AWS Karpenter Policy
{ | |
"Statement": [ | |
{ | |
"Action": [ | |
"ec2:RunInstances", | |
"ec2:CreateFleet" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"arn:aws:ec2:${AWS_REGION}::image/*", | |
"arn:aws:ec2:${AWS_REGION}::snapshot/*", | |
"arn:aws:ec2:${AWS_REGION}:*:spot-instances-request/*", | |
"arn:aws:ec2:${AWS_REGION}:*:security-group/*", | |
"arn:aws:ec2:${AWS_REGION}:*:subnet/*", | |
"arn:aws:ec2:${AWS_REGION}:*:launch-template/*" | |
], | |
"Sid": "AllowScopedEC2InstanceActions" | |
}, | |
{ | |
"Action": [ | |
"ec2:RunInstances", | |
"ec2:CreateFleet", | |
"ec2:CreateLaunchTemplate" | |
], | |
"Condition": { | |
"StringEquals": { | |
"aws:RequestTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned" | |
}, | |
"StringLike": { | |
"aws:RequestTag/karpenter.sh/nodepool": "*" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": [ | |
"arn:aws:ec2:${AWS_REGION}:*:fleet/*", | |
"arn:aws:ec2:${AWS_REGION}:*:instance/*", | |
"arn:aws:ec2:${AWS_REGION}:*:volume/*", | |
"arn:aws:ec2:${AWS_REGION}:*:network-interface/*", | |
"arn:aws:ec2:${AWS_REGION}:*:launch-template/*" | |
], | |
"Sid": "AllowScopedEC2InstanceActionsWithTags" | |
}, | |
{ | |
"Action": "ec2:CreateTags", | |
"Condition": { | |
"StringEquals": { | |
"aws:RequestTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned", | |
"ec2:CreateAction": [ | |
"RunInstances", | |
"CreateFleet", | |
"CreateLaunchTemplate" | |
] | |
}, | |
"StringLike": { | |
"aws:RequestTag/karpenter.sh/nodepool": "*" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": [ | |
"arn:aws:ec2:${AWS_REGION}:*:fleet/*", | |
"arn:aws:ec2:${AWS_REGION}:*:instance/*", | |
"arn:aws:ec2:${AWS_REGION}:*:volume/*", | |
"arn:aws:ec2:${AWS_REGION}:*:network-interface/*", | |
"arn:aws:ec2:${AWS_REGION}:*:launch-template/*" | |
], | |
"Sid": "AllowScopedResourceCreationTagging" | |
}, | |
{ | |
"Action": "ec2:CreateTags", | |
"Condition": { | |
"ForAllValues:StringEquals": { | |
"aws:TagKeys": [ | |
"karpenter.sh/nodeclaim", | |
"Name" | |
] | |
}, | |
"StringEquals": { | |
"aws:ResourceTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned" | |
}, | |
"StringLike": { | |
"aws:ResourceTag/karpenter.sh/nodepool": "*" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": "arn:aws:ec2:${AWS_REGION}:*:instance/*", | |
"Sid": "AllowScopedResourceTagging" | |
}, | |
{ | |
"Action": [ | |
"ec2:TerminateInstances", | |
"ec2:DeleteLaunchTemplate" | |
], | |
"Condition": { | |
"StringEquals": { | |
"aws:ResourceTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned" | |
}, | |
"StringLike": { | |
"aws:ResourceTag/karpenter.sh/nodepool": "*" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": [ | |
"arn:aws:ec2:${AWS_REGION}:*:instance/*", | |
"arn:aws:ec2:${AWS_REGION}:*:launch-template/*" | |
], | |
"Sid": "AllowScopedDeletion" | |
}, | |
{ | |
"Action": [ | |
"ec2:DescribeAvailabilityZones", | |
"ec2:DescribeImages", | |
"ec2:DescribeInstances", | |
"ec2:DescribeInstanceTypeOfferings", | |
"ec2:DescribeInstanceTypes", | |
"ec2:DescribeLaunchTemplates", | |
"ec2:DescribeSecurityGroups", | |
"ec2:DescribeSpotPriceHistory", | |
"ec2:DescribeSubnets" | |
], | |
"Condition": { | |
"StringEquals": { | |
"aws:RequestedRegion": "${AWS_REGION}" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": "*", | |
"Sid": "AllowRegionalReadActions" | |
}, | |
{ | |
"Action": "ssm:GetParameter", | |
"Effect": "Allow", | |
"Resource": "arn:aws:ssm:${AWS_REGION}::parameter/aws/service/*", | |
"Sid": "AllowSSMReadActions" | |
}, | |
{ | |
"Action": "pricing:GetProducts", | |
"Effect": "Allow", | |
"Resource": "*", | |
"Sid": "AllowPricingReadActions" | |
}, | |
{ | |
"Action": [ | |
"sqs:DeleteMessage", | |
"sqs:GetQueueAttributes", | |
"sqs:GetQueueUrl", | |
"sqs:ReceiveMessage" | |
], | |
"Effect": "Allow", | |
"Resource": "arn:aws:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:karpenter-interruption-queue", | |
"Sid": "AllowInterruptionQueueActions" | |
}, | |
{ | |
"Action": "iam:PassRole", | |
"Condition": { | |
"StringEquals": { | |
"iam:PassedToService": "ec2.amazonaws.com" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${EKS_CLUSTER_NAME}", | |
"Sid": "AllowPassingInstanceRole" | |
}, | |
{ | |
"Action": [ | |
"iam:CreateInstanceProfile" | |
], | |
"Condition": { | |
"StringEquals": { | |
"aws:RequestTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned", | |
"aws:RequestTag/topology.kubernetes.io/region": "${AWS_REGION}" | |
}, | |
"StringLike": { | |
"aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": "*", | |
"Sid": "AllowScopedInstanceProfileCreationActions" | |
}, | |
{ | |
"Action": [ | |
"iam:TagInstanceProfile" | |
], | |
"Condition": { | |
"StringEquals": { | |
"aws:RequestTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned", | |
"aws:RequestTag/topology.kubernetes.io/region": "${AWS_REGION}", | |
"aws:ResourceTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned", | |
"aws:ResourceTag/topology.kubernetes.io/region": "${AWS_REGION}" | |
}, | |
"StringLike": { | |
"aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*", | |
"aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": "*", | |
"Sid": "AllowScopedInstanceProfileTagActions" | |
}, | |
{ | |
"Action": [ | |
"iam:AddRoleToInstanceProfile", | |
"iam:RemoveRoleFromInstanceProfile", | |
"iam:DeleteInstanceProfile" | |
], | |
"Condition": { | |
"StringEquals": { | |
"aws:ResourceTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned", | |
"aws:ResourceTag/topology.kubernetes.io/region": "${AWS_REGION}" | |
}, | |
"StringLike": { | |
"aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*" | |
} | |
}, | |
"Effect": "Allow", | |
"Resource": "*", | |
"Sid": "AllowScopedInstanceProfileActions" | |
}, | |
{ | |
"Action": "iam:GetInstanceProfile", | |
"Effect": "Allow", | |
"Resource": "*", | |
"Sid": "AllowInstanceProfileReadActions" | |
}, | |
{ | |
"Action": "eks:DescribeCluster", | |
"Effect": "Allow", | |
"Resource": "arn:aws:eks:${AWS_REGION}:${AWS_ACCOUNT_ID}:cluster/${EKS_CLUSTER_NAME}", | |
"Sid": "AllowAPIServerEndpointDiscovery" | |
} | |
], | |
"Version": "2012-10-17" | |
} |