vmware-tanzu / tanzu-framework

Tanzu Framework provides a set of building blocks to build atop of the Tanzu platform and leverages Carvel packaging and plugins to provide users with a much stronger, more integrated experience than the loose coupling and stand-alone commands of the previous generation of tools.
Apache License 2.0

Extend the IAM permissions of cluster nodes. #1240

Open sfzylad opened 2 years ago

sfzylad commented 2 years ago


Describe the feature request

CAPA creates IAM roles and policies for cluster nodes. The nodes.cluster-api-provider-aws.sigs.k8s.io role is attached to the worker nodes and the control-plane.cluster-api-provider-aws.sigs.k8s.io role is attached to the control plane nodes.

They all run an SSM agent that allows SSM Session Manager access to the nodes without using a jump box. However, they don't contain enough permissions to execute SSM documents. The following permissions are missing and should be added to the aforementioned roles:

Describe alternatives you've considered

The only other option is to make these changes manually. However, they will be wiped out after the next clusterawsadm run.


blc1996 commented 2 years ago

Hi @saimanoj01 @vuil , could you help take a look?