Add validation for Hybrid node IAM role

abhay-krishna · abhay-krishna · commit 9d2fd30fe012 · 2025-09-04T14:57:37.000-07:00
diff --git a/internal/node/hybrid/hybrid.go b/internal/node/hybrid/hybrid.go
@@ -27,6 +27,7 @@ const (
 	apiServerEndpointResolution = "api-server-endpoint-resolution-validation"
 	proxyValidation             = "proxy-validation"
 	nodeInactiveValidation      = "node-inactive-validation"
+	hybridRoleValidation        = "hybrid-role-validation"
 	kubeletCurrentCertPath      = "/var/lib/kubelet/pki/kubelet-server-current.pem"
 )
 
@@ -145,6 +146,7 @@ func (hnp *HybridNodeProvider) Validate(ctx context.Context) error {
 		validation.New(apiServerEndpointResolution, kubernetes.ValidateAPIServerEndpointResolution),
 		validation.New(proxyValidation, network.NewProxyValidator().Run),
 		validation.New(nodeInactiveValidation, hnp.ValidateNodeIsInactive),
+		validation.New(hybridRoleValidation, hnp.ValidateKubeletVersionSkew),
 	)
 
 	// Run all validations sequentially
diff --git a/internal/node/hybrid/hybrid_role_validator.go b/internal/node/hybrid/hybrid_role_validator.go
@@ -0,0 +1,82 @@
+package hybrid
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/service/eks"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+
+	"github.com/aws/eks-hybrid/internal/api"
+	"github.com/aws/eks-hybrid/internal/validation"
+)
+
+func (hnp *HybridNodeProvider) ValidateClusterAccess(ctx context.Context, informer validation.Informer, _ *api.NodeConfig) error {
+	var err error
+	informer.Starting(ctx, "cluster-access", "Validating cluster access through EKS access entry or ConfigMap")
+	defer func() {
+		informer.Done(ctx, "cluster-access", err)
+	}()
+
+	var roleName string
+	stsClient := sts.NewFromConfig(*hnp.awsConfig)
+	eksClient := eks.NewFromConfig(*hnp.awsConfig)
+
+	getCallerIdentityOutput, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
+	if err != nil {
+		return err
+	}
+	roleArn := *getCallerIdentityOutput.Arn
+	parsedARN, err := arn.Parse(roleArn)
+	if err != nil {
+		return err
+	}
+
+	splitArn := strings.Split(parsedARN.Resource, "/")
+	if parsedARN.Service == "sts" && strings.HasPrefix(parsedARN.Resource, "assumed-role") {
+		roleName = splitArn[1]
+	} else if parsedARN.Service == "iam" && strings.HasPrefix(parsedARN.Resource, "role") {
+		roleName = splitArn[len(splitArn)-1]
+	}
+
+	accessEntries := []string{}
+	listAccessEntriesOutput, err := eksClient.ListAccessEntries(ctx, &eks.ListAccessEntriesInput{
+		ClusterName: hnp.cluster.Name,
+	})
+	if err != nil {
+		return err
+	}
+
+	accessEntries = append(accessEntries, listAccessEntriesOutput.AccessEntries...)
+	nextToken := listAccessEntriesOutput.NextToken
+
+	for nextToken != nil && aws.ToString(nextToken) != "" {
+		listAccessEntriesOutput, err = eksClient.ListAccessEntries(ctx, &eks.ListAccessEntriesInput{
+			ClusterName: hnp.cluster.Name,
+			NextToken:   nextToken,
+		})
+		if err != nil {
+			return err
+		}
+
+		accessEntries = append(accessEntries, listAccessEntriesOutput.AccessEntries...)
+		nextToken = listAccessEntriesOutput.NextToken
+	}
+
+	foundRole := false
+	for _, accessEntry := range accessEntries {
+		if strings.Contains(accessEntry, roleName) {
+			foundRole = true
+		}
+	}
+
+	if !foundRole {
+		err = validation.WithRemediation(fmt.Errorf("missing access entry with Hybrid Node role principal"), "Ensure your EKS cluster has at least one access entry with the hybrid node IAM role as principal.")
+		return err
+	}
+
+	return nil
+}
diff --git a/test/e2e/credentials/stack.go b/test/e2e/credentials/stack.go
@@ -94,7 +94,7 @@ func (s *Stack) Deploy(ctx context.Context, logger logr.Logger) (*StackOutput, e
 	}
 
 	if !skipIRATest() {
-		logger.Info("Creating access entry", "iamRoleArn", output.IRANodeRoleARN)
+		logger.Info("Creating access entry", "iamRARoleArn", output.IRANodeRoleARN)
 		_, err = s.EKS.CreateAccessEntry(ctx, &eks.CreateAccessEntryInput{
 			ClusterName:  &s.ClusterName,
 			PrincipalArn: &output.IRANodeRoleARN,
@@ -335,7 +335,7 @@ func (s *Stack) Delete(ctx context.Context, logger logr.Logger, output *StackOut
 		return fmt.Errorf("deleting SSM access entry: %w", err)
 	}
 	if !skipIRATest() {
-		logger.Info("Deleting access entry", "iamRoleArn", output.IRANodeRoleARN)
+		logger.Info("Deleting access entry", "iamRARoleArn", output.IRANodeRoleARN)
 		if _, err := s.EKS.DeleteAccessEntry(ctx, &eks.DeleteAccessEntryInput{
 			ClusterName:  &s.ClusterName,
 			PrincipalArn: &output.IRANodeRoleARN,

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ const (`
`27`	`27`	`apiServerEndpointResolution = "api-server-endpoint-resolution-validation"`
`28`	`28`	`proxyValidation = "proxy-validation"`
`29`	`29`	`nodeInactiveValidation = "node-inactive-validation"`
	`30`	`+ hybridRoleValidation = "hybrid-role-validation"`
`30`	`31`	`kubeletCurrentCertPath = "/var/lib/kubelet/pki/kubelet-server-current.pem"`
`31`	`32`	`)`
`32`	`33`
`@@ -145,6 +146,7 @@ func (hnp *HybridNodeProvider) Validate(ctx context.Context) error {`
`145`	`146`	`validation.New(apiServerEndpointResolution, kubernetes.ValidateAPIServerEndpointResolution),`
`146`	`147`	`validation.New(proxyValidation, network.NewProxyValidator().Run),`
`147`	`148`	`validation.New(nodeInactiveValidation, hnp.ValidateNodeIsInactive),`
	`149`	`+ validation.New(hybridRoleValidation, hnp.ValidateKubeletVersionSkew),`
`148`	`150`	`)`
`149`	`151`
`150`	`152`	`// Run all validations sequentially`