Refer to the “Access Policies” section for details of each access policy present in a TrueFoundry compute cluster.

Access Policies Overview

| Access Policy | Role | Reason |
|---|---|---|
| ELBControllerPolicy - link | `<cluster_name>-elb-controller` | Role assumed by the load balancer controller to provision an ELB when a Service of type LoadBalancer is created |
| KarpenterPolicy - link<br>SQSPolicy - link | `<cluster_name>-karpenter` | Role assumed by Karpenter to dynamically provision nodes. Karpenter has an additional role to listen to interruption events coming from SQS to safely handle spot node termination |
| EFSPolicy - link | `<cluster_name>-efs` | Role assumed by the EFS CSI driver to provision and attach EFS volumes |
| EBSPolicy - link | `<cluster_name>-csi-ebs` | Role assumed by the EBS CSI driver to provision and attach EBS volumes |
| RolePolicy -<br>- ECR - link<br>- S3 - link<br>- SSM - link | `<cluster_name>-platform-iam-role` | Role assumed by TrueFoundry to allow access to:<br>- ECR<br>- S3<br>- SSM |
| The role attaches these policies -<br>- AmazonEKSClusterPolicy - link<br>- AmazonEKSVPCResourceControllerPolicy - link<br>- EncryptionPolicy to create and manage the key for encryption (see below) | `<cluster_name>-cluster-<random_string>` | This role provides Kubernetes the permissions needed to manage the cluster. This includes permissions needed to:<br>- Manage the end-to-end lifecycle of EC2 instances used as EKS nodes<br>- Assign networking components to EC2 instances<br>- Perform encryption at rest |
| The role attaches these policies -<br>- AmazonEC2ContainerRegistryReadOnlyPolicy - link<br>- AmazonEKS_CNI_Policy - link<br>- AmazonEKSWorkerNodePolicy - link<br>- AmazonSSMManagedInstanceCorePolicy - link | `initial-eks-node-group-<random_string>` | Role assumed by EKS nodes to work with AWS resources for these purposes:<br>- Pull images from ECR<br>- Assign IPs to the EC2 instance<br>- Register itself with the cluster<br>- Perform disk encryption |

EncryptionPolicy to create and manage the key for encryption:

```json
{
    "Statement": [
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ListGrants",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:<region>:<acc_id>:key/<key_id>"
        }
    ],
    "Version": "2012-10-17"
}
```
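The EncryptionPolicy above is intentionally narrow: four `kms:` actions on one key ARN. The following added example (not part of the TrueFoundry documentation or its tooling) audits a policy document against that intended scope, so drift such as a `kms:*` action or a `*` resource introduced later is caught before deployment. The ARN values, the drifted policy and the `audit_policy` helper are constructed for this illustration.

```python
import json

# The page's EncryptionPolicy, with constructed sample values in place of the
# <region>, <acc_id> and <key_id> placeholders so the ARN is well formed.
ENCRYPTION_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ListGrants", "kms:DescribeKey"],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
    }
  ],
  "Version": "2012-10-17"
}
""")

# Constructed example of the same policy after careless editing: wildcard
# action and unscoped resource, which is what the audit should flag.
DRIFTED_POLICY = {
    "Statement": [{"Action": "kms:*", "Effect": "Allow", "Resource": "*"}],
    "Version": "2012-10-17",
}

# The only actions the page says this policy should grant.
EXPECTED_KMS_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ListGrants", "kms:DescribeKey"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, allowed_actions):
    """Return findings for Allow statements that exceed the intended scope.

    Flags wildcard actions, actions outside the allowlist, and any resource
    that is not a single KMS key ARN (wildcards or account/region-wide scope).
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: unexpected action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource or ":key/" not in resource:
                findings.append(f"statement {i}: resource not scoped to one KMS key: {resource!r}")
    return findings
```

Running `audit_policy(ENCRYPTION_POLICY, EXPECTED_KMS_ACTIONS)` returns no findings, while the drifted copy yields one finding for the action and one for the resource.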