@stazdx
Last active April 17, 2024 08:13
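AWS Karpenter Policy (IAM policy template for the Karpenter controller; substitute the ${AWS_REGION}, ${AWS_ACCOUNT_ID} and ${EKS_CLUSTER_NAME} placeholders with real values before attaching it)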
{
"Statement": [
{
"Action": [
"ec2:RunInstances",
"ec2:CreateFleet"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:${AWS_REGION}::image/*",
"arn:aws:ec2:${AWS_REGION}::snapshot/*",
"arn:aws:ec2:${AWS_REGION}:*:spot-instances-request/*",
"arn:aws:ec2:${AWS_REGION}:*:security-group/*",
"arn:aws:ec2:${AWS_REGION}:*:subnet/*",
"arn:aws:ec2:${AWS_REGION}:*:launch-template/*"
],
"Sid": "AllowScopedEC2InstanceActions"
},
{
"Action": [
"ec2:RunInstances",
"ec2:CreateFleet",
"ec2:CreateLaunchTemplate"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned"
},
"StringLike": {
"aws:RequestTag/karpenter.sh/nodepool": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:${AWS_REGION}:*:fleet/*",
"arn:aws:ec2:${AWS_REGION}:*:instance/*",
"arn:aws:ec2:${AWS_REGION}:*:volume/*",
"arn:aws:ec2:${AWS_REGION}:*:network-interface/*",
"arn:aws:ec2:${AWS_REGION}:*:launch-template/*"
],
"Sid": "AllowScopedEC2InstanceActionsWithTags"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"aws:RequestTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned",
"ec2:CreateAction": [
"RunInstances",
"CreateFleet",
"CreateLaunchTemplate"
]
},
"StringLike": {
"aws:RequestTag/karpenter.sh/nodepool": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:${AWS_REGION}:*:fleet/*",
"arn:aws:ec2:${AWS_REGION}:*:instance/*",
"arn:aws:ec2:${AWS_REGION}:*:volume/*",
"arn:aws:ec2:${AWS_REGION}:*:network-interface/*",
"arn:aws:ec2:${AWS_REGION}:*:launch-template/*"
],
"Sid": "AllowScopedResourceCreationTagging"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"karpenter.sh/nodeclaim",
"Name"
]
},
"StringEquals": {
"aws:ResourceTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned"
},
"StringLike": {
"aws:ResourceTag/karpenter.sh/nodepool": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:${AWS_REGION}:*:instance/*",
"Sid": "AllowScopedResourceTagging"
},
{
"Action": [
"ec2:TerminateInstances",
"ec2:DeleteLaunchTemplate"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned"
},
"StringLike": {
"aws:ResourceTag/karpenter.sh/nodepool": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:${AWS_REGION}:*:instance/*",
"arn:aws:ec2:${AWS_REGION}:*:launch-template/*"
],
"Sid": "AllowScopedDeletion"
},
{
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeSubnets"
],
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "${AWS_REGION}"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowRegionalReadActions"
},
{
"Action": "ssm:GetParameter",
"Effect": "Allow",
"Resource": "arn:aws:ssm:${AWS_REGION}::parameter/aws/service/*",
"Sid": "AllowSSMReadActions"
},
{
"Action": "pricing:GetProducts",
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowPricingReadActions"
},
{
"Action": [
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ReceiveMessage"
],
"Effect": "Allow",
"Resource": "arn:aws:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:karpenter-interruption-queue",
"Sid": "AllowInterruptionQueueActions"
},
{
"Action": "iam:PassRole",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${EKS_CLUSTER_NAME}",
"Sid": "AllowPassingInstanceRole"
},
{
"Action": [
"iam:CreateInstanceProfile"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned",
"aws:RequestTag/topology.kubernetes.io/region": "${AWS_REGION}"
},
"StringLike": {
"aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowScopedInstanceProfileCreationActions"
},
{
"Action": [
"iam:TagInstanceProfile"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned",
"aws:RequestTag/topology.kubernetes.io/region": "${AWS_REGION}",
"aws:ResourceTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned",
"aws:ResourceTag/topology.kubernetes.io/region": "${AWS_REGION}"
},
"StringLike": {
"aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*",
"aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowScopedInstanceProfileTagActions"
},
{
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/kubernetes.io/cluster/${EKS_CLUSTER_NAME}": "owned",
"aws:ResourceTag/topology.kubernetes.io/region": "${AWS_REGION}"
},
"StringLike": {
"aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowScopedInstanceProfileActions"
},
{
"Action": "iam:GetInstanceProfile",
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowInstanceProfileReadActions"
},
{
"Action": "eks:DescribeCluster",
"Effect": "Allow",
"Resource": "arn:aws:eks:${AWS_REGION}:${AWS_ACCOUNT_ID}:cluster/${EKS_CLUSTER_NAME}",
"Sid": "AllowAPIServerEndpointDiscovery"
}
],
"Version": "2012-10-17"
}