Fix IAM permissions for Karpenter

2022-08-01 07:34:57 +02:00 · 2022-08-01 07:34:57 +02:00 · 2a21b49eea
parent dba1e5d594
commit 2a21b49eea
2 changed files with 13 additions and 9 deletions
--- a/pkg/model/components/addonmanifests/karpenter/iam.go
+++ b/pkg/model/components/addonmanifests/karpenter/iam.go
@ -52,17 +52,19 @@ func addKarpenterPermissions(p *iam.Policy) {
 		// use existing kOps instance group launch templates
 		// "ec2:CreateLaunchTemplate",
 		"ec2:CreateFleet",
-		"ec2:RunInstances",
 		"ec2:CreateTags",
-		"iam:PassRole",
-		"ec2:TerminateInstances",
-		"ec2:DescribeLaunchTemplates",
-		"ec2:DescribeInstances",
-		"ec2:DescribeSecurityGroups",
-		"ec2:DescribeSubnets",
-		"ec2:DescribeInstanceTypes",
-		"ec2:DescribeInstanceTypeOfferings",
 		"ec2:DescribeAvailabilityZones",
+		"ec2:DescribeInstanceTypeOfferings",
+		"ec2:DescribeInstanceTypes",
+		"ec2:DescribeInstances",
+		"ec2:DescribeLaunchTemplates",
+		"ec2:DescribeSecurityGroups",
+		"ec2:DescribeSpotPriceHistory",
+		"ec2:DescribeSubnets",
+		"iam:PassRole",
+		"ec2:RunInstances",
+		"ec2:TerminateInstances",
+		"pricing:GetProducts",
 		"ssm:GetParameter",
 	)
 }
--- a/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
+++ b/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
@ -10,10 +10,12 @@
        "ec2:DescribeInstances",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeSubnets",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "iam:PassRole",
+        "pricing:GetProducts",
        "ssm:GetParameter"
      ],
      "Effect": "Allow",