[Feature] Request for improvements to IAM policies set from the nodeGroups.iam.withAddonPolicies.efs parameter #7138
Labels: area/aws-iam, kind/improvement, priority/important-longterm (important over the long term, but may not be currently staffed and/or may require multiple releases)
What feature/behavior/change do you want?
I want to improve the permissions that are set by the nodeGroups.iam.withAddonPolicies.efs parameter.
Specifically, isn't it possible to have the same permissions as AmazonEFSCSIDriverPolicy?
If not, I want to know why the current permissions are needed.
Why do you want this feature?
This is to further minimize unnecessary permissions and make it more secure.
I understand that the nodeGroups.iam.withAddonPolicies.efs parameter is a setting for the IAM policy used by the EFS CSI driver add-on, like the one for the EBS CSI driver.
IAM policies - eksctl
Currently, when the parameter is set to true, the following policies are attached to the node's IAM role:
- eksctl/pkg/cfn/builder/iam_helper.go, lines 136 to 139 in 268db7b
- eksctl/pkg/cfn/builder/statement.go, lines 578 to 605 in 268db7b
These permissions are powerful compared to the AmazonEFSCSIDriverPolicy.
For example, other pods on the node can use the elasticfilesystem:DeleteFileSystem permission when the parameter is true.
I am opening this issue on behalf of our customer.
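The weak setting described above beside a tighter alternative, as an added example that is not part of the issue or of eksctl's documentation: instead of granting EFS permissions to the whole node role via withAddonPolicies.efs, the EFS CSI driver's controller gets its own IAM role through an IAM role for service accounts (IRSA) scoped to the managed AmazonEFSCSIDriverPolicy. The cluster name, region, nodegroup name and the service account name efs-csi-controller-sa are assumptions; adjust them to your deployment.

```yaml
# Added example; not from the issue or from eksctl itself.
# Assumed values: cluster "demo", region "us-west-2", nodegroup "ng-1",
# and the controller service account "efs-csi-controller-sa".
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: demo
  region: us-west-2

# Weak setting (kept here only for comparison, hence commented out):
# every pod scheduled on the nodegroup can use the node's instance role,
# including broad EFS actions such as elasticfilesystem:DeleteFileSystem.
#
# nodeGroups:
#   - name: ng-1
#     iam:
#       withAddonPolicies:
#         efs: true

# Tighter setting: the node role carries no EFS permissions, and only the
# driver's controller pod (via its service account) can call EFS, limited
# to what the managed AmazonEFSCSIDriverPolicy allows.
iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: efs-csi-controller-sa
        namespace: kube-system
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy

nodeGroups:
  - name: ng-1
    instanceType: m5.large
    desiredCapacity: 2
    # No iam.withAddonPolicies.efs here: unrelated pods on these nodes
    # cannot reuse EFS permissions from the node role.
```

When installing the driver afterwards, point its controller at the existing efs-csi-controller-sa service account rather than letting the installer create a new one, otherwise the pod runs without the IRSA role.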