AWS
Architecture
This guide describes the architecture of the compute plane that TrueFoundry creates in your AWS account and the IAM access policies that are created with it.
Refer to the “Access Policies Overview” section below for details of each access policy present in a TrueFoundry compute plane.
Access Policies Overview
Access Policy | Role | Reason
---|---|---
ELBControllerPolicy | <cluster_name>-elb-controller | Role assumed by the AWS Load Balancer Controller to provision an ELB when a Service of type LoadBalancer is created.
KarpenterPolicy, SQSPolicy | <cluster_name>-karpenter | Role assumed by Karpenter to provision nodes dynamically. The additional SQSPolicy lets Karpenter consume interruption events from an SQS queue so that Spot node termination is handled gracefully.
EFSPolicy | <cluster_name>-efs | Role assumed by the EFS CSI driver to provision and attach EFS volumes.
EBSPolicy | <cluster_name>-csi-ebs | Role assumed by the EBS CSI driver to provision and attach EBS volumes.
RolePolicy (ECR, S3, SSM) | <cluster_name>-platform-iam-role | Role assumed by TrueFoundry for access to ECR, S3 and SSM.
AmazonEKSClusterPolicy, AmazonEKSVPCResourceController, EncryptionPolicy (creates and manages the key used for encryption; see below) | <cluster_name>-cluster-<random_string> | Cluster role that gives the EKS control plane the permissions it needs to manage the cluster: manage the end-to-end lifecycle of the EC2 instances used as EKS nodes, assign networking components to those instances, and perform encryption at rest.
AmazonEC2ContainerRegistryReadOnly, AmazonEKS_CNI_Policy, AmazonEKSWorkerNodePolicy, AmazonSSMManagedInstanceCore | initial-eks-node-group-<random_string> | Instance role assumed by the EKS worker nodes so they can pull images from ECR, assign IPs to the EC2 instance, register with the cluster, and perform disk encryption.
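The controller roles in the table are each meant to be assumed by exactly one workload. The check a practitioner wants before trusting such a cluster is that every role's trust policy is pinned to the cluster's OIDC provider and to one Kubernetes service account (the IRSA pattern), and that no attached permission policy is a blanket `service:*` on `Resource: "*"`. The following is an added example, not TrueFoundry's code, and it assumes these roles are bound through IRSA (the page does not say how they are assumed). The account ID, OIDC provider ID, namespace and service-account name are constructed placeholders; the trust documents are constructed too, one scoped correctly and one using a wildcard `sub`.

```python
"""Validate IAM trust and permission policies for EKS IRSA roles.

Added example, not TrueFoundry code. The account ID, OIDC provider ID,
namespace and service-account names below are constructed placeholders.
"""
import json

ACCOUNT_ID = "111122223333"                                   # placeholder
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
OIDC_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_irsa_trust_policy(trust_policy, provider_arn, namespace, service_account):
    """Return findings for a role trust policy that should be assumable only by
    one Kubernetes service account via IRSA. An empty list means it is tight."""
    findings = []
    host = provider_arn.split(":oidc-provider/", 1)[1]
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        principal = stmt.get("Principal", {})
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            # Any other entry point (e.g. sts:AssumeRole from an AWS principal)
            # widens who can act as the controller.
            findings.append(f"statement {i}: allows {actions} for {principal}, not an IRSA statement")
            continue
        federated = _as_list(principal.get("Federated") if isinstance(principal, dict) else principal)
        if federated != [provider_arn]:
            findings.append(f"statement {i}: Federated principal {federated} is not the cluster OIDC provider")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        sub = equals.get(f"{host}:sub")
        if sub is None:
            # A StringLike wildcard (or no condition at all) lets any pod in the
            # cluster that can mount a token assume the role.
            like = cond.get("StringLike", {}).get(f"{host}:sub")
            findings.append(f"statement {i}: sub claim not pinned with StringEquals (StringLike={like!r})")
        elif _as_list(sub) != [expected_sub]:
            findings.append(f"statement {i}: sub claim {sub!r} != {expected_sub!r}")
        if _as_list(equals.get(f"{host}:aud")) != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud claim not pinned to sts.amazonaws.com")
    return findings


def find_wildcard_statements(policy):
    """Flag Allow statements granting every action of a service (or every
    action) on every resource. Returns (statement index, actions) pairs."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            flagged.append((i, actions))
    return flagged


# Constructed sample trust policies for <cluster_name>-elb-controller.
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_HOST}:aud": "sts.amazonaws.com",
            f"{OIDC_HOST}:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller",
        }},
    }],
}
LOOSE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{OIDC_HOST}:sub": "system:serviceaccount:*:*"}},
    }],
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST), ("loose", LOOSE_TRUST)):
        findings = check_irsa_trust_policy(doc, OIDC_PROVIDER_ARN,
                                           "kube-system", "aws-load-balancer-controller")
        print(name, json.dumps(findings, indent=2))
```

In a live account the documents to feed into these functions come from `aws iam get-role --role-name <cluster_name>-elb-controller` (the `AssumeRolePolicyDocument` field, URL-decoded) and `aws iam get-policy-version` for each attached policy; run the check for every role in the table, with the namespace and service account each controller actually runs under.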
EncryptionPolicy, the policy used to create and manage the key for encryption at rest: