I know that this (closed) issue asked for the ability to attach existing IAM policies to a nodegroup, but the issue was closed without anything being implemented.
My use case is that I use a cluster autoscaler on a non-autoscaling node-group to scale a separate node-group from 0. Scaling from 0 requires more permissions than the existing IAM policy that is attached when using --asg-access provides. So, I have to manually create the policy in the AWS management console, find the nodegroup role in CloudFormation, then find the nodegroup role in IAM, and then finally attach my manually created policy to the nodegroup role. It would be much more convenient if we could specify either a policy directly (as a string that is formatted with the standard JSON policy format) or if we could just specify the policy we would like to attach.
This would be much more flexible and scalable than trying to provide flags for every conceivable policy that one might want attached to a nodegroup.
Hi @albertmichaelj. In your eksctl config file you can specify the IAM role to be attached to workers in each nodegroup. So you can attach your own role with the extra permissions included.
```yaml
nodeGroups:
  - name: group-1
    ...
    iam:
      instanceProfileARN: ...
      instanceRoleARN: ...
```
That said, the asg-access policy used to include everything needed to scale from 0, and I think that is the intention. @errordeveloper it looks like the newest cluster-autoscaler has added an additional requirement for ec2:DescribeLaunchTemplateVersions for nodegroups created with launch templates, which includes the newer eksctl version. Maybe the asg-access policy needs updating too?
https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#scaling-a-node-group-to-0
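Added example (not part of the thread, and not eksctl or cluster-autoscaler code): before attaching a hand-made policy to a custom node role, a small check that the policy document grants the actions the autoscaler needs and nothing wildcard-wide. The action list is an assumption, since only `ec2:DescribeLaunchTemplateVersions` is named in the comment above; `audit_policy` and `SAMPLE_POLICY` are hypothetical names, and the sample policy is constructed.

```python
import fnmatch
import json

# Assumed action set for cluster-autoscaler on AWS; only
# ec2:DescribeLaunchTemplateVersions is named in the thread itself.
REQUIRED_ACTIONS = [
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeLaunchConfigurations",
    "autoscaling:DescribeTags",
    "autoscaling:SetDesiredCapacity",
    "autoscaling:TerminateInstanceInAutoScalingGroup",
    "ec2:DescribeLaunchTemplateVersions",
]

def _as_list(value):
    # IAM allows a single string or object where a list is expected.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive; * and ? act as wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy_json, required=REQUIRED_ACTIONS):
    """Return (missing, overbroad) for an identity policy document.

    Simplification: Resource, Condition and NotAction are ignored, and any
    matching Deny is treated as blocking the action.
    """
    allow, deny, overbroad = [], [], []
    for st in _as_list(json.loads(policy_json).get("Statement")):
        actions = _as_list(st.get("Action"))
        if st.get("Effect") == "Allow":
            allow += actions
            # Flag grants wider than a node role should carry.
            overbroad += [a for a in actions if a == "*" or a.endswith(":*")]
        elif st.get("Effect") == "Deny":
            deny += actions
    missing = [a for a in required
               if not _matches(a, allow) or _matches(a, deny)]
    return missing, sorted(set(overbroad))

# Constructed sample: autoscaling-only policy with no launch-template access.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["autoscaling:Describe*", "autoscaling:SetDesiredCapacity",
               "autoscaling:TerminateInstanceInAutoScalingGroup"]}]})

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```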
Ah, I couldn't find this option documented anywhere (I really tried to look for it!). This is exactly what I was requesting. I'll leave this issue open in case it is useful for the update to asg-access, which would separately be nice. If it would be better to open an additional issue for asg-access with scaling clusters to 0, then feel free to close this one.
Thanks!
Thanks @whereisaaron !
I submitted a small PR to include the policy and I'll make a note to add examples around this now that we are improving the documentation.