Support setting role path and permissions boundary for EKS control pl…

…ane, EKS fargate profile, and managed machine pools Signed-off-by: Robin Ketelbuters <[email protected]>
kubernetes-sigs · Jan 29, 2025 · 4078bd9 · 4078bd9
1 parent 07a93a5
commit 4078bd9
Show file tree

Hide file tree

Showing 16 changed files with 231 additions and 3 deletions.
diff --git a/cmd/clusterawsadm/api/bootstrap/v1alpha1/types.go b/cmd/clusterawsadm/api/bootstrap/v1alpha1/types.go
@@ -83,6 +83,12 @@ type AWSIAMRoleSpec struct {
 	// ExtraStatements are additional IAM statements to be included inline for the role.
 	ExtraStatements []iamv1.StatementEntry `json:"extraStatements,omitempty"`
 
+	// Path sets the path to the role.
+	Path string `json:"path,omitempty"`
+
+	// PermissionsBoundary sets the ARN of the managed policy that is used to set the permissions boundary for the role.
+	PermissionsBoundary string `json:"permissionsBoundary,omitempty"`
+
 	// TrustStatements is an IAM PolicyDocument defining what identities are allowed to assume this role.
 	// See "sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/api/iam/v1beta1" for more documentation.
 	TrustStatements []iamv1.StatementEntry `json:"trustStatements,omitempty"`

diff --git a/cmd/clusterawsadm/api/bootstrap/v1alpha1/zz_generated.conversion.go b/cmd/clusterawsadm/api/bootstrap/v1alpha1/zz_generated.conversion.go
diff --git a/cmd/clusterawsadm/api/bootstrap/v1beta1/types.go b/cmd/clusterawsadm/api/bootstrap/v1beta1/types.go
@@ -83,6 +83,12 @@ type AWSIAMRoleSpec struct {
 	// ExtraStatements are additional IAM statements to be included inline for the role.
 	ExtraStatements []iamv1.StatementEntry `json:"extraStatements,omitempty"`
 
+	// Path sets the path to the role.
+	Path string `json:"path,omitempty"`
+
+	// PermissionsBoundary sets the ARN of the managed policy that is used to set the permissions boundary for the role.
+	PermissionsBoundary string `json:"permissionsBoundary,omitempty"`
+
 	// TrustStatements is an IAM PolicyDocument defining what identities are allowed to assume this role.
 	// See "sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/api/iam/v1beta1" for more documentation.
 	TrustStatements []iamv1.StatementEntry `json:"trustStatements,omitempty"`

diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/template.go b/cmd/clusterawsadm/cloudformation/bootstrap/template.go
@@ -138,24 +138,30 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 
 	template.Resources[AWSIAMRoleControlPlane] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("control-plane"),
+		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.controlPlaneTrustPolicy(),
 		ManagedPolicyArns:        t.Spec.ControlPlane.ExtraPolicyAttachments,
 		Policies:                 t.controlPlanePolicies(),
+		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ControlPlane.Tags),
 	}
 
 	template.Resources[AWSIAMRoleControllers] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("controllers"),
+		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.controllersTrustPolicy(),
 		Policies:                 t.controllersRolePolicy(),
+		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ClusterAPIControllers.Tags),
 	}
 
 	template.Resources[AWSIAMRoleNodes] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("nodes"),
+		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.nodeTrustPolicy(),
 		ManagedPolicyArns:        t.nodeManagedPolicies(),
 		Policies:                 t.nodePolicies(),
+		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.Nodes.Tags),
 	}
 

diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -2913,6 +2913,30 @@ spec:
                   and no name is supplied then a role is created.
                 minLength: 2
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               secondaryCidrBlock:
                 description: |-
                   SecondaryCidrBlock is the additional CIDR range to use for pod IPs.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsfargateprofiles.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsfargateprofiles.yaml
@@ -78,6 +78,30 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               selectors:
                 description: Selectors specify fargate pod selectors.
                 items:
@@ -264,6 +288,30 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               selectors:
                 description: Selectors specify fargate pod selectors.
                 items:

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml
@@ -921,6 +921,30 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               scaling:
                 description: Scaling specifies scaling for the ASG behind this pool
                 properties:

diff --git a/controlplane/eks/api/v1beta1/zz_generated.conversion.go b/controlplane/eks/api/v1beta1/zz_generated.conversion.go
diff --git a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go
@@ -88,6 +88,28 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	RoleAdditionalPolicies *[]string `json:"roleAdditionalPolicies,omitempty"`
 
