To provide basic functionality over your Kubernetes cluster, we often need to configure Addons (usually in the form of Helm charts).
Understanding which permissions are required for the Helm charts is cruicial. Too many permissions, and you open yourself up to a breach if the service account is compromised. Too little, and you will run into runtime issues.
Documentation around required permissions for each addon are often limited, and we have to scour google to find the best permissions.
AWS EKS Blueprints
EKS Blueprints is an official repository managed by AWS, to provision EKS clusters using AWS CDK.
The repository contains a lib/addon directory. Each addon defines required permissions for it to function.
The policies are nested inside some functions, but they're simple enough to understand and copy.
For example -
- LB Controller Policy - Allows provisioning of load balancers.
- EBS CSI Driver Policy - Allows creating EBS volumes on your cluster.
- EFS CSI Driver Policy - Allows creating EFS volumes on your cluster.
We can further refine the search of all available policies by using GitHub search filters. The following filter will find all files containing polic in the lib/addons folder:
repo:aws-quickstart/cdk-eks-blueprints path:/^lib\/addons\// path:*polic*.ts
How to use
I do not recommend using the blueprints directly for serious environments
- The code is overly complex, and a lot of it is auto-generated.
- Addons should be managed using GitOps in production clusters, not AWS CDK.
If you're unsure about permissions for a specific addon, you can look at the EKS blueprints to help you figure them out. This is not a catch-all solution, but it may help you define fine grained permissions for your addons.
You can take these permissions, and copy them to your Terraform / Pulumi / AWS CDK code, and reference the blueprints.
Useful links
- Addon is a helm chart that adds functionality to your cluster ()
- EKS is the managed Kubernetes solution on AWS
- IAM is the security engine for creating users, roles and policies.