Closed jmgalvez closed 2 months ago
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue was automatically closed because it was stale for 10 days.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
This issue has been resolved in version 5.42.0 :tada:
Description
Submodule: iam-role-for-service-accounts-eks
The VPC CNI Policy in https://github.com/terraform-aws-modules/terraform-aws-iam/blob/v5.39.0/modules/iam-role-for-service-accounts-eks/policies.tf is missing some permissions when AWS VPC CNI Network Policy logs are enabled.
When network policy is enabled on the VPC CNI add-on, a second container is added to the `aws-node` pod for a node agent. This node agent can send the network policy logs to CloudWatch Logs. With the current configuration, `aws-node` is in a CrashLoopBackOff state because that container does not have the right permissions related to CloudWatch Logs.
Versions
Module version: 5.39.0
Terraform version: 1.8.2
Provider version(s): 5.48.0
Reproduction Code
I am creating the EKS cluster by using the AWS EKS Terraform module 20.8.5. When setting up the cluster addons I am enabling the Network Policy and the Network Policy logs as we can see below:
The IRSA role is created by using the submodule iam-role-for-service-accounts-eks in this repo.
Expected behavior
It would be nice to add those permissions to the policy file.
Based on https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-setup the following permissions should be added
Actual behavior
`aws-node` is in a CrashLoopBackOff state because that policy does not have the right permissions related to CloudWatch Logs.
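As an added example (not code from this issue or from the terraform-aws-iam module), the following Terraform attaches a separate policy carrying the CloudWatch Logs actions that the linked AWS EKS network policy setup page lists for the node agent (`logs:DescribeLogGroups`, `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`) to the `aws-node` IRSA role. The variable names `aws_node_role_name` and `network_policy_log_group_arn` are assumptions for illustration; the upstream doc grants these actions on `"*"`, while this version scopes the write actions to one log group.

```hcl
# Added example, not the module's own code. Grants the CloudWatch Logs
# permissions the VPC CNI network policy node agent needs, scoped where
# the API allows it. Both variables below are assumed names.

variable "aws_node_role_name" {
  description = "Name of the IRSA role used by the aws-node service account (assumed)"
  type        = string
}

variable "network_policy_log_group_arn" {
  description = "ARN of the CloudWatch log group that receives network policy logs (assumed)"
  type        = string
}

data "aws_iam_policy_document" "vpc_cni_network_policy_logs" {
  # logs:DescribeLogGroups does not support resource-level permissions,
  # so "*" is required for this single read-only action.
  statement {
    sid       = "DescribeLogGroups"
    effect    = "Allow"
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }

  # Write actions are limited to the one log group (and the log streams
  # inside it) instead of "*", so a compromised node agent cannot write
  # to or create arbitrary log groups in the account.
  statement {
    sid    = "WriteNetworkPolicyLogs"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = [
      var.network_policy_log_group_arn,
      "${var.network_policy_log_group_arn}:*", # log streams within the group
    ]
  }
}

resource "aws_iam_policy" "vpc_cni_network_policy_logs" {
  name_prefix = "vpc-cni-network-policy-logs-"
  policy      = data.aws_iam_policy_document.vpc_cni_network_policy_logs.json
}

# Attach to the existing IRSA role rather than rebuilding it, so the
# module-managed VPC CNI policy stays untouched.
resource "aws_iam_role_policy_attachment" "vpc_cni_network_policy_logs" {
  role       = var.aws_node_role_name
  policy_arn = aws_iam_policy.vpc_cni_network_policy_logs.arn
}
```

After applying, a quick check is that the `aws-node` pod's node agent container leaves CrashLoopBackOff and log streams appear in the named log group; if the agent is configured to create its own log group, the group ARN passed in must match the name it uses, otherwise `logs:CreateLogGroup` will still be denied for the group it actually asks for.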