AWS
Architecture
This guide describes the architecture diagram and the access policies created in the compute plane in your AWS account.
Please refer to the “Access Policies” section for details of each access policy present in a TrueFoundry compute plane.
Access Policies Overview
If you are using the Terraform provided by TrueFoundry, the policies are created automatically. If you are using an existing cluster, you will need to create the policies manually.
Policy | Description |
---|---|
ELBControllerPolicy | Role assumed by the load balancer controller to provision an ELB when a Service of type LoadBalancer is created |
KarpenterPolicy and SQSPolicy | Role assumed by Karpenter to dynamically provision nodes and handle spot node termination |
EFSPolicy | Role assumed by the EFS CSI driver to provision and attach EFS volumes |
EBSPolicy | Role assumed by the EBS CSI driver to provision and attach EBS volumes |
RolePolicy with policies for ECR, S3, SSM and EKS. The role uses a trust relationship: if you are using TrueFoundry’s control plane, the role will be assumed by arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps; otherwise it will be assumed by your own control plane’s IAM role | Role assumed by TrueFoundry to allow access to the ECR, S3, and SSM services |
ClusterRole with the policies AmazonEKSClusterPolicy, AmazonEKSVPCResourceControllerPolicy and EncryptionPolicy | Role that provides Kubernetes permissions to manage the cluster lifecycle, networking, and encryption |
NodeRole with the policies AmazonEC2ContainerRegistryReadOnlyPolicy, AmazonEKS_CNI_Policy, AmazonEKSWorkerNodePolicy and AmazonSSMManagedInstanceCorePolicy | Role assumed by EKS nodes to work with AWS resources for ECR access, IP assignment, and cluster registration |
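The RolePolicy row above is the one place where an identity outside your account (the TrueFoundry control-plane role) is trusted, so the trust relationship on that role is worth checking, not just the attached permission policies. The following is an added example, not TrueFoundry's own Terraform or code: it builds the trust policy the table describes (a single principal, the control-plane role ARN from the table or your own control plane's role) and audits an existing trust policy document for grants that go beyond that, such as a wildcard principal or an account-root principal that would let every identity in that account assume the role. The audit function and its finding strings are this example's own design, not an AWS API.

```python
"""Build and audit the trust policy of the TrueFoundry compute-plane role.

Added example (not TrueFoundry's own Terraform or code). It assumes the
trust relationship described in the Access Policies table: the role is
assumable only by the control-plane role, either TrueFoundry's hosted
control-plane role (ARN taken from the table) or your own control plane's
IAM role. audit_trust_policy() is this example's own check, not an AWS API.
"""
import json

# ARN from the page's table: TrueFoundry's hosted control-plane role.
TRUEFOUNDRY_CONTROL_PLANE_ROLE = (
    "arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps"
)


def build_trust_policy(control_plane_role_arn: str) -> dict:
    """Return a trust policy that lets exactly one principal assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": control_plane_role_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _principals(statement: dict) -> list:
    """Normalise the Principal element to a list of AWS principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return aws if isinstance(aws, list) else [aws]


def _actions(statement: dict) -> list:
    """Normalise the Action element to a list."""
    action = statement.get("Action", [])
    return action if isinstance(action, list) else [action]


def audit_trust_policy(policy: dict, allowed_arns: set) -> list:
    """Return findings for any assume-role grant beyond the allowed ARNs.

    Flags wildcard principals, account-root principals (which allow every
    IAM identity in that account to assume the role) and any ARN that is
    not in allowed_arns. An empty list means the trust relationship is as
    narrow as the table describes.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _actions(stmt)):
            continue
        for p in _principals(stmt):
            if p == "*":
                findings.append(f"statement {i}: wildcard principal '*'")
            elif p.endswith(":root"):
                findings.append(f"statement {i}: account-root principal {p}")
            elif p not in allowed_arns:
                findings.append(f"statement {i}: unexpected principal {p}")
    return findings


if __name__ == "__main__":
    # Print the trust policy for the hosted control plane and confirm it
    # passes its own audit; the output is a JSON document you can attach
    # as the role's AssumeRolePolicyDocument.
    doc = build_trust_policy(TRUEFOUNDRY_CONTROL_PLANE_ROLE)
    print(json.dumps(doc, indent=2))
    print("findings:", audit_trust_policy(doc, {TRUEFOUNDRY_CONTROL_PLANE_ROLE}))
```

To audit a role you already have, pass the parsed AssumeRolePolicyDocument of that role to audit_trust_policy with the set containing only your control plane's role ARN (or the TrueFoundry ARN from the table); any finding means a principal other than the control plane can assume the role that carries the ECR, S3, SSM and EKS permissions.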
EncryptionPolicy to create and manage the key used for encryption: