Skip to main content
Amazon EKS 0.72.0Last updated in version 0.70.2

K8S Cluster Autoscaler IAM Policy Module

View Source Release Notes

This Terraform Module defines an IAM policy that defines the minimal set of permissions necessary for the Kubernetes Cluster Autoscaler. This policy can then be attached to the EC2 instance profile of the worker nodes in a Kubernetes cluster which will allow the autoscaler to manage scaling up and down EC2 instances in targeted Auto Scaling Groups in response to resource utilization.

See the eks-k8s-cluster-autoscaler module for a module that deploys the Cluster Autoscaler to your EKS cluster.

Attaching IAM policy to workers

To allow the Cluster Autoscaler to manage Auto Scaling Groups, it needs IAM permissions to monitor and adjust them. Currently, the way to grant Pods IAM privileges is to use the worker IAM profiles provisioned by the eks-cluster-workers module.

The Terraform templates in this module create an IAM policy that has the required permissions. You then need to use an aws_iam_policy_attachment to attach that policy to the IAM roles of your EC2 Instances.

module "eks_workers" {
# (arguments omitted)
}

module "k8s_cluster_autoscaler_iam_policy" {
# (arguments omitted)
eks_worker_asg_arns = module.eks_workers.eks_worker_asg_arns
}

resource "aws_iam_role_policy_attachment" "attach_k8s_cluster_autoscaler_iam_policy" {
role = module.eks_workers.eks_worker_iam_role_name
policy_arn = module.k8s_cluster_autoscaler_iam_policy.k8s_cluster_autoscaler_policy_arn
}

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-K8S-CLUSTER-AUTOSCALER-IAM-POLICY MODULE
# ------------------------------------------------------------------------------------------------------

module "eks_k_8_s_cluster_autoscaler_iam_policy" {

source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-k8s-cluster-autoscaler-iam-policy?ref=v0.72.0"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# A name that uniquely identified in which context this module is being
# invoked. This also helps to avoid creating two resources with the same name
# from different terraform applies.
name_prefix = <string>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# If you set this variable to false, this module will not create any
# resources. This is used as a workaround because Terraform does not allow you
# to use the 'count' parameter on modules. By using this parameter, you can
# optionally create or not create the resources within this module.
create_resources = true

# ARNs of the EKS Managed Node Groups to grant access to. If this is not
# specified the policy will match based on tags only (specifically, the tag
# 'k8s.io/cluster-autoscaler/NAME_PREFIX').
eks_managed_node_group_arns = []

# ARNs of the Auto Scaling Groups to grant access to. If this is not specified
# the policy will match based on tags only (specifically, the tag
# 'k8s.io/cluster-autoscaler/NAME_PREFIX').
eks_worker_asg_arns = []

}


Reference

Required

name_prefixstringrequired

A name that uniquely identified in which context this module is being invoked. This also helps to avoid creating two resources with the same name from different terraform applies.

Optional

create_resourcesbooloptional

If you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module.

true
eks_managed_node_group_arnslist(string)optional

ARNs of the EKS Managed Node Groups to grant access to. If this is not specified the policy will match based on tags only (specifically, the tag 'k8s.io/cluster-autoscaler/NAME_PREFIX').

[]
eks_worker_asg_arnslist(string)optional

ARNs of the Auto Scaling Groups to grant access to. If this is not specified the policy will match based on tags only (specifically, the tag 'k8s.io/cluster-autoscaler/NAME_PREFIX').

[]