Merge pull request #652 from christopherhein/feature/ebs-csi-policies

Adding IAM policies for the EBS CSI driver
eksctl-io · Mar 22, 2019 · 2a1189c · 2a1189c
2 parents ca30d42 + 42b63f4
commit 2a1189c
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 4 deletions.
diff --git a/pkg/apis/eksctl.io/v1alpha4/types.go b/pkg/apis/eksctl.io/v1alpha4/types.go
@@ -312,6 +312,7 @@ func (c *ClusterConfig) NewNodeGroup() *NodeGroup {
 				AutoScaler:   NewBoolFalse(),
 				ExternalDNS:  NewBoolFalse(),
 				AppMesh:      NewBoolFalse(),
+				EBSCSI:       NewBoolFalse(),
 			},
 		},
 	}
@@ -420,5 +421,7 @@ type (
 		ExternalDNS *bool `json:"externalDNS"`
 		// +optional
 		AppMesh *bool `json:"appMesh"`
+		// +optional
+		EBSCSI *bool `json:"ebsCSI"`
 	}
 )
diff --git a/pkg/apis/eksctl.io/v1alpha4/validation.go b/pkg/apis/eksctl.io/v1alpha4/validation.go
@@ -28,6 +28,9 @@ func validateNodeGroupIAM(i int, ng *NodeGroup, value, fieldName, path string) e
 		if v := ng.IAM.WithAddonPolicies.AppMesh; v != nil && *v {
 			return fmt.Errorf("%s.AppMesh cannot be set at the same time", p)
 		}
+		if v := ng.IAM.WithAddonPolicies.EBSCSI; v != nil && *v {
+			return fmt.Errorf("%s.ebsCSI cannot be set at the same time", p)
+		}
 	}
 	return nil
 }

diff --git a/pkg/apis/eksctl.io/v1alpha4/zz_generated.deepcopy.go b/pkg/apis/eksctl.io/v1alpha4/zz_generated.deepcopy.go
diff --git a/pkg/cfn/builder/api_test.go b/pkg/cfn/builder/api_test.go
@@ -59,6 +59,7 @@ type Template struct {
 					Resource interface{}
 				}
 			}
+			BlockDeviceMappings      []interface{}
 			VPCZoneIdentifier        interface{}
 			AssociatePublicIpAddress bool
 			CidrIp                   string
@@ -341,6 +342,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 							AutoScaler:   api.NewBoolFalse(),
 							ExternalDNS:  api.NewBoolFalse(),
 							AppMesh:      api.NewBoolFalse(),
+							EBSCSI:       api.NewBoolFalse(),
 						},
 					},
 				},
@@ -473,7 +475,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 
 		It("should have correct policies", func() {
 			Expect(obj.Resources).ToNot(BeEmpty())
-			Expect(obj.Resources["PolicyAutoScaling"]).ToNot(BeNil())
+			Expect(obj.Resources).To(HaveKey("PolicyAutoScaling"))
 			Expect(obj.Resources["PolicyAutoScaling"].Properties.PolicyDocument.Statement).To(HaveLen(1))
 			Expect(obj.Resources["PolicyAutoScaling"].Properties.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
 			Expect(obj.Resources["PolicyAutoScaling"].Properties.PolicyDocument.Statement[0].Resource).To(Equal("*"))
@@ -533,15 +535,15 @@ var _ = Describe("CloudFormation template builder API", func() {
 		It("should have correct policies", func() {
 			Expect(obj.Resources).ToNot(BeEmpty())
 
-			Expect(obj.Resources["PolicyExternalDNSChangeSet"]).ToNot(BeNil())
+			Expect(obj.Resources).To(HaveKey("PolicyExternalDNSChangeSet"))
 			Expect(obj.Resources["PolicyExternalDNSChangeSet"].Properties.PolicyDocument.Statement).To(HaveLen(1))
 			Expect(obj.Resources["PolicyExternalDNSChangeSet"].Properties.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
 			Expect(obj.Resources["PolicyExternalDNSChangeSet"].Properties.PolicyDocument.Statement[0].Resource).To(Equal("arn:aws:route53:::hostedzone/*"))
 			Expect(obj.Resources["PolicyExternalDNSChangeSet"].Properties.PolicyDocument.Statement[0].Action).To(Equal([]string{
 				"route53:ChangeResourceRecordSets",
 			}))
 
-			Expect(obj.Resources["PolicyExternalDNSHostedZones"]).ToNot(BeNil())
+			Expect(obj.Resources).To(HaveKey("PolicyExternalDNSHostedZones"))
 			Expect(obj.Resources["PolicyExternalDNSHostedZones"].Properties.PolicyDocument.Statement).To(HaveLen(1))
 			Expect(obj.Resources["PolicyExternalDNSHostedZones"].Properties.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
 			Expect(obj.Resources["PolicyExternalDNSHostedZones"].Properties.PolicyDocument.Statement[0].Resource).To(Equal("*"))
@@ -550,13 +552,59 @@ var _ = Describe("CloudFormation template builder API", func() {
 				"route53:ListResourceRecordSets",
 			}))
 
