
Outdated IAM policy for cert-manager in wellKnownPolicies #8248

Open
LEEDOWON96 opened this issue Feb 25, 2025 · 5 comments

@LEEDOWON96

The current IAM policy applied by the wellKnownPolicies.certManager option in eksctl does not match the latest recommended policy for cert-manager.

Current Policy

The policy currently applied by eksctl's wellKnownPolicies.certManager option is split into three separate statements:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/*",
            "Effect": "Allow"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "route53:GetChange"
            ],
            "Resource": "arn:aws:route53:::change/*",
            "Effect": "Allow"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "route53:ListResourceRecordSets",
                "route53:ListHostedZonesByName"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Latest Recommended Policy

The latest recommended policy for cert-manager, as per the official documentation, is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}

Reproduction Steps

  1. Create a cluster configuration file with the following IAM section:

iam:
  withOIDC: true
  podIdentityAssociations:
    - namespace: kube-system
      serviceAccountName: cert-manager
      createServiceAccount: false
      roleName: TEST-CERT-MANAGER
      wellKnownPolicies:
        certManager: true

  2. Create the cluster using this configuration.
  3. Inspect the resulting IAM policy for the cert-manager role.

Expected Behavior
The IAM policy created by eksctl should match the latest recommended policy for cert-manager.

Actual Behavior
The created IAM policy does not match the latest recommended policy.

Additional Context
The latest recommended policy can be found in the cert-manager documentation: https://cert-manager.io/docs/configuration/acme/dns01/route53/

Proposed Solution
Update the wellKnownPolicies.certManager implementation in eksctl to use the latest recommended policy for cert-manager: https://github.com/eksctl-io/eksctl/blob/main/pkg/cfn/builder/statement.go#L261
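To check the mismatch the issue describes, the two policies can be flattened into their effective (action, resource) grants and diffed; eksctl's three separate documents then compare directly against the single recommended document. The script below is an added example, not eksctl's or cert-manager's code, and the two policy documents in it are constructed copies of the ones quoted above.

```python
# Constructed copies of the policy documents quoted in the issue: the three
# statements eksctl currently emits for wellKnownPolicies.certManager, and the
# single policy the cert-manager documentation recommends.
CURRENT = [
    {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": ["route53:ChangeResourceRecordSets"],
        "Resource": "arn:aws:route53:::hostedzone/*"}]},
    {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": ["route53:GetChange"], "Resource": "arn:aws:route53:::change/*"}]},
    {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": ["route53:ListResourceRecordSets", "route53:ListHostedZonesByName"],
        "Resource": "*"}]},
]
RECOMMENDED = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:GetChange",
     "Resource": "arn:aws:route53:::change/*"},
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets",
                                   "route53:ListResourceRecordSets"],
     "Resource": "arn:aws:route53:::hostedzone/*"},
    {"Effect": "Allow", "Action": "route53:ListHostedZonesByName",
     "Resource": "*"},
]}]

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def grants(policies):
    """Flatten unconditional Allow statements into a set of (action, resource)."""
    out = set()
    for doc in policies:
        for stmt in doc["Statement"]:
            # The quoted policies carry no Deny or Condition; skip rather than model.
            if stmt.get("Effect") != "Allow" or "Condition" in stmt:
                continue
            for action in _as_list(stmt["Action"]):
                for resource in _as_list(stmt["Resource"]):
                    out.add((action, resource))
    return out

def diff_grants(current, recommended):
    """Return (grants only in current, grants only in recommended), sorted."""
    cur, rec = grants(current), grants(recommended)
    return sorted(cur - rec), sorted(rec - cur)

if __name__ == "__main__":
    extra, missing = diff_grants(CURRENT, RECOMMENDED)
    print("only in current:", extra)        # ListResourceRecordSets on "*"
    print("only in recommended:", missing)  # ListResourceRecordSets on hostedzone/*
```

The only grant that differs is route53:ListResourceRecordSets, which the current policy allows on every resource while the recommended policy scopes it to hosted zones, so the fix narrows the role rather than adding permissions.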

Contributor

Hello LEEDOWON96 👋 Thank you for opening an issue in the eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website.

@dims
Contributor

dims commented Feb 25, 2025

@LEEDOWON96 do you want to file a PR?

@LEEDOWON96
Author

Thank you for the quick response. Could you guide me through the steps to file a PR for this issue?

@LEEDOWON96
Author

Additionally, similar to the cert-manager policy update we're discussing, I noticed that the wellKnownPolicy for aws-load-balancer-controller also needs to be updated to match the latest recommended policy.

The current latest version of aws-load-balancer-controller is v2.11.0, and its policy has been updated accordingly. Recent releases have added permissions such as elasticloadbalancing:DescribeCapacityReservation and elasticloadbalancing:ModifyCapacityReservation.
https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases

Would it be appropriate to include this update in the same PR, or should I propose it as a separate PR? 🤔

@dims
Contributor

dims commented Feb 25, 2025

Separate PRs for each policy will be easier to work with (if we need to tweak/revert).
