
The policy for AWS VPC CNI doesn't work out-of-the-box #1

Closed

Description

@dex4er

The policy for AWS VPC CNI has

      condition {
        test     = "StringEquals"
        variable = "aws:ResourceTag/eks-cluster-arn"
        values   = ["$${aws:PrincipalTag/eks-cluster-arn}"]
      }

but there is no clear example of how to use it: i.e. do I need to add this extra tag to some resources (node group?) or with the ADDITIONAL_ENI_TAGS variable for the vpc-cni addon?

With this policy IAM rejects CreateNetworkInterface and AttachNetworkInterface requests.
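The condition quoted above is an attribute-based (ABAC) check: the value `$${aws:PrincipalTag/eks-cluster-arn}` is Terraform's escape for a literal `${aws:PrincipalTag/eks-cluster-arn}` in the rendered JSON, an IAM policy variable that is substituted at request time from the caller's principal (session) tags and compared against the `eks-cluster-arn` tag on the resource. If either side of that comparison is absent, `StringEquals` does not match and the statement grants nothing, which is exactly the CreateNetworkInterface / AttachNetworkInterface rejection the report describes. The following is an added illustration, not code from the issue or from the terraform-aws-eks-pod-identity module: a small evaluator for this one condition operator, run against constructed request contexts (the cluster ARN, tag values and statements are made up; the real EC2 authorization context per action is more involved than what is modelled here).

```python
"""Minimal model of an IAM StringEquals condition that uses a policy
variable, applied to the VPC CNI statement discussed in this issue.
Added example; not part of terraform-aws-eks-pod-identity."""
import re
from typing import Dict, List, Optional

# Matches a policy variable such as ${aws:PrincipalTag/eks-cluster-arn}.
POLICY_VAR = re.compile(r"^\$\{([A-Za-z0-9:/._-]+)\}$")

# Shape of the conditioned statement from the issue, as rendered JSON.
CNI_TAG_CONDITIONED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ec2:CreateNetworkInterface", "ec2:AttachNetworkInterface"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/eks-cluster-arn": [
                "${aws:PrincipalTag/eks-cluster-arn}"
            ]
        }
    },
}

# An unconditioned grant, the kind of statement a managed policy such as
# AmazonEKS_CNI_Policy uses (assumed shape, not copied from AWS).
CNI_UNCONDITIONED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ec2:CreateNetworkInterface", "ec2:AttachNetworkInterface"],
    "Resource": "*",
}


def resolve(value: str, ctx: Dict[str, str]) -> Optional[str]:
    """Substitute a policy variable from the request context.
    An unresolvable variable yields None; IAM treats that as no match."""
    m = POLICY_VAR.match(value)
    if not m:
        return value
    return ctx.get(m.group(1))


def string_equals(block: Dict[str, List[str]], ctx: Dict[str, str]) -> bool:
    """Every condition key must be present in the request context and equal
    one of the resolved expected values. A missing key fails the check."""
    for key, expected in block.items():
        actual = ctx.get(key)
        if actual is None:
            return False
        candidates = [r for r in (resolve(v, ctx) for v in expected) if r is not None]
        if actual not in candidates:
            return False
    return True


def evaluate(statement: dict, action: str, ctx: Dict[str, str]) -> str:
    """Return 'Allow' if the statement matches the request, else 'ImplicitDeny'.
    Only Action and a StringEquals Condition are modelled."""
    if action not in statement["Action"]:
        return "ImplicitDeny"
    for operator, block in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        if not string_equals(block, ctx):
            return "ImplicitDeny"
    return statement["Effect"]


# Constructed request contexts (hypothetical cluster ARN, not captured data).
CLUSTER_ARN = "arn:aws:eks:eu-west-1:111122223333:cluster/example"
OTHER_ARN = "arn:aws:eks:eu-west-1:111122223333:cluster/other"

# Caller credentials carry the session tag (what the pod identity flow
# is expected to attach) and the ENI carries the matching resource tag.
CTX_TAGGED = {
    "aws:PrincipalTag/eks-cluster-arn": CLUSTER_ARN,
    "aws:ResourceTag/eks-cluster-arn": CLUSTER_ARN,
}
# Caller has no session tag: the variable cannot be resolved.
CTX_NO_SESSION_TAG = {"aws:ResourceTag/eks-cluster-arn": CLUSTER_ARN}
# Resource was never tagged with eks-cluster-arn.
CTX_NO_RESOURCE_TAG = {"aws:PrincipalTag/eks-cluster-arn": CLUSTER_ARN}
# Both tags present but for different clusters: the ABAC boundary holds.
CTX_MISMATCH = {
    "aws:PrincipalTag/eks-cluster-arn": CLUSTER_ARN,
    "aws:ResourceTag/eks-cluster-arn": OTHER_ARN,
}


def decisions() -> Dict[str, str]:
    """Evaluate CreateNetworkInterface under each context and both statements."""
    action = "ec2:CreateNetworkInterface"
    return {
        "conditioned_tagged": evaluate(CNI_TAG_CONDITIONED_STATEMENT, action, CTX_TAGGED),
        "conditioned_no_session_tag": evaluate(CNI_TAG_CONDITIONED_STATEMENT, action, CTX_NO_SESSION_TAG),
        "conditioned_no_resource_tag": evaluate(CNI_TAG_CONDITIONED_STATEMENT, action, CTX_NO_RESOURCE_TAG),
        "conditioned_mismatch": evaluate(CNI_TAG_CONDITIONED_STATEMENT, action, CTX_MISMATCH),
        "unconditioned_no_session_tag": evaluate(CNI_UNCONDITIONED_STATEMENT, action, CTX_NO_SESSION_TAG),
    }


if __name__ == "__main__":
    for name, decision in decisions().items():
        print(f"{name}: {decision}")
```

The last two rows are the practical point: the unconditioned statement allows the call whether or not any tag is present, while the conditioned one only allows it when the caller's session tag and the resource tag agree, and silently denies when the caller simply has no such session tag. That is also what makes the tag-conditioned form the tighter policy once the calling component actually runs with session-tagged credentials.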

Activity

bryantbiggs (Member) commented on Dec 22, 2023

Users do not need to do anything for these tags, they are embedded into the API calls. The VPC CNI currently does not support pod identity, which is why it's failing for you.

dex4er (Author) commented on Dec 22, 2023

It is not true: with amazon-k8s-cni:v1.15.5-eksbuild.1 and

  additional_policy_arns = {
    AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  }

everything is fine. Is it an error in the policy, or must I use a VPC CNI version that explicitly supports those tags?

dex4er (Author) commented on Jan 2, 2024

v1.16.0 fails with the standard policy (attach_aws_vpc_cni_policy = true, aws_vpc_cni_enable_ipv4 = true) too. All is fine when I use arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy.

Am I missing ADDITIONAL_ENI_TAGS? The documentation says the VPC CNI adds the cluster.k8s.amazonaws.com/name tag to the resources rather than eks-cluster-arn?

bryantbiggs (Member) commented on Mar 19, 2024

The session-tag-based policies have been removed. When the upstream projects update their policies to support them, we can re-evaluate adding them here.

github-actions commented on Apr 19, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

locked as resolved and limited conversation to collaborators on Apr 19, 2024

          The policy for AWS VPC CNI doesn't work out-of-the-box · Issue #1 · terraform-aws-modules/terraform-aws-eks-pod-identity