diff --git a/pkg/model/components/addonmanifests/karpenter/iam.go b/pkg/model/components/addonmanifests/karpenter/iam.go
index e5646bf9aa..9d3b2763d2 100644
--- a/pkg/model/components/addonmanifests/karpenter/iam.go
+++ b/pkg/model/components/addonmanifests/karpenter/iam.go
@@ -52,17 +52,19 @@ func addKarpenterPermissions(p *iam.Policy) {
 // use existing kOps instance group launch templates
 // "ec2:CreateLaunchTemplate",
 "ec2:CreateFleet",
- "ec2:RunInstances",
 "ec2:CreateTags",
- "iam:PassRole",
- "ec2:TerminateInstances",
- "ec2:DescribeLaunchTemplates",
- "ec2:DescribeInstances",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeInstanceTypes",
- "ec2:DescribeInstanceTypeOfferings",
 "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInstanceTypeOfferings",
+ "ec2:DescribeInstanceTypes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeLaunchTemplates",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSpotPriceHistory",
+ "ec2:DescribeSubnets",
+ "iam:PassRole",
+ "ec2:RunInstances",
+ "ec2:TerminateInstances",
+ "pricing:GetProducts",
 "ssm:GetParameter",
 )
 }
diff --git a/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
index eb011e04da..07f40f3a6b 100644
--- a/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
+++ b/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
@@ -10,10 +10,12 @@
 "ec2:DescribeInstances",
 "ec2:DescribeLaunchTemplates",
 "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSpotPriceHistory",
 "ec2:DescribeSubnets",
 "ec2:RunInstances",
 "ec2:TerminateInstances",
 "iam:PassRole",
+ "pricing:GetProducts",
 "ssm:GetParameter"
 ],
 "Effect": "Allow",
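Review bot: The two added actions in the iam.go hunk, `ec2:DescribeSpotPriceHistory` and `pricing:GetProducts`, join the same list as `iam:PassRole` and `ec2:RunInstances` with no comment saying why the controller needs them. Both are read-only, so the added exposure looks small, but a line such as `// read-only price lookups (spot history, on-demand price list)` above them would keep the grant auditable; the stated purpose is my inference and should be confirmed. The re-sort also leaves `iam:PassRole` between `ec2:DescribeSubnets` and `ec2:RunInstances`, whereas the golden policy file lists it after `ec2:TerminateInstances`, so moving it next to `pricing:GetProducts` would make the source match the rendered order. The call that receives this list starts outside the hunk; if it emits these actions without a resource or condition, `iam:PassRole` is the entry most worth scoping to the node instance role in a follow-up.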