-			Expect(obj.Resources["PolicyAppMesh"]).ToNot(BeNil())
+			Expect(obj.Resources).To(HaveKey("PolicyAppMesh"))
 			Expect(obj.Resources["PolicyAppMesh"].Properties.PolicyDocument.Statement).To(HaveLen(1))
 			Expect(obj.Resources["PolicyAppMesh"].Properties.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
 			Expect(obj.Resources["PolicyAppMesh"].Properties.PolicyDocument.Statement[0].Resource).To(Equal("*"))
 			Expect(obj.Resources["PolicyAppMesh"].Properties.PolicyDocument.Statement[0].Action).To(Equal([]string{
 				"appmesh:*",
 			}))
+
+			Expect(obj.Resources).ToNot(HaveKey("PolicyEBSCSI"))
+			Expect(obj.Resources).ToNot(HaveKey("PolicyAutoScaling"))
+		})
+
+	})
+
+	Context("NodeGroupEBSCSI", func() {
+		cfg, ng := newClusterConfigAndNodegroup(true)
+
+		ng.VolumeSize = 0
+		ng.IAM.WithAddonPolicies.EBSCSI = api.NewBoolTrue()
+
+		build(cfg, "eksctl-test-ebscsi-cluster", ng)
+
+		roundtript()
+
+		It("should have correct policies", func() {
+			Expect(obj.Resources).ToNot(BeEmpty())
+
+			Expect(obj.Resources).To(HaveKey("NodeLaunchConfig"))
+			Expect(obj.Resources["NodeLaunchConfig"].Properties.BlockDeviceMappings).To(HaveLen(0))
+
+			Expect(obj.Resources).To(HaveKey("PolicyEBSCSI"))
+			Expect(obj.Resources["PolicyEBSCSI"].Properties.PolicyDocument.Statement).To(HaveLen(1))
+			Expect(obj.Resources["PolicyEBSCSI"].Properties.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
+			Expect(obj.Resources["PolicyEBSCSI"].Properties.PolicyDocument.Statement[0].Resource).To(Equal("*"))
+			Expect(obj.Resources["PolicyEBSCSI"].Properties.PolicyDocument.Statement[0].Action).To(Equal([]string{
+				"ec2:AttachVolume",
+				"ec2:CreateSnapshot",
+				"ec2:CreateTags",
+				"ec2:CreateVolume",
+				"ec2:DeleteSnapshot",
+				"ec2:DeleteTags",
+				"ec2:DeleteVolume",
+				"ec2:DescribeInstances",
+				"ec2:DescribeSnapshots",
+				"ec2:DescribeTags",
+				"ec2:DescribeVolumes",
+				"ec2:DetachVolume",
+			}))
+
+			Expect(obj.Resources).ToNot(HaveKey("PolicyAutoScaling"))
+			Expect(obj.Resources).ToNot(HaveKey("PolicyExternalDNSChangeSet"))
+			Expect(obj.Resources).ToNot(HaveKey("PolicyExternalDNSHostedZones"))
+			Expect(obj.Resources).ToNot(HaveKey("PolicyAppMesh"))
 		})
 	})
 
@@ -595,6 +643,17 @@ var _ = Describe("CloudFormation template builder API", func() {
 			}
 			Expect(x).To(Equal(refSubnets))
 
+			Expect(obj.Resources).To(HaveKey("NodeLaunchConfig"))
+
+			Expect(obj.Resources["NodeLaunchConfig"].Properties.BlockDeviceMappings).To(HaveLen(1))
+
+			rootVolume := obj.Resources["NodeLaunchConfig"].Properties.BlockDeviceMappings[0].(map[string]interface{})
+
+			Expect(rootVolume).To(HaveKeyWithValue("DeviceName", "/dev/xvda"))
+			Expect(rootVolume).To(HaveKey("Ebs"))
+			Expect(rootVolume["Ebs"].(map[string]interface{})).To(HaveKeyWithValue("VolumeType", "io1"))
+			Expect(rootVolume["Ebs"].(map[string]interface{})).To(HaveKeyWithValue("VolumeSize", 2.0))
+
 			Expect(obj.Resources["NodeLaunchConfig"].Properties.AssociatePublicIpAddress).To(BeFalse())
 
 			Expect(obj.Resources["SSHIPv4"].Properties.CidrIp).To(Equal("192.168.0.0/16"))

diff --git a/pkg/cfn/builder/iam.go b/pkg/cfn/builder/iam.go
@@ -217,6 +217,25 @@ func (n *NodeGroupResourceSet) addResourcesForIAM() {
 		)
 	}
 
+	if v := n.spec.IAM.WithAddonPolicies.EBSCSI; v != nil && *v {
+		n.rs.attachAllowPolicy("PolicyEBSCSI", refIR, "*",
+			[]string{
+				"ec2:AttachVolume",
+				"ec2:CreateSnapshot",
+				"ec2:CreateTags",
+				"ec2:CreateVolume",
+				"ec2:DeleteSnapshot",
+				"ec2:DeleteTags",
+				"ec2:DeleteVolume",
+				"ec2:DescribeInstances",
+				"ec2:DescribeSnapshots",
+				"ec2:DescribeTags",
+				"ec2:DescribeVolumes",
+				"ec2:DetachVolume",
+			},
+		)
+	}
+
 	n.rs.defineOutputFromAtt(outputs.NodeGroupInstanceProfileARN, "NodeInstanceProfile.Arn", true, func(v string) error {
 		n.spec.IAM.InstanceProfileARN = v
 		return nil