Add new EKS permissions as found by `clusterawsadm bootstrap iam prin…

…t-policy --document AWSIAMManagedPolicyControllersEKS` (#89)

CHANGELOG.md

@@ -9,14 +9,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
-- Add `S3` permission for CAPA polices in order to run on Flatcar.
-- Remove not existing IAM actions.
-- Add `EKS` permission for managed node pools.
+- Add S3 permission for CAPA polices in order to run on Flatcar.
+- Remove non-existent IAM actions.
 
 ### Added
 
 - Add `s3:PutBucketOwnershipControls` to irsa policy. Needed because of [this change](https://github.com/giantswarm/irsa-operator/commit/2437798672c74cfae15162a561629c6565dbee41) in irsa-operator
 - Add `"ec2:DescribeInstanceTypes"` to the CAPA controller policy, as it's required by newest CAPA releases.
+- Add EKS permissions for managed node pools, encryption/identity provider configs, CIDR blocks, KMS.
 
 ## [3.3.0] - 2023-05-11
 

capa-controller-role/eks-controller-policy.json

@@ -1,6 +1,15 @@
 {
     "Version": "2012-10-17",
     "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ssm:GetParameter"
+            ],
+            "Resource": [
+                "arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*"
+            ]
+        },
         {
             "Effect": "Allow",
             "Action": [
@@ -15,15 +24,6 @@
                 }
             }
         },
-	{
-            "Effect": "Allow",
-            "Action": [
-                "ssm:GetParameter"
-            ],
-            "Resource": [
-                "arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*"
-            ]
-        },
         {
             "Effect": "Allow",
             "Action": [
@@ -52,13 +52,23 @@
                 }
             }
         },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "iam:ListAttachedRolePolicies"
+            ],
+            "Resource": [
+                "arn:*:iam::*:role/*"
+            ]
+        },
         {
             "Effect": "Allow",
             "Action": [
                 "iam:GetPolicy"
             ],
             "Resource": [
-		"arn:*:iam::*:policy/AmazonEKSClusterPolicy",
+                "arn:*:iam::*:policy/AmazonEKSClusterPolicy",
                 "arn:*:iam::*:policy/AmazonEKSWorkerNodePolicy",
                 "arn:*:iam::*:policy/AmazonEKS_CNI_Policy",
                 "arn:*:iam::*:policy/AmazonEC2ContainerRegistryReadOnly",
@@ -80,7 +90,12 @@
                 "eks:DescribeNodegroup",
                 "eks:DeleteNodegroup",
                 "eks:UpdateNodegroupConfig",
-                "eks:CreateNodegroup"
+                "eks:CreateNodegroup",
+                "eks:AssociateEncryptionConfig",
+                "eks:ListIdentityProviderConfigs",
+                "eks:AssociateIdentityProviderConfig",
+                "eks:DescribeIdentityProviderConfig",
+                "eks:DisassociateIdentityProviderConfig"
             ],
             "Resource": [
                 "arn:*:eks:*:*:cluster/*",
@@ -90,6 +105,8 @@
         {
             "Effect": "Allow",
             "Action": [
+                "ec2:AssociateVpcCidrBlock",
+                "ec2:DisassociateVpcCidrBlock",
                 "eks:ListAddons",
                 "eks:CreateAddon",
                 "eks:DescribeAddonVersions",
@@ -118,6 +135,21 @@
                     "iam:PassedToService": "eks.amazonaws.com"
                 }
             }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:CreateGrant",
+                "kms:DescribeKey"
+            ],
+            "Resource": [
+                "*"
+            ],
+            "Condition": {
+                "ForAnyValue:StringLike": {
+                    "kms:ResourceAliases": "alias/cluster-api-provider-aws-*"
+                }
+            }
         }
     ]
 }