Fix missing permission setup for IPv6 cluster

[guessi]

Description

While useDefaultPodIdentityAssociations: true set, eksctl will only attached AmazonEKS_CNI_Policy to the IAM role for the CNI, however AmazonEKS_CNI_Policy is not designed for IPv6 cluster (missing ec2:AssignIpv6Addresses permission). Ref: IAM requirements for IPv6 cluster.

Additionally, to support IPv6 cluster, the ClusterConfig need to configure vpc-cni with IRSA mode but not PodIdentity, since the current design, attachPolicy association currently not compatible with useDefaultPodIdentityAssociations: true.

Error: cannot specify serviceAccountRoleARN, wellKnownPolicies, attachPolicy or attachPolicyARNs when addon.useDefaultPodIdentityAssociations is set (addon: vpc-cni)

The PR here attempts to do a quick fix of IPv6 cluster with simplest way, the doc fix only.

To made attachPolicy works with useDefaultPodIdentityAssociations: true may requires tons of code work, so, let's first keep it simple with doc changes only.

Before Fix:

After Fix:

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the userdocs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes
• (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[naclonts]

Thanks for the CR and issue report! The functionality looks good -- tested on my machine and it seems to be working great. Just left a couple small suggestions/questions on the docs.

[naclonts]

Are the other policies required as well? The comment makes it sound a bit like "ec2:AssignIpv6Addresses" might be the only required action.

[guessi]

No, I have traced the code, IPv4/IPv4 have different IAM policy set, so they are completely different. For example, IPv6 mode does not required AssignIPv4/UnadsignIPv4 permission (and by current design, it doesn't need UnassignIPv6 as well).

[guessi]

Just search around the code once again, I found it already had makeIPv6VPCCNIPolicyDocument()...

Umm... 🤔

eksctl/pkg/actions/addon/create.go

Lines 474 to 498 in fbfeda6

	func makeIPv6VPCCNIPolicyDocument(partition string) map[string]interface{} {
	return map[string]interface{}{
	"Version": "2012-10-17",
	"Statement": []map[string]interface{}{
	{
	"Effect": "Allow",
	"Action": []string{
	"ec2:AssignIpv6Addresses",
	"ec2:DescribeInstances",
	"ec2:DescribeTags",
	"ec2:DescribeNetworkInterfaces",
	"ec2:DescribeInstanceTypes",
	},
	"Resource": "*",
	},
	{
	"Effect": "Allow",
	"Action": []string{
	"ec2:CreateTags",
	},
	"Resource": fmt.Sprintf("arn:%s:ec2:*:*:network-interface/*", partition),
	},
	},
	}
	}

[guessi]

Maybe it's a logic error so that makeIPv6VPCCNIPolicyDocument() not being called?

[naclonts]

Interesting -- looks like that's only applied if the cluster config has either autoApplyPodIdentityAssociations or useDefaultPodIdentityAssociations set (code).

Here are the docs:

EKS Add-ons also support receiving IAM permissions via EKS Pod Identity Associations. The config file exposes three fields that allow configuring these: addon.podIdentityAssociations, addonsConfig.autoApplyPodIdentityAssociations and addon.useDefaultPodIdentityAssociations. You can either explicitly configure the desired pod identity associations, using addon.podIdentityAssociations, or have eksctl automatically resolve (and apply) the recommended pod identity configuration, using either addonsConfig.autoApplyPodIdentityAssociations or addon.useDefaultPodIdentityAssociations.

That being said, I think your docs change is still correct -- the example you're changing is for a cluster with IPv6, and not using pod identity, right?

We could also change the code logic to auto-apply these permissions, but I think updating the docs here is good for now

[guessi]

Yes, should be still valid ClusterConfig.

Actually, I've created an issue before the PR here. Maybe we could track issue there, and merge the PR here first ( to avoid incoming issue report for the missing permission issue ).

[guessi]

Prefer to have another PR to fix the code logic issue, as it might need more test cases for CloudFormation Template generate.

[naclonts]

Sounds good! I'll go ahead and approve/merge this PR then. Thanks for the contribution!