Architecture

This guide describes the architecture of a compute plane in your AWS account and the IAM access policies that TrueFoundry creates in it.

Refer to the "Access Policies Overview" section below for details of each access policy present in a TrueFoundry compute plane.

Access Policies Overview

Each entry below lists one IAM role created in the compute plane, the access policies attached to it, and the reason the role exists. <cluster_name> is the name of the cluster and <random_string> is a random suffix.

Role: <cluster_name>-elb-controller
Access policies: ELBControllerPolicy
Reason: Assumed by the load balancer controller to provision an ELB when a Kubernetes Service of type LoadBalancer is created.

Role: <cluster_name>-karpenter
Access policies: KarpenterPolicy, SQSPolicy
Reason: Assumed by Karpenter to provision nodes dynamically. SQSPolicy is the additional grant that lets Karpenter read interruption events from SQS so that spot node termination is handled safely.

Role: <cluster_name>-efs
Access policies: EFSPolicy
Reason: Assumed by the EFS CSI driver to provision and attach EFS volumes.

Role: <cluster_name>-csi-ebs
Access policies: EBSPolicy
Reason: Assumed by the EBS CSI driver to provision and attach EBS volumes.

Role: <cluster_name>-platform-iam-role
Access policies: RolePolicy
Reason: Assumed by TrueFoundry to access ECR, S3 and SSM.

Role: <cluster_name>-cluster-<random_string>
Access policies: AmazonEKSClusterPolicy, AmazonEKSVPCResourceControllerPolicy, and an inline EncryptionPolicy for the key used for encryption. Note that this policy grants use of an existing KMS key (encrypt, decrypt and read-only key metadata), scoped to a single key ARN, and not the ability to create or administer keys:

```json
{
    "Statement": [
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ListGrants",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:<region>:<acc_id>:key/<key_id>"
        }
    ],
    "Version": "2012-10-17"
}
```

Reason: The EKS cluster role. It gives the Kubernetes control plane the permissions needed to manage the cluster, which includes permissions to

  • manage the end-to-end lifecycle of the EC2 instances used as EKS nodes
  • assign networking components to those EC2 instances
  • perform encryption at rest

Role: initial-eks-node-group-<random_string>
Access policies: AmazonEC2ContainerRegistryReadOnlyPolicy, AmazonEKS_CNI_Policy, AmazonEKSWorkerNodePolicy, AmazonSSMManagedInstanceCorePolicy
Reason: Assumed by the EKS nodes (the instance role of the node group) to work with AWS resources for these purposes:

  • pull images from ECR
  • assign IPs to the EC2 instance
  • register the node with the cluster
  • perform disk encryption
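The role-to-policy mapping above is a least-privilege baseline, and it can drift once the account is in use (an operator attaches AdministratorAccess to the node role "temporarily", or a policy is detached during an upgrade). The following is an added example, not TrueFoundry's own tooling, of auditing a compute plane against the table: it diffs each role's attached policies against the expected set and checks that the EncryptionPolicy stays pinned to one key ARN with key-use actions only. The inventory is constructed to resemble what `aws iam list-attached-role-policies` would return, with two deliberate drifts injected; cluster name, suffix, region, account id and key id are placeholders.

```python
"""Audit a compute plane's IAM roles against the policy table above.

Added example, not TrueFoundry's own tooling. The role and policy names are the
ones the page lists; the inventory is CONSTRUCTED to look like the result of
`aws iam list-attached-role-policies` for each role, with two deliberate drifts
(an extra AdministratorAccess attachment and a missing EBSPolicy) so the checks
have something to report. Cluster name, suffix, region, account and key id are
placeholders.
"""

CLUSTER, SUFFIX = "demo", "a1b2c3"            # stand in for <cluster_name>, <random_string>
REGION, ACCOUNT = "us-east-1", "123456789012"  # stand in for <region>, <acc_id>
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Role -> policies it should carry, exactly as the table above states.
EXPECTED = {
    f"{CLUSTER}-elb-controller": {"ELBControllerPolicy"},
    f"{CLUSTER}-karpenter": {"KarpenterPolicy", "SQSPolicy"},
    f"{CLUSTER}-efs": {"EFSPolicy"},
    f"{CLUSTER}-csi-ebs": {"EBSPolicy"},
    f"{CLUSTER}-platform-iam-role": {"RolePolicy"},
    f"{CLUSTER}-cluster-{SUFFIX}": {"AmazonEKSClusterPolicy",
                                    "AmazonEKSVPCResourceControllerPolicy",
                                    "EncryptionPolicy"},
    f"initial-eks-node-group-{SUFFIX}": {"AmazonEC2ContainerRegistryReadOnlyPolicy",
                                         "AmazonEKS_CNI_Policy",
                                         "AmazonEKSWorkerNodePolicy",
                                         "AmazonSSMManagedInstanceCorePolicy"},
}

# Constructed inventory, i.e. what the account actually has attached.
INVENTORY = {role: set(policies) for role, policies in EXPECTED.items()}
INVENTORY[f"initial-eks-node-group-{SUFFIX}"].add("AdministratorAccess")  # drift: extra policy
INVENTORY[f"{CLUSTER}-csi-ebs"].remove("EBSPolicy")                        # drift: missing policy

# The page's EncryptionPolicy with the placeholders filled in.
ENCRYPTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ListGrants", "kms:DescribeKey"],
        "Resource": KEY_ARN,
    }],
}

# Constructed counter-example: an over-permissive variant of the same policy.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}],
}

KMS_USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ListGrants", "kms:DescribeKey"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def attachment_drift(expected, inventory):
    """Return {role: (missing, unexpected)} for every role that deviates from the table."""
    drift = {}
    for role, wanted in expected.items():
        present = inventory.get(role, set())
        missing, unexpected = wanted - present, present - wanted
        if missing or unexpected:
            drift[role] = (missing, unexpected)
    return drift


def encryption_policy_findings(policy, key_arn, allowed_actions=KMS_USE_ACTIONS):
    """Flag Allow statements that go beyond key *use* on the one expected key."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = set(_as_list(statement.get("Action", [])))
        resources = set(_as_list(statement.get("Resource", [])))
        extra = actions - allowed_actions
        if extra:
            findings.append(f"statement {index}: actions beyond key use: {sorted(extra)}")
        if "*" in resources:
            findings.append(f"statement {index}: Resource is '*', policy is not pinned to one key")
        elif resources != {key_arn}:
            findings.append(f"statement {index}: Resource is not the expected key {key_arn}")
    return findings


def audit(expected=EXPECTED, inventory=INVENTORY, policy=ENCRYPTION_POLICY, key_arn=KEY_ARN):
    """Combine both checks; an empty list means the account matches the table."""
    report = [f"{role}: missing={sorted(m)} unexpected={sorted(u)}"
              for role, (m, u) in attachment_drift(expected, inventory).items()]
    report += encryption_policy_findings(policy, key_arn)
    return report


if __name__ == "__main__":
    for line in audit():
        print(line)
    print("broad policy:", encryption_policy_findings(BROAD_POLICY, KEY_ARN))
```

To run this against a real account, replace INVENTORY with the output of `aws iam list-attached-role-policies --role-name <role>` (and `list-role-policies` for inline policies) for each role named in the table, and feed `get-role-policy` output for EncryptionPolicy into `encryption_policy_findings`.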
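Every entry above says which component a role is "assumed by", but the thing that actually enforces that is the role's trust policy. The following is an added example, not TrueFoundry code, and it assumes something the page does not state: that controller roles such as <cluster_name>-elb-controller are bound to their Kubernetes service accounts with IAM Roles for Service Accounts (IRSA), so the trust policy allows sts:AssumeRoleWithWebIdentity from the cluster's OIDC provider conditioned on the token's `sub` and `aud` claims. The OIDC provider id, account id, namespace and service-account names are constructed, and `can_assume` is a reduced model of the STS condition check (StringEquals and StringLike only). It shows the failure mode worth checking for: a trust policy that conditions on `aud` alone is assumable by every pod in the cluster, because any pod can request a projected service-account token with audience sts.amazonaws.com.

```python
"""Who can assume a compute-plane role? A trust-policy check for IRSA-bound roles.

Added example, not TrueFoundry code. ASSUMES (the page does not say) that the
roles are bound to Kubernetes service accounts via IRSA: the trust policy allows
sts:AssumeRoleWithWebIdentity from the cluster's OIDC provider, conditioned on
the token's `sub` and `aud` claims. OIDC provider id, account id, namespace and
service-account names are constructed. `can_assume` models only the
StringEquals / StringLike operators, which is enough to show why a trust policy
that conditions on `aud` alone is open to every pod in the cluster.
"""
import re

ACCOUNT = "123456789012"                                                       # constructed
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"  # constructed
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC}"
ELB_SA = "system:serviceaccount:kube-system:aws-load-balancer-controller"      # assumed namespace/SA


def trust_policy(condition):
    """Trust policy for a role such as <cluster_name>-elb-controller, IRSA style."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# Correct: pinned to one service account in one namespace.
SCOPED = trust_policy({"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com",
                                        f"{OIDC}:sub": ELB_SA}})

# Weak: audience only. Any pod can request a projected service-account token
# with audience sts.amazonaws.com, so every workload in the cluster passes.
WEAK = trust_policy({"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"}})

# Over-broad: any service account in kube-system, not just the controller's.
NAMESPACE_WIDE = trust_policy({"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"},
                               "StringLike": {f"{OIDC}:sub": "system:serviceaccount:kube-system:*"}})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _conditions_hold(condition, claims):
    """All operators and all keys must match; a missing claim never satisfies these operators."""
    for operator, tests in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {operator} not modelled here")
        for key, expected in tests.items():
            actual = claims.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not any(_string_like(p, actual) for p in _as_list(expected)):
                return False
    return True


def can_assume(policy, claims):
    """True if some Allow statement lets a web-identity token with these claims assume the role."""
    for statement in policy["Statement"]:
        if (statement.get("Effect") == "Allow"
                and "sts:AssumeRoleWithWebIdentity" in _as_list(statement.get("Action"))
                and statement.get("Principal", {}).get("Federated") == PROVIDER_ARN
                and _conditions_hold(statement.get("Condition", {}), claims)):
            return True
    return False


def token_claims(namespace, service_account, audience="sts.amazonaws.com"):
    """Claims of a projected service-account token, keyed the way IAM condition keys see them."""
    return {f"{OIDC}:aud": audience,
            f"{OIDC}:sub": f"system:serviceaccount:{namespace}:{service_account}"}


CONTROLLER = token_claims("kube-system", "aws-load-balancer-controller")
COREDNS = token_claims("kube-system", "coredns")
TENANT_POD = token_claims("default", "default")

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED), ("weak", WEAK), ("namespace-wide", NAMESPACE_WIDE)):
        print(f"{name:15} controller={can_assume(policy, CONTROLLER)} "
              f"coredns={can_assume(policy, COREDNS)} tenant={can_assume(policy, TENANT_POD)}")
```

The practical check is `aws iam get-role --role-name <cluster_name>-elb-controller --query Role.AssumeRolePolicyDocument`: the `Condition` should carry a `StringEquals` on `<oidc-provider>:sub` naming exactly one `system:serviceaccount:<namespace>:<name>`, and the same applies to the Karpenter, EFS and EBS roles.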