Support setting role path and permissions boundary for EKS control pl…

…ane, EKS fargate profile, and managed machine pools

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -2913,6 +2913,30 @@ spec:
                   and no name is supplied then a role is created.
                 minLength: 2
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               secondaryCidrBlock:
                 description: |-
                   SecondaryCidrBlock is the additional CIDR range to use for pod IPs.

config/crd/bases/infrastructure.cluster.x-k8s.io_awsfargateprofiles.yaml

@@ -264,6 +264,30 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               selectors:
                 description: Selectors specify fargate pod selectors.
                 items:

config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml

@@ -921,6 +921,30 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               scaling:
                 description: Scaling specifies scaling for the ASG behind this pool
                 properties:

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go

@@ -88,6 +88,28 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	RoleAdditionalPolicies *[]string `json:"roleAdditionalPolicies,omitempty"`
 
+	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+	// in the IAM User Guide.
+	//
+	// This parameter is optional. If it is not included, it defaults to a slash
+	// (/).
+	RolePath *string `json:"rolePath,omitempty"`
+
+	// RolePermissionsBoundary sets the ARN of the managed policy that is used
+	// to set the permissions boundary for the role.
+	//
+	// A permissions boundary policy defines the maximum permissions that identity-based
+	// policies can grant to an entity, but does not grant permissions. Permissions
+	// boundaries do not define the maximum permissions that a resource-based policy
+	// can grant to an entity. To learn more, see Permissions boundaries for IAM
+	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+	// in the IAM User Guide.
+	//
+	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+	// in the IAM User Guide.
+	RolePermissionsBoundary *string `json:"rolePermissionsBoundary,omitempty"`
+
 	// Logging specifies which EKS Cluster logs should be enabled. Entries for
 	// each of the enabled logs will be sent to CloudWatch
 	// +optional

exp/api/v1beta2/awsfargateprofile_types.go

@@ -60,6 +60,28 @@ type FargateProfileSpec struct {
 	// +optional
 	RoleName string `json:"roleName,omitempty"`
 
+	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+	// in the IAM User Guide.
+	//
+	// This parameter is optional. If it is not included, it defaults to a slash
+	// (/).
+	RolePath string `json:"rolePath,omitempty"`
+
+	// RolePermissionsBoundary sets the ARN of the managed policy that is used
+	// to set the permissions boundary for the role.
+	//
+	// A permissions boundary policy defines the maximum permissions that identity-based
+	// policies can grant to an entity, but does not grant permissions. Permissions
+	// boundaries do not define the maximum permissions that a resource-based policy
+	// can grant to an entity. To learn more, see Permissions boundaries for IAM
+	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+	// in the IAM User Guide.
+	//
+	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+	// in the IAM User Guide.
+	RolePermissionsBoundary string `json:"rolePermissionsBoundary,omitempty"`
+
 	// Selectors specify fargate pod selectors.
 	Selectors []FargateSelector `json:"selectors,omitempty"`
 }

exp/api/v1beta2/awsmanagedmachinepool_types.go

@@ -100,6 +100,28 @@ type AWSManagedMachinePoolSpec struct {
 	// +optional
 	RoleName string `json:"roleName,omitempty"`
 
+	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+	// in the IAM User Guide.
+	//
+	// This parameter is optional. If it is not included, it defaults to a slash
+	// (/).
+	RolePath string `json:"rolePath,omitempty"`
+
+	// RolePermissionsBoundary sets the ARN of the managed policy that is used
+	// to set the permissions boundary for the role.
+	//
+	// A permissions boundary policy defines the maximum permissions that identity-based
+	// policies can grant to an entity, but does not grant permissions. Permissions
+	// boundaries do not define the maximum permissions that a resource-based policy
+	// can grant to an entity. To learn more, see Permissions boundaries for IAM
+	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+	// in the IAM User Guide.
+	//
+	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+	// in the IAM User Guide.
+	RolePermissionsBoundary string `json:"rolePermissionsBoundary,omitempty"`
+
 	// AMIVersion defines the desired AMI release version. If no version number
 	// is supplied then the latest version for the Kubernetes version
 	// will be used

pkg/cloud/services/eks/iam/iam.go

@@ -190,6 +190,8 @@ func (s *IAMService) CreateRole(
 	key string,
 	trustRelationship *iamv1.PolicyDocument,
 	additionalTags infrav1.Tags,
+	path string,
+	permissionsBoundary string,
 ) (*iam.Role, error) {
 	tags := RoleTags(key, additionalTags)
 
