Skip to content

iamauth: fix aws-iam-authenticator reconcile for clusters using instance profiles from AWSMachinePool / AWSMachineTemplate#6076

Open
Kesav531 wants to merge 1 commit into
kubernetes-sigs:mainfrom
Kesav531:iamauth-dispatch-instance-profile
Open

iamauth: fix aws-iam-authenticator reconcile for clusters using instance profiles from AWSMachinePool / AWSMachineTemplate#6076
Kesav531 wants to merge 1 commit into
kubernetes-sigs:mainfrom
Kesav531:iamauth-dispatch-instance-profile

Conversation

@Kesav531

@Kesav531 Kesav531 commented Jun 26, 2026

Copy link
Copy Markdown

What this PR does / why we need it:

Fixes a bug in pkg/cloud/services/iamauth where the aws-iam-authenticator reconciler conflates IAM instance profile names (sourced from AWSMachineTemplate.Spec.Template.Spec.IAMInstanceProfile and AWSMachinePool.Spec.AWSLaunchTemplate.IamInstanceProfile) with IAM role names (sourced from AWSManagedMachinePool.Spec.RoleName). All three are collected into a single map[string]struct{} and then unconditionally resolved via iam:GetRole, which is wrong for the first two cases.

Result on EKS clusters whose workers come from AWSMachinePool or MachineDeployment + AWSMachineTemplate:

  • GetRole returns NoSuchEntity (when no IAM role of the same name as the instance profile exists) — reconcile fails permanently, the aws-auth ConfigMap never gets the node role mapping, AMCP condition IAMAuthenticatorConfigured stays False.
  • Or, GetRole returns the ARN of an unrelated IAM role that happens to share the name — aws-auth is silently populated with the wrong ARN.

Fix:

  • Track each discovered name's kind (asInstanceProfile vs asRole) at collection time via a map[string]nameKind.
  • Add getARNForInstanceProfile calling iam:GetInstanceProfile and returning Roles[0].Arn (AWS limits an instance profile to one attached role; empty Roles is treated as an error).
  • Add resolveRoleARN(ctx, name, kind) dispatcher; replace the single getARNForRole call site in ReconcileIAMAuthenticator.
  • Grant iam:GetInstanceProfile in the EKS controllers policy generated by clusterawsadm, so the controller can actually call the new API. Regenerated all 13 affected bootstrap fixtures.

Which issue(s) this PR fixes:

Fixes #6075

Special notes for your reviewer:

  • Unit tests added in pkg/cloud/services/iamauth/reconcile_test.go cover: instance-profile-name dispatch, role-name dispatch, error path for instance profile with no attached role, error path for unknown kind.
  • Mock regenerated for the new GetInstanceProfile call.
  • The bootstrap fixture test (cmd/clusterawsadm/cloudformation/bootstrap) passes — all 13 fixtures match the regenerated policy.
  • Validated across a fleet of EKS clusters using AWSMachinePool; AMCP IAMAuthenticatorConfigured flipped from False to True after the fix landed alongside the IAM grant.

Release note:

Fix `aws-iam-authenticator` reconcile for EKS clusters whose worker nodes come from `AWSMachinePool` or `MachineDeployment` + `AWSMachineTemplate`. Names from `IAMInstanceProfile` CRD fields are now resolved via `iam:GetInstanceProfile`; only `AWSManagedMachinePool.Spec.RoleName` is resolved via `iam:GetRole`. The EKS controllers IAM policy generated by `clusterawsadm` now grants `iam:GetInstanceProfile`.

Fixes kubernetes-sigs#6075

Signed-off-by: Kesavaraj S <ksugumaran@newrelic.com>
@kubernetes-prow kubernetes-prow Bot added do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 26, 2026
@linux-foundation-easycla

linux-foundation-easycla Bot commented Jun 26, 2026

Copy link
Copy Markdown

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: Kesav531 / name: Kesavaraj S (4bcd0a6)

@kubernetes-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign neolit123 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow kubernetes-prow Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jun 26, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

Hi @Kesav531. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Kesav531 Kesav531 changed the title iamauth: dispatch GetInstanceProfile vs GetRole based on source CRD iamauth: fix aws-iam-authenticator reconcile for clusters using instance profiles from AWSMachinePool / AWSMachineTemplate Jun 26, 2026
@kubernetes-prow kubernetes-prow Bot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jun 26, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

Invalid commit message issues detected

Invalid commit messages

Keywords which can automatically close issues and hashtag(#) mentions are not allowed.

  • 4bcd0a6 iamauth: dispatch GetInstanceProfile vs GetRole based on source CRD

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@kubernetes-prow kubernetes-prow Bot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jun 26, 2026
@asifdxtreme

Copy link
Copy Markdown

Thanks @Kesav531 for submitting this change, this was one of the blocking issue for us.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

iamauth: GetRole called with instance profile names from AWSMachinePool / AWSMachineTemplate, breaking aws-iam-authenticator reconcile on EKS clusters

2 participants