Support setting role path and permissions boundary for EKS control plane, EKS fargate profile, and managed machine pools

Signed-off-by: Robin Ketelbuters <[email protected]>

Author: robinkb

cmd/clusterawsadm/api/bootstrap/v1alpha1/conversion.go

@@ -25,3 +25,7 @@ import (
 func Convert_v1beta1_AWSIAMConfigurationSpec_To_v1alpha1_AWSIAMConfigurationSpec(in *v1beta1.AWSIAMConfigurationSpec, out *AWSIAMConfigurationSpec, s conversion.Scope) error {
 	return autoConvert_v1beta1_AWSIAMConfigurationSpec_To_v1alpha1_AWSIAMConfigurationSpec(in, out, s)
 }
+
+func Convert_v1beta1_AWSIAMRoleSpec_To_v1alpha1_AWSIAMRoleSpec(in *v1beta1.AWSIAMRoleSpec, out *AWSIAMRoleSpec, s conversion.Scope) error {
+	return autoConvert_v1beta1_AWSIAMRoleSpec_To_v1alpha1_AWSIAMRoleSpec(in, out, s)
+}

cmd/clusterawsadm/api/bootstrap/v1alpha1/zz_generated.conversion.go

@@ -83,6 +83,14 @@ type AWSIAMRoleSpec struct {
 	// ExtraStatements are additional IAM statements to be included inline for the role.
 	ExtraStatements []iamv1.StatementEntry `json:"extraStatements,omitempty"`
 
+	// Path sets the path to the role.
+	// +optional
+	Path string `json:"path,omitempty"`
+
+	// PermissionsBoundary sets the ARN of the managed policy that is used to set the permissions boundary for the role.
+	// +optional
+	PermissionsBoundary string `json:"permissionsBoundary,omitempty"`
+
 	// TrustStatements is an IAM PolicyDocument defining what identities are allowed to assume this role.
 	// See "sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/api/iam/v1beta1" for more documentation.
 	TrustStatements []iamv1.StatementEntry `json:"trustStatements,omitempty"`

cmd/clusterawsadm/api/bootstrap/v1beta1/types.go

@@ -138,24 +138,30 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 
 	template.Resources[AWSIAMRoleControlPlane] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("control-plane"),
+		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.controlPlaneTrustPolicy(),
 		ManagedPolicyArns:        t.Spec.ControlPlane.ExtraPolicyAttachments,
 		Policies:                 t.controlPlanePolicies(),
+		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ControlPlane.Tags),
 	}
 
 	template.Resources[AWSIAMRoleControllers] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("controllers"),
+		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.controllersTrustPolicy(),
 		Policies:                 t.controllersRolePolicy(),
+		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ClusterAPIControllers.Tags),
 	}
 
 	template.Resources[AWSIAMRoleNodes] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("nodes"),
+		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.nodeTrustPolicy(),
 		ManagedPolicyArns:        t.nodeManagedPolicies(),
 		Policies:                 t.nodePolicies(),
+		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.Nodes.Tags),
 	}
 

cmd/clusterawsadm/cloudformation/bootstrap/template.go

@@ -2930,6 +2930,30 @@ spec:
                   and no name is supplied then a role is created.
                 minLength: 2
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               secondaryCidrBlock:
                 description: |-
                   SecondaryCidrBlock is the additional CIDR range to use for pod IPs.

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -264,6 +264,30 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               selectors:
                 description: Selectors specify fargate pod selectors.
                 items:

config/crd/bases/infrastructure.cluster.x-k8s.io_awsfargateprofiles.yaml

@@ -938,6 +938,30 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               scaling:
                 description: Scaling specifies scaling for the ASG behind this pool
                 properties:

config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml

@@ -42,6 +42,8 @@ func (r *AWSManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.VpcCni.Disable = r.Spec.DisableVPCCNI
 	dst.Spec.Partition = restored.Spec.Partition
 	dst.Spec.RestrictPrivateSubnets = restored.Spec.RestrictPrivateSubnets
+	dst.Spec.RolePath = restored.Spec.RolePath
+	dst.Spec.RolePermissionsBoundary = restored.Spec.RolePermissionsBoundary
 	dst.Status.Version = restored.Status.Version
 
 	return nil

controlplane/eks/api/v1beta1/conversion.go

@@ -88,6 +88,30 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	RoleAdditionalPolicies *[]string `json:"roleAdditionalPolicies,omitempty"`
 
