extraStatements in the eks fargate config for clusterawsadm is being ignored #4893

Open
ymgyt opened this issue Mar 25, 2024 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

ymgyt commented Mar 25, 2024

/kind bug

What steps did you take and what happened:

When using clusterawsadm, policies defined in extraStatements are ignored.

Configuration to reproduce:

apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSIAMConfiguration
spec:
  region: ap-northeast-1
  eks:
    iamRoleCreation: false
    managedMachinePool:
      disable: false
    fargate:
      disable: false
      # https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/daaa1e12a8065329a5f8f2d10c207b7b739d9538/iam/api/v1beta1/types.go#L92
      extraStatements:
        # Allow fargate podexecution role to write cw logs
        - Sid: AllowWriteCWLogs
          Effect: "Allow"
          Actions: ["logs:CreateLogStream", "logs:CreateLogGroup", "logs:DescribeLogStreams", "logs:PutLogEvents"]
          Resources: "*"

What did you expect to happen:

The statement defined in extraStatements is added to the IAM Role.

Anything else you would like to add:

Related issues

It might be necessary to consider the extraStatement here.

if roleSpec.ExtraPolicyAttachments != nil {

Environment:

  • Cluster-api-provider-aws version:
clusterawsadm version
clusterawsadm version: &version.Info{Major:"2", Minor:"2", GitVersion:"v2.2.4", GitCommit:"56c9a39dd834640ee4a027e679ad2a5757098dfd", GitTreeState:"clean", BuildDate:"2023-10-05T09:43:40Z", GoVersion:"go1.21.0", AwsSdkVersion:"v1.44.213", Compiler:"gc", Platform:"darwin/arm64"}
  • Kubernetes version: (use kubectl version):
Client Version: v1.28.4
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.1-eks-508b6b3
  • OS (e.g. from /etc/os-release):
name: Darwin
os_version: 14.2.1
kernel_version: 23.2.0
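
A check for the expected behaviour in this report, as an added example that is not part of the original issue or the project's code: it compares the extraStatements entry from the configuration above with a role policy document in IAM JSON form and returns the Sids that are not granted. The two policy documents are constructed samples, and matching is literal (wildcards in the policy are not expanded).

```python
import json

# The statement from the issue's extraStatements block, keyed as written there.
EXPECTED = [{
    "Sid": "AllowWriteCWLogs",
    "Effect": "Allow",
    "Actions": ["logs:CreateLogStream", "logs:CreateLogGroup",
                "logs:DescribeLogStreams", "logs:PutLogEvents"],
    "Resources": "*",
}]

# Constructed sample policy documents; the BASE action is a placeholder.
BASE = {"Effect": "Allow", "Action": "example:Placeholder", "Resource": "*"}
EXTRA = {"Sid": "AllowWriteCWLogs", "Effect": "Allow",
         "Action": EXPECTED[0]["Actions"], "Resource": ["*"]}
POLICY_WITHOUT = json.dumps({"Version": "2012-10-17", "Statement": BASE})
POLICY_WITH = json.dumps({"Version": "2012-10-17", "Statement": [BASE, EXTRA]})

def _as_set(value, lower=False):
    """IAM accepts a bare string or a list; normalise both to a frozenset."""
    if value is None:
        return frozenset()
    items = [value] if isinstance(value, str) else list(value)
    return frozenset(i.lower() if lower else i for i in items)

def _normalise(stmt):
    """Accept Action/Resource (IAM JSON) and Actions/Resources (the config)."""
    return (
        stmt.get("Effect"),
        _as_set(stmt.get("Action", stmt.get("Actions")), lower=True),
        _as_set(stmt.get("Resource", stmt.get("Resources"))),
    )

def missing_statements(expected, policy_json):
    """Return Sids of expected statements with no literal match in the policy."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):  # a single statement written without a list
        stmts = [stmts]
    present = [_normalise(s) for s in stmts]
    missing = []
    for want in expected:
        effect, actions, resources = _normalise(want)
        if not any(e == effect and actions <= a and resources <= r
                   for e, a, r in present):
            missing.append(want.get("Sid", "<no Sid>"))
    return missing
```
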
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 25, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If CAPA/CAPI contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
