
[EKS] [request]: Remove requirement for EC2 permissions on aws-node VPC CNI daemon

Open mikestef9 opened this issue 5 years ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
aws-node daemon that runs as part of VPC CNI plugin should not need EC2 API permissions on every worker node.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Today, the VPC CNI plugin includes a daemon that needs to run on every worker node, which makes EC2 API calls to configure networking reachability for pods. IAM Roles for Service Accounts help solve the problem of adding the EC2 API permissions to each worker node and instead to just the daemonset pod itself. But a better option would be to separate out the ipamd functionality into a separate controller that doesn't need to run on every node.

mikestef9 avatar Apr 28 '20 17:04 mikestef9
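The issue above describes the interim fix: moving the CNI's EC2 permissions off the node instance role and onto the aws-node service account via IRSA. The check below is an added example (not part of the issue or of amazon-vpc-cni-k8s) that reviews whether that separation is actually in place, given the node role's attached managed-policy ARNs and the aws-node ServiceAccount annotations; the role ARNs and account id in the samples are constructed.

```python
"""Review where the VPC CNI's EC2 permissions live after an IRSA migration."""
from dataclasses import dataclass

# Managed policy carrying the EC2 ENI/IP calls ipamd makes (real AWS ARN).
CNI_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
# Annotation IRSA uses to bind a ServiceAccount to an IAM role (real key).
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    message: str


def review_cni_permissions(node_role_policies, aws_node_annotations, node_role_arn):
    """Return findings for one cluster.

    node_role_policies: set of managed-policy ARNs attached to the node role
    aws_node_annotations: metadata.annotations of kube-system/aws-node SA
    node_role_arn: ARN of the node instance role (to catch reuse via IRSA)
    """
    findings = []
    sa_role = aws_node_annotations.get(IRSA_ANNOTATION)
    node_has_cni = CNI_POLICY_ARN in node_role_policies
    if sa_role is None:
        # No IRSA binding: aws-node falls back to the instance role, so every
        # workload on the node is running under a role that holds EC2 rights.
        findings.append(Finding("high", "aws-node has no IRSA role; it uses the node role"))
        if not node_has_cni:
            findings.append(Finding("high", "node role also lacks the CNI policy; ipamd calls will fail"))
    else:
        if sa_role == node_role_arn:
            findings.append(Finding("medium", "IRSA annotation points at the node role; nothing gained"))
        if node_has_cni:
            findings.append(Finding("medium", "CNI policy still attached to node role; detach it"))
    if not findings:
        findings.append(Finding("info", "EC2 permissions for the CNI are scoped to aws-node only"))
    return findings


# Constructed sample: account id and role names are placeholders.
NODE_ROLE = "arn:aws:iam::123456789012:role/eks-node"
WORKER_POLICY = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
BEFORE = review_cni_permissions({WORKER_POLICY, CNI_POLICY_ARN}, {}, NODE_ROLE)
AFTER = review_cni_permissions(
    {WORKER_POLICY}, {IRSA_ANNOTATION: "arn:aws:iam::123456789012:role/aws-node"}, NODE_ROLE)
```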

I would suggest that the ipamd functionality (at least that of assigning prefixes to node resources) of amazon-vpc-cni-k8s belongs in kubernetes/cloud-provider-aws. It isn't specific to either EKS or amazon-vpc-cni-k8s, but is a common need for all ENI-based CNIs.

johngmyers avatar Nov 21 '21 19:11 johngmyers

Is this the same? https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html

jimmyjones2 avatar Aug 04 '24 07:08 jimmyjones2

I believe the VPC-CNI controller is compatible with Pod Identity now, so you can even use the EKS-managed version of it (no need to customize the add-on with the role-ARN).

aslatter avatar Sep 20 '24 19:09 aslatter