✨ Support setting role path and permissions boundary on managed IAM roles

[robinkb]

What type of PR is this?

/kind feature

What this PR does / why we need it:

Allows setting the role path and permissions boundary on managed IAM roles for EKS control plane, EKS Fargate profile, and managed machine pools. This is typically needed in enterprise environments with more stringent IAM requirements.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

Fixes #5285

Special notes for your reviewer:

This is my first PR on this repository. I noticed a warning when generating code, and I wasn't sure if this needed to be fixed:

E0116 12:53:58.750053   55614 conversion.go:744] Warning: could not find nor generate a final Conversion function for sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta2.FargateProfileSpec -> sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta1.FargateProfileSpec
E0116 12:53:58.750274   55614 conversion.go:745]   the following fields need manual conversion:
E0116 12:53:58.750281   55614 conversion.go:747]       - RolePath
E0116 12:53:58.750286   55614 conversion.go:747]       - RolePermissionsBoundary

Checklist:

• squashed commits
• includes documentation
• includes emojis
• adds unit tests
• adds or updates e2e tests

Release note:

Support setting role path and permissions boundary on managed IAM roles

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: robinkb / name: Robin Ketelbuters (5254562)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dlipovetsky for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @robinkb. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[pavansokkenagaraj]

@robinkb PermissionsBoundary are required for CloudFormation template rendering for creating roles and permissions.
https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/main/cmd/clusterawsadm/cloudformation/bootstrap/template.go#L139-L160

[robinkb]

Hi @pavansokkenagaraj, thanks for the feedback.

I've amended my commit. However, I see more roles generated in the template:
https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/main/cmd/clusterawsadm/cloudformation/bootstrap/template.go#L183-L208

Do these need to be changed, too? I didn't use the bootstrap proces, so I'm not really familiar with how it works.

[robinkb]

We are in the process of testing this on our own environment now. The most recent update includes some shenanigans around pointers. I'm not sure which way I am expected to handle them, as the codebase is inconsistent. The Spec for AWSManagedControlPlane uses pointers to strings for optional values, while the Spec for AWSFargateProfile does not, for example.

[richardcase]

/ok-to-test

[richardcase]

The new fields only need to go into the latest API version (i.e. v1beta1). These can be removed.

But what this means is that the conversions need to be updated so that values for these new fields are restored when roundtripping.

A bit like we do here: https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/main/api/v1beta1/awscluster_conversion.go#L27

[robinkb]

I managed to update the conversions for the other types, but I am confused as to why I need to implement conversion for this type in particular? The bootstrap API is only for a local configuration file, right? It's not stored in etcd?

There is no conversion in place for it today. If I do need to implement conversion for it, then sure, I will do that. But I will require help, because the test is spitting out vague errors that I can make neither heads nor tails out of.

[richardcase]

I managed to update the conversions for the other types, but I am confused as to why I need to implement conversion for this type in particular? The bootstrap API is only for a local configuration file, right? It's not stored in etcd?

Normally for any Kubernetes API there is a test that does roundtrip conversion. But actually looking at this API we don't have those tests. With is great. So no need to worry about the conversion. I wonder if it is worth adding conversion functions at some point in the future.

The new field(s) still only need to go into the latest API version.

[richardcase]

Could you add the "optional" kubebuilder comment?

[richardcase]

Same comment about optional.

[richardcase]

We don't need these in this API version (see previous comment).

[k8s-ci-robot]

@robinkb: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-aws-test	5254562	link	true	/test pull-cluster-api-provider-aws-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[pavansokkenagaraj]

@robinkb

Do these need to be changed, too? I didn't use the bootstrap proces, so I'm not really familiar with how it works.

Yes, roles/permissions which are created in template function for eks need to be updated.

ref: - https://github.com/pavansokkenagaraj/cluster-api-provider-aws/blob/c518150b3a4aeabb38cab546d8a89988307cd053/cmd/clusterawsadm/cloudformation/bootstrap/template.go#L201-L238

The other thing I had to do was to set the permissionsBoundary if it is not nil/empty
if permissionsBoundary is empty, AWS IAM role creation returns an err expecting permissionsBoundary to be length of greater than 0(This needs some testing)

https://github.com/pavansokkenagaraj/cluster-api-provider-aws/blob/c518150b3a4aeabb38cab546d8a89988307cd053/pkg/cloud/services/eks/iam/iam.go#L190-L203

[robinkb]

@pavansokkenagaraj Thanks for the testing, I will get that fixed.

Regarding the failing apidiff: How do we handle that? I don't see how I could fix this issue without breaking the API of that particular package, unless we want to add a whole other function.

[richardcase]

@robinkb - we don't need to worry about the apidiff if its outside an api directory. The project doesn't provider guarantees for the exported API types outside of the APIs.

[richardcase]

/override pull-cluster-api-provider-aws-apidiff-main

[k8s-ci-robot]

@richardcase: Overrode contexts on behalf of richardcase: pull-cluster-api-provider-aws-apidiff-main

In response to this:

/override pull-cluster-api-provider-aws-apidiff-main

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.