docs: Collapse CloudFormation permissions (#4599)

aws · Sep 11, 2023 · f178721 · f178721
1 parent 6a88b9a
commit f178721
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 126 deletions.
diff --git a/website/content/en/docs/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/docs/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -57,32 +57,20 @@ Resources:
                 "ec2:CreateFleet"
               ]
             },
-            {
-              "Sid": "AllowScopedEC2LaunchTemplateActions",
-              "Effect": "Allow",
-              "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*",
-              "Action": "ec2:CreateLaunchTemplate",
-              "Condition": {
-                "StringEquals": {
-                  "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
-                },
-                "StringLike": {
-                  "aws:RequestTag/karpenter.sh/provisioner-name": "*"
-                }
-              }
-            },
             {
               "Sid": "AllowScopedEC2InstanceActionsWithTags",
               "Effect": "Allow",
               "Resource": [
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:fleet/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:instance/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:volume/*",
-                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*"
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*",
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*"
               ],
               "Action": [
                 "ec2:RunInstances",
-                "ec2:CreateFleet"
+                "ec2:CreateFleet",
+                "ec2:CreateLaunchTemplate"
               ],
               "Condition": {
                 "StringEquals": {
@@ -181,13 +169,16 @@ Resources:
               }
             },
             {
-              "Sid": "AllowGlobalReadActions",
+              "Sid": "AllowSSMReadActions",
+              "Effect": "Allow",
+              "Resource": "arn:${AWS::Partition}:ssm:${AWS::Region}::parameter/aws/service/*",
+              "Action": "ssm:GetParameter"
+            },
+            {
+              "Sid": "AllowPricingReadActions",
               "Effect": "Allow",
               "Resource": "*",
-              "Action": [
-                "pricing:GetProducts",
-                "ssm:GetParameter"
-              ]
+              "Action": "pricing:GetProducts"
             },
             {
               "Sid": "AllowInterruptionQueueActions",

diff --git a/...ite/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml b/...ite/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -57,32 +57,20 @@ Resources:
                 "ec2:CreateFleet"
               ]
             },
-            {
-              "Sid": "AllowScopedEC2LaunchTemplateActions",
-              "Effect": "Allow",
-              "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*",
-              "Action": "ec2:CreateLaunchTemplate",
-              "Condition": {
-                "StringEquals": {
-                  "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
-                },
-                "StringLike": {
-                  "aws:RequestTag/karpenter.sh/provisioner-name": "*"
-                }
-              }
-            },
             {
               "Sid": "AllowScopedEC2InstanceActionsWithTags",
               "Effect": "Allow",
               "Resource": [
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:fleet/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:instance/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:volume/*",
-                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*"
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*",
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*"
               ],
               "Action": [
                 "ec2:RunInstances",
-                "ec2:CreateFleet"
+                "ec2:CreateFleet",
+                "ec2:CreateLaunchTemplate"
               ],
               "Condition": {
                 "StringEquals": {
@@ -181,13 +169,16 @@ Resources:
               }
             },
             {
-              "Sid": "AllowGlobalReadActions",
+              "Sid": "AllowSSMReadActions",
+              "Effect": "Allow",
+              "Resource": "arn:${AWS::Partition}:ssm:${AWS::Region}::parameter/aws/service/*",
+              "Action": "ssm:GetParameter"
+            },
+            {
+              "Sid": "AllowPricingReadActions",
               "Effect": "Allow",
               "Resource": "*",
-              "Action": [
-                "pricing:GetProducts",
-                "ssm:GetParameter"
-              ]
+              "Action": "pricing:GetProducts"
             },
             {
               "Sid": "AllowInterruptionQueueActions",

diff --git a/website/content/en/v0.27/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.27/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -57,32 +57,20 @@ Resources:
                 "ec2:CreateFleet"
               ]
             },
-            {
-              "Sid": "AllowScopedEC2LaunchTemplateActions",
-              "Effect": "Allow",
-              "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*",
-              "Action": "ec2:CreateLaunchTemplate",
-              "Condition": {
-                "StringEquals": {
-                  "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
-                },
-                "StringLike": {
-                  "aws:RequestTag/karpenter.sh/provisioner-name": "*"
-                }
-              }
-            },
             {
               "Sid": "AllowScopedEC2InstanceActionsWithTags",
               "Effect": "Allow",
               "Resource": [
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:fleet/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:instance/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:volume/*",
-                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*"
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*",
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*"
               ],
               "Action": [
                 "ec2:RunInstances",
-                "ec2:CreateFleet"
+                "ec2:CreateFleet",
+                "ec2:CreateLaunchTemplate"
               ],
               "Condition": {
                 "StringEquals": {
@@ -181,13 +169,16 @@ Resources:
               }
             },
             {
-              "Sid": "AllowGlobalReadActions",
+              "Sid": "AllowSSMReadActions",
+              "Effect": "Allow",
+              "Resource": "arn:${AWS::Partition}:ssm:${AWS::Region}::parameter/aws/service/*",
+              "Action": "ssm:GetParameter"
+            },
+            {
+              "Sid": "AllowPricingReadActions",
               "Effect": "Allow",
               "Resource": "*",
-              "Action": [
-                "pricing:GetProducts",
-                "ssm:GetParameter"
-              ]
+              "Action": "pricing:GetProducts"
             },
             {
               "Sid": "AllowInterruptionQueueActions",

