Description
Currently, most IAM roles in eksctl support either referencing existing roles or specifying permission boundaries when creating new ones, but autoModeConfig lacks this capability. This forces customers with permission boundary requirements to:
- Create the auto mode node role in advance, outside the cluster creation flow
- Reference it via nodeRoleARN in their configuration
Adding a permissionBoundaryARN parameter under autoModeConfig would eliminate this extra step and allow the role to be managed directly through the cluster's CloudFormation stack, maintaining the infrastructure-as-code approach.
Current Limitation
In EKS Auto Mode, when using eksctl to create clusters, the IAM permissions boundary feature that exists for other roles isn't available for autoModeConfig. This creates inconsistency in how IAM roles are managed across the tool.
Proposed Solution
Add a permissionBoundaryARN parameter to the autoModeConfig section of the eksctl ClusterConfig specification. This would allow users to specify an IAM permission boundary ARN that would be applied when creating the auto mode node role.
Example implementation in the ClusterConfig:
```yaml
autoModeConfig:
  # Existing parameters
  enabled: true
  # New parameter
  permissionBoundaryARN: arn:aws:iam::111122223333:policy/my-permission-boundary
```
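To make the proposal concrete, here is an added sketch (not eksctl's code, and not part of this issue) of what the feature would do inside the CloudFormation generation step: validate the new field, then emit the Auto Mode node role as an `AWS::IAM::Role` resource with the `PermissionsBoundary` property set only when the field is configured. The `AutoModeConfig` struct, the `ValidateAutoModeConfig`/`NodeRoleResource` functions, and the choice of managed policies and trust statement are assumptions made for this example; `PermissionsBoundary` is the real CloudFormation property name on `AWS::IAM::Role`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// AutoModeConfig mirrors the proposed autoModeConfig section. This is a
// hypothetical struct for the example, not eksctl's own API type.
type AutoModeConfig struct {
	Enabled               bool
	NodeRoleARN           string // reference an existing role instead of creating one
	PermissionBoundaryARN string // proposed new field
}

// A permissions boundary is an IAM *policy*, so the ARN must name a policy
// (customer managed or AWS managed), never a role or a user.
var boundaryARN = regexp.MustCompile(`^arn:aws(-[a-z]+)*:iam::(\d{12}|aws):policy/[\w+=,.@/-]+$`)

// ValidateAutoModeConfig rejects combinations that cannot be honoured:
// a boundary only makes sense for a role eksctl creates itself.
func ValidateAutoModeConfig(cfg AutoModeConfig) error {
	if cfg.PermissionBoundaryARN == "" {
		return nil
	}
	if cfg.NodeRoleARN != "" {
		return fmt.Errorf("permissionBoundaryARN cannot be combined with nodeRoleARN: a boundary only applies to a role eksctl creates")
	}
	if !boundaryARN.MatchString(cfg.PermissionBoundaryARN) {
		return fmt.Errorf("permissionBoundaryARN %q is not an IAM policy ARN", cfg.PermissionBoundaryARN)
	}
	return nil
}

// NodeRoleResource builds the CloudFormation AWS::IAM::Role resource for the
// Auto Mode node role. The trust statement and managed policy names are the
// ones EKS documents for Auto Mode nodes (an assumption of this example).
func NodeRoleResource(cfg AutoModeConfig) map[string]interface{} {
	props := map[string]interface{}{
		"AssumeRolePolicyDocument": map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{{
				"Effect":    "Allow",
				"Principal": map[string]string{"Service": "ec2.amazonaws.com"},
				"Action":    []string{"sts:AssumeRole", "sts:TagSession"},
			}},
		},
		"ManagedPolicyArns": []string{
			"arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy",
			"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly",
		},
	}
	// The boundary caps the role's effective permissions regardless of which
	// policies are attached later. Emit the property only when configured so
	// templates for clusters without a boundary are byte-for-byte unchanged.
	if cfg.PermissionBoundaryARN != "" {
		props["PermissionsBoundary"] = cfg.PermissionBoundaryARN
	}
	return map[string]interface{}{
		"Type":       "AWS::IAM::Role",
		"Properties": props,
	}
}

func main() {
	// Constructed sample matching the YAML above.
	cfg := AutoModeConfig{Enabled: true, PermissionBoundaryARN: "arn:aws:iam::111122223333:policy/my-permission-boundary"}
	if err := ValidateAutoModeConfig(cfg); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(map[string]interface{}{"AutoModeNodeRole": NodeRoleResource(cfg)}, "", "  ")
	fmt.Println(string(out))
}
```

The validation step matters for the security goal: silently accepting `permissionBoundaryARN` alongside `nodeRoleARN` would give the operator a false sense that the boundary is enforced on a role eksctl never touched, so the two should be mutually exclusive at config-load time rather than at stack creation.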
This enhancement would align with AWS best practices for IAM permissions management and make eksctl more consistent in its handling of IAM roles. It would also make it easier for organizations that use permission boundaries as part of their security controls to adopt EKS Auto Mode.