@@ -202,6 +204,8 @@ func (s *IAMService) CreateRole(
 		RoleName:                 aws.String(roleName),
 		Tags:                     tags,
 		AssumeRolePolicyDocument: aws.String(trustRelationshipJSON),
+		Path:                     aws.String(path),
+		PermissionsBoundary:      aws.String(permissionsBoundary),
 	}
 
 	out, err := s.IAMClient.CreateRole(input)

pkg/cloud/services/eks/roles.go

@@ -95,7 +95,7 @@ func (s *Service) reconcileControlPlaneIAMRole() error {
 			return fmt.Errorf("getting role %s: %w", *s.scope.ControlPlane.Spec.RoleName, ErrClusterRoleNotFound)
 		}
 
-		role, err = s.CreateRole(*s.scope.ControlPlane.Spec.RoleName, s.scope.Name(), eksiam.ControlPlaneTrustRelationship(false), s.scope.AdditionalTags())
+		role, err = s.CreateRole(*s.scope.ControlPlane.Spec.RoleName, s.scope.Name(), eksiam.ControlPlaneTrustRelationship(false), s.scope.AdditionalTags(), *s.scope.ControlPlane.Spec.RolePath, *s.scope.ControlPlane.Spec.RolePermissionsBoundary)
 		if err != nil {
 			record.Warnf(s.scope.ControlPlane, "FailedIAMRoleCreation", "Failed to create control plane IAM role %q: %v", *s.scope.ControlPlane.Spec.RoleName, err)
 
@@ -204,7 +204,7 @@ func (s *NodegroupService) reconcileNodegroupIAMRole() error {
 			return ErrNodegroupRoleNotFound
 		}
 
-		role, err = s.CreateRole(s.scope.ManagedMachinePool.Spec.RoleName, s.scope.ClusterName(), eksiam.NodegroupTrustRelationship(), s.scope.AdditionalTags())
+		role, err = s.CreateRole(s.scope.ManagedMachinePool.Spec.RoleName, s.scope.ClusterName(), eksiam.NodegroupTrustRelationship(), s.scope.AdditionalTags(), s.scope.ManagedMachinePool.Spec.RolePath, s.scope.ManagedMachinePool.Spec.RolePermissionsBoundary)
 		if err != nil {
 			record.Warnf(s.scope.ManagedMachinePool, "FailedIAMRoleCreation", "Failed to create nodegroup IAM role %q: %v", s.scope.RoleName(), err)
 			return err
@@ -329,7 +329,7 @@ func (s *FargateService) reconcileFargateIAMRole() (requeue bool, err error) {
 		}
 
 		createdRole = true
-		role, err = s.CreateRole(s.scope.RoleName(), s.scope.ClusterName(), eksiam.FargateTrustRelationship(), s.scope.AdditionalTags())
+		role, err = s.CreateRole(s.scope.RoleName(), s.scope.ClusterName(), eksiam.FargateTrustRelationship(), s.scope.AdditionalTags(), s.scope.FargateProfile.Spec.RolePath, s.scope.FargateProfile.Spec.RolePermissionsBoundary)
 		if err != nil {
 			record.Warnf(s.scope.FargateProfile, "FailedIAMRoleCreation", "Failed to create fargate IAM role %q: %v", s.scope.RoleName(), err)
 			return false, errors.Wrap(err, "failed to create role")