From df81750d00c2ad535436773c8f1fd83a30e502a8 Mon Sep 17 00:00:00 2001
From: Sienna Satterwhite
Date: Wed, 22 May 2024 20:45:27 -0600
Subject: [PATCH] fixed iam permissions for karpenter

Signed-off-by: Sienna Satterwhite
---
 pkg/cfn/builder/karpenter.go      | 17 ++++++++++++++---
 pkg/cfn/builder/karpenter_test.go | 15 +++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/pkg/cfn/builder/karpenter.go b/pkg/cfn/builder/karpenter.go
index dc1ac5c3fb..5a42218aba 100644
--- a/pkg/cfn/builder/karpenter.go
+++ b/pkg/cfn/builder/karpenter.go
@@ -49,9 +49,15 @@ const (
 	ec2DescribeImages           = "ec2:DescribeImages"
 	ec2DescribeSpotPriceHistory = "ec2:DescribeSpotPriceHistory"
 	// IAM
-	iamPassRole                = "iam:PassRole"
-	iamCreateServiceLinkedRole = "iam:CreateServiceLinkedRole"
-	ssmGetParameter            = "ssm:GetParameter"
+	iamPassRole                 = "iam:PassRole"
+	iamCreateServiceLinkedRole  = "iam:CreateServiceLinkedRole"
+	iamGetInstanceProfile       = "iam:GetInstanceProfile"
+	iamCreateInstanceProfile    = "iam:CreateInstanceProfile"
+	iamDeleteInstanceProfile    = "iam:DeleteInstanceProfile"
+	iamTagInstanceProfile       = "iam:TagInstanceProfile"
+	iamAddRoleToInstanceProfile = "iam:AddRoleToInstanceProfile"
+	// SSM
+	ssmGetParameter = "ssm:GetParameter"
 	// Pricing
 	pricingGetProducts = "pricing:GetProducts"
 	// SQS
@@ -165,6 +171,11 @@ func (k *KarpenterResourceSet) addResourcesForKarpenter() error {
 			ec2DescribeSpotPriceHistory,
 			iamPassRole,
 			iamCreateServiceLinkedRole,
+			iamGetInstanceProfile,
+			iamCreateInstanceProfile,
+			iamDeleteInstanceProfile,
+			iamTagInstanceProfile,
+			iamAddRoleToInstanceProfile,
 			ssmGetParameter,
 			pricingGetProducts,
 		},
diff --git a/pkg/cfn/builder/karpenter_test.go b/pkg/cfn/builder/karpenter_test.go
index 11935ea3a1..39605cd7ce 100644
--- a/pkg/cfn/builder/karpenter_test.go
+++ b/pkg/cfn/builder/karpenter_test.go
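Review bot: The five instance-profile actions appended to the action list in addResourcesForKarpenter join the same statement as the ec2/ssm/pricing actions, whose `Resource` and any `Condition` sit outside the hunk; if that statement is `"Resource": "*"` with no conditions, the controller can create, re-point (`iam:AddRoleToInstanceProfile`) and delete any instance profile in the account, and together with the existing `iam:PassRole` that is a well-known escalation path rather than a Karpenter-scoped grant. Karpenter's own reference policy keeps these in separate statements keyed on the cluster tag — `aws:RequestTag/kubernetes.io/cluster/<cluster>: owned` for Create/Tag and `aws:ResourceTag/kubernetes.io/cluster/<cluster>: owned` for AddRoleTo/Delete/Tag — leaving only `iam:GetInstanceProfile` unscoped, and I would mirror that here instead of widening the shared statement. At minimum, put a comment above the new entries so the intent is recorded: `// Instance-profile lifecycle for Karpenter-managed nodes; scope to the cluster tag, not "*".`. Please also confirm that `iam:PassRole` in this template is restricted to the node role, since `iam:AddRoleToInstanceProfile` otherwise lets the controller attach any passable role to a profile it creates. addResourcesForKarpenter begins before and continues past this hunk, so the statement's resource block is not visible here.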
@@ -125,6 +125,11 @@ var expectedTemplate = `{
         "ec2:DescribeSpotPriceHistory",
         "iam:PassRole",
         "iam:CreateServiceLinkedRole",
+        "iam:GetInstanceProfile",
+        "iam:CreateInstanceProfile",
+        "iam:DeleteInstanceProfile",
+        "iam:TagInstanceProfile",
+        "iam:AddRoleToInstanceProfile",
         "ssm:GetParameter",
         "pricing:GetProducts"
       ],
@@ -262,6 +267,11 @@ var expectedTemplateWithPermissionBoundary = `{
         "ec2:DescribeSpotPriceHistory",
         "iam:PassRole",
         "iam:CreateServiceLinkedRole",
+        "iam:GetInstanceProfile",
+        "iam:CreateInstanceProfile",
+        "iam:DeleteInstanceProfile",
+        "iam:TagInstanceProfile",
+        "iam:AddRoleToInstanceProfile",
         "ssm:GetParameter",
         "pricing:GetProducts"
       ],
@@ -424,6 +434,11 @@ var expectedTemplateWithSpotInterruptionQueue = `{
         "ec2:DescribeSpotPriceHistory",
         "iam:PassRole",
         "iam:CreateServiceLinkedRole",
+        "iam:GetInstanceProfile",
+        "iam:CreateInstanceProfile",
+        "iam:DeleteInstanceProfile",
+        "iam:TagInstanceProfile",
+        "iam:AddRoleToInstanceProfile",
         "ssm:GetParameter",
         "pricing:GetProducts"
       ],