diff --git a/website/content/en/v0.28/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.28/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -57,32 +57,20 @@ Resources:
                 "ec2:CreateFleet"
               ]
             },
-            {
-              "Sid": "AllowScopedEC2LaunchTemplateActions",
-              "Effect": "Allow",
-              "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*",
-              "Action": "ec2:CreateLaunchTemplate",
-              "Condition": {
-                "StringEquals": {
-                  "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
-                },
-                "StringLike": {
-                  "aws:RequestTag/karpenter.sh/provisioner-name": "*"
-                }
-              }
-            },
             {
               "Sid": "AllowScopedEC2InstanceActionsWithTags",
               "Effect": "Allow",
               "Resource": [
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:fleet/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:instance/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:volume/*",
-                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*"
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*",
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*"
               ],
               "Action": [
                 "ec2:RunInstances",
-                "ec2:CreateFleet"
+                "ec2:CreateFleet",
+                "ec2:CreateLaunchTemplate"
               ],
               "Condition": {
                 "StringEquals": {
@@ -181,13 +169,16 @@ Resources:
               }
             },
             {
-              "Sid": "AllowGlobalReadActions",
+              "Sid": "AllowSSMReadActions",
+              "Effect": "Allow",
+              "Resource": "arn:${AWS::Partition}:ssm:${AWS::Region}::parameter/aws/service/*",
+              "Action": "ssm:GetParameter"
+            },
+            {
+              "Sid": "AllowPricingReadActions",
               "Effect": "Allow",
               "Resource": "*",
-              "Action": [
-                "pricing:GetProducts",
-                "ssm:GetParameter"
-              ]
+              "Action": "pricing:GetProducts"
             },
             {
               "Sid": "AllowInterruptionQueueActions",

diff --git a/website/content/en/v0.29/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.29/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -57,32 +57,20 @@ Resources:
                 "ec2:CreateFleet"
               ]
             },
-            {
-              "Sid": "AllowScopedEC2LaunchTemplateActions",
-              "Effect": "Allow",
-              "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*",
-              "Action": "ec2:CreateLaunchTemplate",
-              "Condition": {
-                "StringEquals": {
-                  "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
-                },
-                "StringLike": {
-                  "aws:RequestTag/karpenter.sh/provisioner-name": "*"
-                }
-              }
-            },
             {
               "Sid": "AllowScopedEC2InstanceActionsWithTags",
               "Effect": "Allow",
               "Resource": [
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:fleet/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:instance/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:volume/*",
-                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*"
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*",
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*"
               ],
               "Action": [
                 "ec2:RunInstances",
-                "ec2:CreateFleet"
+                "ec2:CreateFleet",
+                "ec2:CreateLaunchTemplate"
               ],
               "Condition": {
                 "StringEquals": {
@@ -181,13 +169,16 @@ Resources:
               }
             },
             {
-              "Sid": "AllowGlobalReadActions",
+              "Sid": "AllowSSMReadActions",
+              "Effect": "Allow",
+              "Resource": "arn:${AWS::Partition}:ssm:${AWS::Region}::parameter/aws/service/*",
+              "Action": "ssm:GetParameter"
+            },
+            {
+              "Sid": "AllowPricingReadActions",
               "Effect": "Allow",
               "Resource": "*",
-              "Action": [
-                "pricing:GetProducts",
-                "ssm:GetParameter"
-              ]
+              "Action": "pricing:GetProducts"
             },
             {
               "Sid": "AllowInterruptionQueueActions",

diff --git a/website/content/en/v0.30/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.30/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -57,32 +57,20 @@ Resources:
                 "ec2:CreateFleet"
               ]
             },
-            {
-              "Sid": "AllowScopedEC2LaunchTemplateActions",
-              "Effect": "Allow",
-              "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*",
-              "Action": "ec2:CreateLaunchTemplate",
-              "Condition": {
-                "StringEquals": {
-                  "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
-                },
-                "StringLike": {
-                  "aws:RequestTag/karpenter.sh/provisioner-name": "*"
-                }
-              }
-            },
             {
               "Sid": "AllowScopedEC2InstanceActionsWithTags",
               "Effect": "Allow",
               "Resource": [
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:fleet/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:instance/*",
                 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:volume/*",
-                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*"
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:network-interface/*",
+                "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*"
               ],
               "Action": [
                 "ec2:RunInstances",
-                "ec2:CreateFleet"
+                "ec2:CreateFleet",
+                "ec2:CreateLaunchTemplate"
               ],
               "Condition": {
                 "StringEquals": {
@@ -181,13 +169,16 @@ Resources:
               }
             },
             {
-              "Sid": "AllowGlobalReadActions",
+              "Sid": "AllowSSMReadActions",
+              "Effect": "Allow",
+              "Resource": "arn:${AWS::Partition}:ssm:${AWS::Region}::parameter/aws/service/*",
+              "Action": "ssm:GetParameter"
+            },
+            {
+              "Sid": "AllowPricingReadActions",
               "Effect": "Allow",
               "Resource": "*",
-              "Action": [
-                "pricing:GetProducts",
-                "ssm:GetParameter"
-              ]
+              "Action": "pricing:GetProducts"
             },
             {
               "Sid": "AllowInterruptionQueueActions",