OCM-20625 | feat: Managed Policy additions for Karpenter on ROSA HCP

[robpblake]

What type of PR is this?

Feature

What this PR does / why we need it?

This PR adds the following:

• A new Managed Policy for the Karpenter Controller on ROSA HCP
• Additions to the Control Plane Operator managed policy to allow for tagging of SecurityGroups as a day-2 operation
• Additions to the installer role managed policy to allow for validation of user provided SQS queue URLs when configuring Karpenter Spot instance interruptions

Which Jira/Github issue(s) this PR fixes?

Fixes #

Special notes for your reviewer:

Pre-checks (if applicable):

• Tested latest changes against a cluster

• Included documentation changes with PR

• If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

  matchExpressions:
  - key: api.openshift.com/fedramp
    operator: NotIn
    values: ["true"]

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: robpblake
Once this PR has been reviewed and has the lgtm label, please assign iamkirkbater for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS
• resources/sts/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[robpblake]

Required because the Control Plane Operator adds the karpenter.sh/discovery tags to the SecurityGroup of the cluster when AutoNode is enabled as a day-2 operation on a cluster.

[robpblake]

This will allow Cluster Service to validate that the user provided SQS queue for spot interruption handling exists in the account, preventing basic misconfiguration errors.

[jharrington22]

This permission has rather large implications. Its a requirement?

[MitaliBhalla]

Yes, iam:PassRole is required for Karpenter to launch EC2 instances with an IAM instance profile. This is documented in Karpenter's prerequisites.
However, we should constrain this following the pattern in ROSAInstallerPolicy:

 "Condition": {
    "StringEquals": {
      "iam:PassedToService": ["ec2.amazonaws.com"]
   }
}

We can also scope the Resource ARN to Karpenter-specific roles (e.g., arn:aws:iam::*:role/*karpenter*).
Reference: ROSAInstallerPolicy uses this exact pattern for PassRole to EC2.

[jharrington22]

Are we sure all of these cannot be conditioned by tag?

[MitaliBhalla]

Unfortunately, most EC2 Describe* actions do not support resource-level permissions or tag-based conditions. This is an AWS API limitation, not a design choice.

Per the AWS Service Authorization Reference for EC2:

• ec2:DescribeAvailabilityZones - Resource type: None (no resource-level permissions)
• ec2:DescribeImages - Resource type: None
• ec2:DescribeInstances - Resource type: None (filtering happens at API response level, not IAM)
• ec2:DescribeInstanceTypes - Resource type: None
• ec2:DescribeSubnets - Resource type: None
• ec2:DescribeVpcs - Resource type: None

These are read-only discovery actions required for Karpenter to find available capacity. The ROSAInstallerPolicy similarly uses Resource: "*" for EC2 read permissions.

Reference: AWS EC2 Actions, Resources, and Condition Keys

[jharrington22]

This is another permission that will go through some scrutiny. We have this in our other managed policies IIRC?

[MitaliBhalla]

kms:CreateGrant permissions exist in multiple ROSA managed policies. For reference :

HCP CAPA Controller (openshift_hcp_capa_controller_manager_credentials_policy.json line 239-257):

{

  "Sid": "CreateGrantRestricted",
  "Effect": "Allow",
  "Action": ["kms:CreateGrant"],
  "Resource": "*",
  "Condition": {
    "Bool": { "kms:GrantIsForAWSResource": true },
    "StringEquals": { "aws:ResourceTag/red-hat": "true" },
    "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com" }
  }
}

Machine API (openshift_machine_api_aws_cloud_credentials_policy.json):

Uses kms:GrantIsForAWSResource: true condition.

For Karpenter, we can follow the more restrictive HCP CAPA pattern with all three conditions.

For more reference : AWS KMS Condition Keys

[jharrington22]

Conditions?

[MitaliBhalla]

iam:GetInstanceProfile and iam:ListInstanceProfiles do not support tag-based conditions per the
AWS IAM Service Authorization Reference

However, we can scope the Resource ARN for GetInstanceProfile:

"Resource": "arn:aws:iam::*:instance-profile/*karpenter*"

For ListInstanceProfiles, AWS requires Resource: "*" as it's a list operation that enumerates across all profiles. This matches the pattern in ROSAInstallerPolicy which uses Resource: "*" for IAM read operations.

References:

• IAM Actions, Resources, and Condition Keys
• ROSAInstallerPolicy