Description
/kind bug
1. What kops version are you running? The command kops version, will display
this information.
1.34.1
2. What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.
1.34.3
3. What cloud provider are you using?
AWS
What happened?
The IAM policy generated by the kOps Karpenter addon is missing several
permissions that are required by upstream Karpenter AWS provider
documentation.
As a result, the Karpenter controller fails to provision nodes when
instance profile management is required.
What did you expect to happen?
The Karpenter addon IAM policy generated by kOps should align with the
official Karpenter documentation and include all required permissions.
Missing IAM permissions
The following IAM actions are required but missing from the kOps-managed
Karpenter IAM policy:
- iam:CreateInstanceProfile
- iam:ListInstanceProfiles
References
- https://karpenter.sh/docs/getting-started/migrating-from-cas/
- kOps source: pkg/model/components/addonmanifests/karpenter/iam.go
Environment
- Kubernetes version: v1.8.1
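
A way to verify the report against a rendered policy document, as an added example that is not part of the original issue or the kOps code base: the check below tests whether the two actions listed above are granted by any `Allow` statement, honouring IAM wildcards. The sample policy is constructed for illustration and is not the real kOps output; the check looks at action names only and ignores `NotAction`, `Resource` and `Condition`.

```python
import fnmatch
import json

# Actions the issue reports as missing from the kOps-managed Karpenter policy.
REQUIRED_ACTIONS = ["iam:CreateInstanceProfile", "iam:ListInstanceProfiles"]

# Constructed sample policy (NOT the real kOps output), used to exercise the check.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:GetInstanceProfile", "iam:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a bare string or object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """IAM action names are case-insensitive; '*' and '?' act as wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return required actions that no Allow grants, or that a Deny names.

    A Deny is counted regardless of its Resource/Condition scope, so the
    result is conservative: it may flag an action that is only partly denied.
    """
    statements = _as_list(json.loads(policy_json).get("Statement"))
    allowed, denied = set(), set()
    for stmt in statements:
        actions = _as_list(stmt.get("Action"))
        for action in required:
            if _matches(actions, action):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return [a for a in required if a not in allowed or a in denied]


if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))
```

An empty result means both actions are present by name; it does not show that they are scoped to the resources the controller needs.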