IAM policies¶
Supported IAM add-on policies¶
Example of all supported add-on policies:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | nodeGroups: - name: ng-1 instanceType: m5.xlarge desiredCapacity: 1 iam: withAddonPolicies: imageBuilder: true autoScaler: true externalDNS: true certManager: true appMesh: true ebs: true fsx: true efs: true albIngress: true xRay: true cloudWatch: true |
Image Builder Policy¶
The imageBuilder policy allows for full ECR (Elastic Container Registry) access. This is useful for building, for
example, a CI server that needs to push images to ECR.
EBS Policy¶
The ebs policy enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver.
Adding a custom instance role¶
This example creates a nodegroup that reuses an existing IAM Instance Role from another cluster:
1 2 3 4 5 6 7 8 9 10 11 12 13 | apiVersion: eksctl.io/v1alpha4 kind: ClusterConfig metadata: name: test-cluster-c-1 region: eu-north-1 nodeGroups: - name: ng2-private instanceType: m5.large desiredCapacity: 1 iam: instanceProfileARN: "arn:aws:iam::123:instance-profile/eksctl-test-cluster-a-3-nodegroup-ng2-private-NodeInstanceProfile-Y4YKHLNINMXC" instanceRoleARN: "arn:aws:iam::123:role/eksctl-test-cluster-a-3-nodegroup-NodeInstanceRole-DNGMQTQHQHBJ" |
Attaching policies by ARN¶
1 2 3 4 5 6 7 8 9 10 11 | nodeGroups: - name: my-special-nodegroup iam: attachPolicyARNs: - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy - arn:aws:iam::aws:policy/ElasticLoadBalancingFullAccess - arn:aws:iam::1111111111:policy/kube2iam withAddonPolicies: autoScaler: true imageBuilder: true |
Warning
If a nodegroup includes the attachPolicyARNs it must also include the default node policies, like AmazonEKSWorkerNodePolicy and AmazonEKS_CNI_Policy in this example.