+	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+	// in the IAM User Guide.
+	//
+	// This parameter is optional. If it is not included, it defaults to a slash
+	// (/).
+	// +optional
+	RolePath string `json:"rolePath,omitempty"`
+
+	// RolePermissionsBoundary sets the ARN of the managed policy that is used
+	// to set the permissions boundary for the role.
+	//
+	// A permissions boundary policy defines the maximum permissions that identity-based
+	// policies can grant to an entity, but does not grant permissions. Permissions
+	// boundaries do not define the maximum permissions that a resource-based policy
+	// can grant to an entity. To learn more, see Permissions boundaries for IAM
+	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+	// in the IAM User Guide.
+	//
+	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+	// in the IAM User Guide.
+	// +optional
+	RolePermissionsBoundary string `json:"rolePermissionsBoundary,omitempty"`
+
 	// Logging specifies which EKS Cluster logs should be enabled. Entries for
 	// each of the enabled logs will be sent to CloudWatch
 	// +optional

controlplane/eks/api/v1beta1/zz_generated.conversion.go

@@ -130,6 +130,9 @@ func (src *AWSManagedMachinePool) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Spec.AvailabilityZoneSubnetType = restored.Spec.AvailabilityZoneSubnetType
 	}
 
+	dst.Spec.RolePath = restored.Spec.RolePath
+	dst.Spec.RolePermissionsBoundary = restored.Spec.RolePermissionsBoundary
+
 	return nil
 }
 
@@ -165,14 +168,33 @@ func (r *AWSManagedMachinePoolList) ConvertFrom(srcRaw conversion.Hub) error {
 // ConvertTo converts the v1beta1 AWSFargateProfile receiver to a v1beta2 AWSFargateProfile.
 func (src *AWSFargateProfile) ConvertTo(dstRaw conversion.Hub) error {
 	dst := dstRaw.(*infrav1exp.AWSFargateProfile)
-	return Convert_v1beta1_AWSFargateProfile_To_v1beta2_AWSFargateProfile(src, dst, nil)
+
+	if err := Convert_v1beta1_AWSFargateProfile_To_v1beta2_AWSFargateProfile(src, dst, nil); err != nil {
+		return err
+	}
+
+	// Manually restore data.
+	restored := &infrav1exp.AWSFargateProfile{}
+	if ok, err := utilconversion.UnmarshalData(src, restored); err != nil || !ok {
+		return err
+	}
+
+	dst.Spec.RolePath = restored.Spec.RolePath
+	dst.Spec.RolePermissionsBoundary = restored.Spec.RolePermissionsBoundary
+
+	return nil
 }
 
 // ConvertFrom converts the v1beta2 AWSFargateProfile receiver to v1beta1 AWSFargateProfile.
 func (r *AWSFargateProfile) ConvertFrom(srcRaw conversion.Hub) error {
 	src := srcRaw.(*infrav1exp.AWSFargateProfile)
 
-	return Convert_v1beta2_AWSFargateProfile_To_v1beta1_AWSFargateProfile(src, r, nil)
+	if err := Convert_v1beta2_AWSFargateProfile_To_v1beta1_AWSFargateProfile(src, r, nil); err != nil {
+		return err
+	}
+
+	// Preserve Hub data on down-conversion.
+	return utilconversion.MarshalData(src, r)
 }
 
 // ConvertTo converts the v1beta1 AWSFargateProfileList receiver to a v1beta2 AWSFargateProfileList.
@@ -235,3 +257,7 @@ func Convert_v1beta2_RefreshPreferences_To_v1beta1_RefreshPreferences(in *infrav
 	// spec.refreshPreferences.disable has been added to v1beta2.
 	return autoConvert_v1beta2_RefreshPreferences_To_v1beta1_RefreshPreferences(in, out, s)
 }
+
+func Convert_v1beta2_FargateProfileSpec_To_v1beta1_FargateProfileSpec(in *infrav1exp.FargateProfileSpec, out *FargateProfileSpec, s apiconversion.Scope) error {
+	return autoConvert_v1beta2_FargateProfileSpec_To_v1beta1_FargateProfileSpec(in, out, s)
+}