Add eks:UpdateClusterConfig permission
jonathan-innis committed Oct 17, 2023
1 parent b4d4ea3 commit 4ff3288
Showing 2 changed files with 11 additions and 15 deletions.
13 changes: 4 additions & 9 deletions .github/actions/e2e/create-cluster/action.yaml
Expand Up @@ -113,6 +113,10 @@ runs:
- key: CriticalAddonsOnly
value: "true"
effect: NoSchedule
cloudWatch:
clusterLogging:
enableTypes: ["*"]
logRetentionInDays: 30
iam:
serviceRolePermissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
serviceAccounts:
Expand Down Expand Up @@ -152,8 +156,6 @@ runs:
# We need to call these update iamserviceaccount commands again since the "eksctl upgrade cluster" action
# doesn't handle updates to IAM serviceaccounts correctly when the roles assigned to them change
eksctl update iamserviceaccount -f clusterconfig.yaml --approve
- name: tag oidc provider of the cluster
if: always()
shell: bash
Expand All @@ -162,13 +164,6 @@ runs:
arn="arn:aws:iam::${{ inputs.account_id }}:oidc-provider/${oidc_id}"
aws iam tag-open-id-connect-provider --open-id-connect-provider-arn $arn \
--tags Key=testing/type,Value=e2e Key=github.com/run-url,Value=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
- name: enable control-plane logging for the cluster
shell: bash
run: |
aws eks update-cluster-config \
--region ${{ inputs.region }} \
--name ${{ inputs.cluster_name }} \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
- name: give KarpenterNodeRole permission to bootstrap
shell: bash
run: |
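Review bot: Control-plane logging is now set only through the eksctl `cloudWatch` block added in the first hunk (`enableTypes: ["*"]`, `logRetentionInDays: 30`), whereas the removed `aws eks update-cluster-config` step in the third hunk ran unconditionally on every invocation. Whether the `eksctl upgrade cluster` path referenced by the comment in the second hunk reconciles logging on an already-existing cluster is not visible here; to my knowledge eksctl only applies logging changes to existing clusters via `eksctl utils update-cluster-logging`, so a re-run against an existing cluster could leave api/audit/authenticator logging at its previous setting without any failure. Suggest adding `eksctl utils update-cluster-logging -f clusterconfig.yaml --approve` beside the `eksctl update iamserviceaccount -f clusterconfig.yaml --approve` line, or a comment stating that logging is intentionally configured only at cluster creation. The `runs` steps containing all three hunks start and end outside the shown lines.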
13 changes: 7 additions & 6 deletions test/cloudformation/iam_cloudformation.yaml
Expand Up @@ -144,12 +144,12 @@ Resources:
- eks:CreateCluster
- eks:CreateAddon
- eks:CreateNodegroup
- eks:UpdateClusterConfig
- eks:DeleteCluster
- eks:ListFargateProfiles
- eks:TagResource
- eks:DescribeCluster
Resource:
- !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:cluster/*"
Resource: !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:cluster/*"
Condition:
StringEquals:
aws:RequestedRegion:
Expand All @@ -169,16 +169,17 @@ Resources:
- eks:DeleteNodegroup
- eks:DescribeNodegroup
- eks:TagResource
Resource:
- !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:nodegroup/*"
Resource: !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:nodegroup/*"
Condition:
StringEquals:
aws:RequestedRegion:
Ref: Regions
- Effect: Allow
Action: logs:PutRetentionPolicy
Resource: !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/eks/*"
- Effect: Allow
Action: fis:CreateExperimentTemplate
Resource:
- !Sub "arn:${AWS::Partition}:fis:*:${AWS::AccountId}:action/*"
Resource: !Sub "arn:${AWS::Partition}:fis:*:${AWS::AccountId}:action/*"
Condition:
StringEquals:
aws:RequestedRegion:
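Review bot: The new `logs:PutRetentionPolicy` statement in the second hunk hard-codes the `aws` partition in its Resource (`arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/eks/*`) and has no `aws:RequestedRegion` condition, while every neighbouring statement uses `${AWS::Partition}` and carries that condition; in a non-standard partition the ARN would never match, and without the condition the call is permitted in any region rather than only those in `Regions`. The action is low impact, but keeping the statement shaped like its siblings keeps the region fence uniform across the policy and the template portable. The `eks:UpdateClusterConfig` action added in the first hunk is scoped to `cluster/*` under the same region condition as `eks:CreateCluster`, which is as tight as this file scopes the other cluster-level actions, so no further narrowing seems available there. The rewritten statement is below; the enclosing `Resources` policy document continues outside both hunks.
```yaml
- Effect: Allow
  Action: logs:PutRetentionPolicy
  Resource: !Sub "arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:/aws/eks/*"
  Condition:
    StringEquals:
      aws:RequestedRegion:
        Ref: Regions
# … unchanged: eks nodegroup and fis statements …
```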
