for service accounts? What are the required IAM policies? #39

Closed dogzzdogzz closed 3 years ago

dogzzdogzz commented 4 years ago

Hi,

We removed most of the IAM policy from the instance role of the worker nodes since EKS supports IAM roles for service accounts, and some apps like cluster-autoscaler already support it.

But we got the error log below:

[k8s-spot-termination-handler] An error occurred (AccessDenied) when calling the DescribeAutoScalingInstances operation: User: arn:aws:sts::xxxxx:assumed-role/sxxxx/i-xxxx is not authorized to perform: autoscaling:DescribeAutoScalingInstances

I think this is because we turned on the ASG detach feature, so I'm wondering if spot-termination-handler supports IAM roles for service accounts? If not, what are the minimum required IAM policies for it, so I can add them back to the instance role? It would be appreciated if you could document this in the README.

Thanks.

fliphess commented 3 years ago

The policy I use is:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Action": [
          "autoscaling:DescribeAutoScalingInstances",
          "autoscaling:DetachInstances"
        ],
        "Resource": "*"
      }
    ]
  }
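The policy above grants exactly the two autoscaling actions the AccessDenied error and the detach feature call for. The following is an added example, not code from the kube-spot-termination-notice-handler project or from either commenter, that checks an IAM policy document locally against those two required actions: it reports required actions the policy does not allow, and allowed actions it does not need (for instance when a broad `autoscaling:*` grant is used instead). The policy evaluation is a deliberate simplification (explicit Deny wins, `*`/`?` wildcards in `Action`, no Condition or NotAction handling), and the extra autoscaling action names used to probe for over-grants are constructed sample input.

```python
"""Check an IAM policy document against the actions a workload needs.

Added example, not part of the kube-spot-termination-notice-handler project.
Simplified IAM semantics: a matching Deny overrides every Allow; Allow
statements may use '*' and '?' wildcards in Action; Condition, NotAction and
NotResource are not modelled. Resource is not evaluated, since the thread's
policy uses "*".
"""
import fnmatch
import json

# The two actions the handler needs when the ASG detach feature is on,
# taken from the AccessDenied error and the policy posted in the thread.
REQUIRED_ACTIONS = (
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DetachInstances",
)

# Constructed sample: other autoscaling actions used to detect over-grants.
PROBE_ACTIONS = (
    "autoscaling:TerminateInstanceInAutoScalingGroup",
    "autoscaling:UpdateAutoScalingGroup",
    "autoscaling:DeleteAutoScalingGroup",
)

# The least-privilege policy from the thread, embedded as sample input.
MINIMAL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DetachInstances"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Constructed sample: the over-broad grant this check is meant to flag.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "autoscaling:*", "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM allows Action to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Return True if the policy allows `action` (Deny beats Allow)."""
    decision = False
    for stmt in policy.get("Statement", []):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            decision = True
    return decision


def check_policy(policy, required=REQUIRED_ACTIONS, probes=PROBE_ACTIONS):
    """Return required actions that are missing and probe actions that are
    allowed without being required (excess privilege)."""
    missing = [a for a in required if not is_allowed(policy, a)]
    excess = [a for a in probes if a not in required and is_allowed(policy, a)]
    return {"missing": missing, "excess": excess}


if __name__ == "__main__":
    for name, pol in (("minimal", MINIMAL_POLICY), ("broad", BROAD_POLICY)):
        print(name, json.dumps(check_policy(pol), indent=2))
```

Run it against the JSON you attach to the instance role (or to the role a service account assumes) before removing broader policies: an empty `missing` list means the handler's two calls will be authorized, and a non-empty `excess` list points at permissions the handler does not need.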