+	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+	// in the IAM User Guide.
+	//
+	// This parameter is optional. If it is not included, it defaults to a slash
+	// (/).
+	RolePath *string `json:"rolePath,omitempty"`
+
+	// RolePermissionsBoundary sets the ARN of the managed policy that is used
+	// to set the permissions boundary for the role.
+	//
+	// A permissions boundary policy defines the maximum permissions that identity-based
+	// policies can grant to an entity, but does not grant permissions. Permissions
+	// boundaries do not define the maximum permissions that a resource-based policy
+	// can grant to an entity. To learn more, see Permissions boundaries for IAM
+	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+	// in the IAM User Guide.
+	//
+	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+	// in the IAM User Guide.
+	RolePermissionsBoundary *string `json:"rolePermissionsBoundary,omitempty"`
+
 	// Logging specifies which EKS Cluster logs should be enabled. Entries for
 	// each of the enabled logs will be sent to CloudWatch
 	// +optional

diff --git a/controlplane/eks/api/v1beta2/zz_generated.deepcopy.go b/controlplane/eks/api/v1beta2/zz_generated.deepcopy.go
diff --git a/exp/api/v1beta1/awsfargateprofile_types.go b/exp/api/v1beta1/awsfargateprofile_types.go
@@ -60,6 +60,28 @@ type FargateProfileSpec struct {
 	// +optional
 	RoleName string `json:"roleName,omitempty"`
 
+	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+	// in the IAM User Guide.
+	//
+	// This parameter is optional. If it is not included, it defaults to a slash
+	// (/).
+	RolePath string `json:"rolePath,omitempty"`
+
+	// RolePermissionsBoundary sets the ARN of the managed policy that is used
+	// to set the permissions boundary for the role.
+	//
+	// A permissions boundary policy defines the maximum permissions that identity-based
+	// policies can grant to an entity, but does not grant permissions. Permissions
+	// boundaries do not define the maximum permissions that a resource-based policy
+	// can grant to an entity. To learn more, see Permissions boundaries for IAM
+	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+	// in the IAM User Guide.
+	//
+	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+	// in the IAM User Guide.
+	RolePermissionsBoundary string `json:"rolePermissionsBoundary,omitempty"`
+
 	// Selectors specify fargate pod selectors.
 	Selectors []FargateSelector `json:"selectors,omitempty"`
 }

diff --git a/exp/api/v1beta1/zz_generated.conversion.go b/exp/api/v1beta1/zz_generated.conversion.go
diff --git a/exp/api/v1beta2/awsfargateprofile_types.go b/exp/api/v1beta2/awsfargateprofile_types.go
@@ -60,6 +60,28 @@ type FargateProfileSpec struct {
 	// +optional
 	RoleName string `json:"roleName,omitempty"`
 
+	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+	// in the IAM User Guide.
+	//
+	// This parameter is optional. If it is not included, it defaults to a slash
+	// (/).
+	RolePath string `json:"rolePath,omitempty"`
+
+	// RolePermissionsBoundary sets the ARN of the managed policy that is used
+	// to set the permissions boundary for the role.
+	//
+	// A permissions boundary policy defines the maximum permissions that identity-based
+	// policies can grant to an entity, but does not grant permissions. Permissions
+	// boundaries do not define the maximum permissions that a resource-based policy
+	// can grant to an entity. To learn more, see Permissions boundaries for IAM
+	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+	// in the IAM User Guide.
+	//
+	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+	// in the IAM User Guide.
+	RolePermissionsBoundary string `json:"rolePermissionsBoundary,omitempty"`
+
 	// Selectors specify fargate pod selectors.
 	Selectors []FargateSelector `json:"selectors,omitempty"`
 }

diff --git a/exp/api/v1beta2/awsmanagedmachinepool_types.go b/exp/api/v1beta2/awsmanagedmachinepool_types.go
@@ -100,6 +100,28 @@ type AWSManagedMachinePoolSpec struct {
 	// +optional
 	RoleName string `json:"roleName,omitempty"`
 
+	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+	// in the IAM User Guide.
+	//
+	// This parameter is optional. If it is not included, it defaults to a slash
+	// (/).
+	RolePath string `json:"rolePath,omitempty"`
+
+	// RolePermissionsBoundary sets the ARN of the managed policy that is used
+	// to set the permissions boundary for the role.
+	//
+	// A permissions boundary policy defines the maximum permissions that identity-based
+	// policies can grant to an entity, but does not grant permissions. Permissions
+	// boundaries do not define the maximum permissions that a resource-based policy
+	// can grant to an entity. To learn more, see Permissions boundaries for IAM
+	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+	// in the IAM User Guide.
+	//
+	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+	// in the IAM User Guide.
+	RolePermissionsBoundary string `json:"rolePermissionsBoundary,omitempty"`
+
 	// AMIVersion defines the desired AMI release version. If no version number
 	// is supplied then the latest version for the Kubernetes version
 	// will be used