From d6f59c4c7f9c6c69c88ead493910be872bdd9fc3 Mon Sep 17 00:00:00 2001
From: Sean Rankine
Date: Mon, 8 Jul 2024 15:18:56 +0100
Subject: [PATCH] Add pull-through ECR permissions for EKS nodes

This replaces the AWS managed policy with a custom policy that contains the same permissions plus an additional "BatchImportUpstreamImage" permission. This allows the nodes to pull-through from ghcr.io if images are missing.
---
 .../cluster-infrastructure/main.tf | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/terraform/deployments/cluster-infrastructure/main.tf b/terraform/deployments/cluster-infrastructure/main.tf
index c9c8e2467..22ba83b90 100644
--- a/terraform/deployments/cluster-infrastructure/main.tf
+++ b/terraform/deployments/cluster-infrastructure/main.tf
@@ -113,12 +113,41 @@ resource "aws_iam_role" "node" {
 force_detach_policies = true
 }
 
+data "aws_iam_policy_document" "pull_from_ecr" {
+ statement {
+ actions = [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:ListImages",
+ "ecr:DescribeImages",
+ "ecr:BatchGetImage",
+ "ecr:BatchImportUpstreamImage",
+ "ecr:GetLifecyclePolicy",
+ "ecr:GetLifecyclePolicyPreview",
+ "ecr:ListTagsForResource",
+ "ecr:DescribeImageScanFindings"
+ ]
+
+ effect = "Allow"
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "pull_from_ecr" {
+ name = "pull-from-ecr"
+ description = "Policy to allows EKS to pull images from ECR"
+ policy = data.aws_iam_policy_document.pull_from_ecr.json
+}
+
 resource "aws_iam_role_policy_attachment" "node" {
 for_each = toset([
 "AmazonEKSWorkerNodePolicy",
- "AmazonEC2ContainerRegistryReadOnly",
 "AmazonEKS_CNI_Policy",
 "AmazonSSMManagedInstanceCore",
+ aws_iam_policy.pull_from_ecr.name,
 ])
 policy_arn = "arn:aws:iam::aws:policy/${each.key}"
 role = aws_iam_role.node.name
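Review bot: The new `aws_iam_policy.pull_from_ecr.name` entry in the `for_each` set is interpolated into `policy_arn = "arn:aws:iam::aws:policy/${each.key}"`, which is the namespace for AWS-managed policies; a customer-managed policy lives under the account ID, so the resulting ARN does not exist and the attachment will fail at apply, leaving the nodes without any ECR pull permission once `AmazonEC2ContainerRegistryReadOnly` is removed. Drop that line from the set and attach the policy through its own resource using `aws_iam_policy.pull_from_ecr.arn`, as sketched below. The single statement also grants every action on `resources = ["*"]`; only `ecr:GetAuthorizationToken` needs `*`, so a second statement could scope the repository-level actions, including `ecr:BatchImportUpstreamImage`, to the pull-through-cache repository ARNs. If the cache repository itself does not exist on first pull, `ecr:CreateRepository` is probably required as well — verify against the AWS pull-through-cache documentation. The `description` also has a typo: `description = "Policy to allow EKS to pull images from ECR"`.
```hcl
# … unchanged: aws_iam_role_policy_attachment "node" without the pull_from_ecr entry in its for_each set …

resource "aws_iam_role_policy_attachment" "node_pull_from_ecr" {
  policy_arn = aws_iam_policy.pull_from_ecr.arn
  role       = aws_iam_role.node.name
}
```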