
Not possible to spin-up node with Karpenter submodule IAM Role when using SnapshotID #2648

Closed
sanjinp opened this issue Jun 9, 2023 · 2 comments

Comments

@sanjinp
Contributor

sanjinp commented Jun 9, 2023

Description

We have a use-case where we want to use pre-created EBS volume snapshots, and the current Karpenter submodule does not permit access to snapshot resources.

  • Module version: [latest]
  • Terraform version: 1.3.9
  • Provider version(s): 4.64.0

Steps to reproduce the behavior:

Try to spin up an EC2 machine with a pre-created SnapshotID defined:

```yaml
  blockDeviceMappings:
    - deviceName: /dev/xvda
      ebs:
        volumeSize: 4Gi
        volumeType: gp3
        encrypted: true
    - deviceName: /dev/xvdb
      ebs:
        volumeSize: 40Gi
        volumeType: gp3
        encrypted: true
        snapshotID: snap-********
```

Expected behavior

The EC2 machine should boot successfully.

Actual behavior

We receive an error on the Karpenter controller: no permissions related to snapshots.

Terminal Output Screenshot(s)

```json
{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {
    "items": []
  },
  "failures": {
    "items": []
  },
  "context": {
    "principal": {
      "id": "<REDACTED>:<REDACTED>",
      "arn": "arn:aws:sts::<REDACTED>:assumed-role/KarpenterIRSA-<REDACTED>"
    },
    "action": "ec2:RunInstances",
    "resource": "arn:aws:ec2:us-east-2::snapshot/snap-<REDACTED>",
    "conditions": {
      "items": [
        {
          "key": "ec2:ParentVolume",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:us-east-2:<REDACTED>:volume/vol-<REDACTED>"
              }
            ]
          }
        },
        {
          "key": "aws:Resource",
          "values": {
            "items": [
              {
                "value": "snapshot/snap-<REDACTED>"
              }
            ]
          }
        },
        {
          "key": "aws:Account",
          "values": {
            "items": [
              {
                "value": "<REDACTED>"
              }
            ]
          }
        },
        {
          "key": "ec2:ResourceTag/Name",
          "values": {
            "items": [
              {
                "value": "<REDACTED>"
              }
            ]
          }
        },
        {
          "key": "ec2:IsLaunchTemplateResource",
          "values": {
            "items": [
              {
                "value": "true"
              }
            ]
          }
        },
        {
          "key": "aws:Region",
          "values": {
            "items": [
              {
                "value": "us-east-2"
              }
            ]
          }
        },
        {
          "key": "aws:Service",
          "values": {
            "items": [
              {
                "value": "ec2"
              }
            ]
          }
        },
        {
          "key": "<REDACTED>:Name",
          "values": {
            "items": [
              {
                "value": "<REDACTED>"
              }
            ]
          }
        },
        {
          "key": "ec2:VolumeSize",
          "values": {
            "items": [
              {
                "value": "40"
              }
            ]
          }
        },
        {
          "key": "ec2:SnapshotID",
          "values": {
            "items": [
              {
                "value": "snap-<REDACTED>"
              }
            ]
          }
        },
        {
          "key": "ec2:Owner",
          "values": {
            "items": [
              {
                "value": "<REDACTED>"
              }
            ]
          }
        },
        {
          "key": "aws:Type",
          "values": {
            "items": [
              {
                "value": "snapshot"
              }
            ]
          }
        },
        {
          "key": "ec2:Region",
          "values": {
            "items": [
              {
                "value": "us-east-2"
              }
            ]
          }
        },
        {
          "key": "ec2:SnapshotTime",
          "values": {
            "items": [
              {
                "value": "<REDACTED>"
              }
            ]
          }
        },
        {
          "key": "aws:ARN",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:us-east-2::snapshot/snap-<REDACTED>"
              }
            ]
          }
        },
        {
          "key": "ec2:LaunchTemplate",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:us-east-2:<REDACTED>:launch-template/<REDACTED>"
              }
            ]
          }
        }
      ]
    }
  }
}
```

Additional context

We lack permission to access the snapshot ARN in /modules/karpenter/main.tf, with value: "arn:${local.partition}:ec2:*::snapshot/*"
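For illustration, the following is an added example of a standalone Terraform statement that grants the kind of access the simulation output above reports as missing. It is not the module's own code and not the change made in #2649; the resource names (`aws_iam_role.karpenter`, the `karpenter_snapshot` policy document) and the `local.partition` wiring are assumptions made for this example.

```hcl
# Added example, not the terraform-aws-eks module's own code.
# Assumptions: aws_iam_role.karpenter is the Karpenter controller role, and
# local.partition is derived from the current AWS partition as shown here.

data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}

locals {
  partition = data.aws_partition.current.partition
}

data "aws_iam_policy_document" "karpenter_snapshot" {
  statement {
    sid     = "AllowRunInstancesFromSnapshot"
    effect  = "Allow"
    actions = ["ec2:RunInstances"]

    # EBS snapshot ARNs carry no account ID, so the account field stays empty
    # (compare the "resource" value in the simulation output above).
    resources = ["arn:${local.partition}:ec2:*::snapshot/*"]

    # Least-privilege tightening: restrict to snapshots owned by this account.
    # ec2:Owner is one of the condition keys present in the simulation context.
    condition {
      test     = "StringEquals"
      variable = "ec2:Owner"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role_policy" "karpenter_snapshot" {
  name   = "KarpenterSnapshotAccess"
  role   = aws_iam_role.karpenter.id
  policy = data.aws_iam_policy_document.karpenter_snapshot.json
}
```

The `ec2:Owner` condition is optional; drop it if the snapshots are shared from another account, since the simulation would then fail on the condition rather than on the resource match.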

@bryantbiggs
Member

closed in #2649

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 10, 2023