Add validation for Hybrid node IAM role

Author: abhay-krishna

internal/node/hybrid/hybrid.go

@@ -27,6 +27,7 @@ const (
 	apiServerEndpointResolution = "api-server-endpoint-resolution-validation"
 	proxyValidation             = "proxy-validation"
 	nodeInactiveValidation      = "node-inactive-validation"
+	clusterAccessValidation     = "cluster-access-validation"
 	kubeletCurrentCertPath      = "/var/lib/kubelet/pki/kubelet-server-current.pem"
 )
 
@@ -145,6 +146,7 @@ func (hnp *HybridNodeProvider) Validate(ctx context.Context) error {
 		validation.New(apiServerEndpointResolution, kubernetes.ValidateAPIServerEndpointResolution),
 		validation.New(proxyValidation, network.NewProxyValidator().Run),
 		validation.New(nodeInactiveValidation, hnp.ValidateNodeIsInactive),
+		validation.New(clusterAccessValidation, hnp.ValidateClusterAccess),
 	)
 
 	// Run all validations sequentially

internal/node/hybrid/hybrid_role_validator.go

@@ -0,0 +1,136 @@
+package hybrid
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/service/eks"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+
+	"github.com/aws/eks-hybrid/internal/api"
+	"github.com/aws/eks-hybrid/internal/validation"
+)
+
+const (
+	accessEntryRemediation = "Ensure your EKS cluster has at least one access entry of type HYBRID_LINUX with the hybrid node IAM role as principal."
+)
+
+// ValidateClusterAccess checks if the current IAM role has access to the EKS cluster
+// through an access entry
+func (hnp *HybridNodeProvider) ValidateClusterAccess(ctx context.Context, informer validation.Informer, _ *api.NodeConfig) error {
+	var err error
+	if hnp.awsConfig == nil {
+		err = fmt.Errorf("AWS config not set")
+		return err
+	}
+
+	if hnp.cluster == nil || hnp.cluster.Name == nil {
+		informer.Starting(ctx, clusterAccessValidation, "Skipping cluster access validation due to node IAM role missing EKS DescribeCluster permission")
+		informer.Done(ctx, clusterAccessValidation, err)
+		return nil
+	}
+
+	informer.Starting(ctx, clusterAccessValidation, "Validating cluster access through EKS access entry")
+	defer func() {
+		informer.Done(ctx, clusterAccessValidation, err)
+	}()
+
+	stsClient := sts.NewFromConfig(*hnp.awsConfig)
+	eksClient := eks.NewFromConfig(*hnp.awsConfig)
+
+	getCallerIdentityOutput, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
+	if err != nil {
+		err = validation.WithRemediation(fmt.Errorf("getting caller identity: %w", err), accessEntryRemediation)
+		return err
+	}
+
+	if getCallerIdentityOutput.Arn == nil {
+		err = validation.WithRemediation(fmt.Errorf("caller identity ARN is nil"), accessEntryRemediation)
+		return err
+	}
+
+	roleArn := *getCallerIdentityOutput.Arn
+	parsedARN, err := arn.Parse(roleArn)
+	if err != nil {
+		err = validation.WithRemediation(fmt.Errorf("parsing role ARN: %w", err), accessEntryRemediation)
+		return err
+	}
+
+	roleName, ok := extractRoleNameFromARN(parsedARN)
+	if !ok || roleName == "" {
+		err = validation.WithRemediation(fmt.Errorf("extracting role name from ARN: %s", roleArn), accessEntryRemediation)
+		return err
+	}
+
+	accessEntries, err := fetchAllAccessEntries(ctx, eksClient, hnp.cluster.Name)
+	if err != nil {
+		err = validation.WithRemediation(fmt.Errorf("fetching access entries from cluster: %w", err), accessEntryRemediation)
+		return err
+	}
+
+	foundRole := false
+	for _, accessEntry := range accessEntries {
+		if strings.Contains(accessEntry, fmt.Sprintf("role/%s", roleName)) ||
+			strings.Contains(accessEntry, fmt.Sprintf("role/%s/", roleName)) ||
+			strings.HasSuffix(accessEntry, roleName) {
+			foundRole = true
+			break
+		}
+	}
+
+	if !foundRole {
+		err = validation.WithRemediation(
+			fmt.Errorf("missing access entry of type HYBRID_LINUX with Hybrid Node role principal: %s", roleName),
+			accessEntryRemediation,
+		)
+		return err
+	}
+
+	return nil
+}
+
+// extractRoleNameFromARN extracts the role name from an ARN
+// Returns the role name and a boolean indicating if extraction was successful
+func extractRoleNameFromARN(parsedARN arn.ARN) (string, bool) {
+	splitArn := strings.Split(parsedARN.Resource, "/")
+
+	// Handle assumed role ARN format: arn:aws:sts::123456789012:assumed-role/RoleName/session
+	if parsedARN.Service == "sts" && strings.HasPrefix(parsedARN.Resource, "assumed-role") && len(splitArn) >= 2 {
+		return splitArn[1], true
+	}
+
+	// Handle IAM role ARN format: arn:aws:iam::123456789012:role/RoleName
+	if parsedARN.Service == "iam" && strings.HasPrefix(parsedARN.Resource, "role") && len(splitArn) >= 2 {
+		return splitArn[len(splitArn)-1], true
+	}
+
+	return "", false
+}
+
+// fetchAllAccessEntries retrieves all access entries for a cluster with pagination handling
+func fetchAllAccessEntries(ctx context.Context, eksClient *eks.Client, clusterName *string) ([]string, error) {
+	accessEntries := []string{}
+	var nextToken *string
+
+	for {
+		listAccessEntriesOutput, err := eksClient.ListAccessEntries(ctx, &eks.ListAccessEntriesInput{
+			ClusterName: clusterName,
+			NextToken:   nextToken,
+		})
+		if err != nil {
+			return nil, fmt.Errorf("failed to list access entries: %w", err)
+		}
+
+		accessEntries = append(accessEntries, listAccessEntriesOutput.AccessEntries...)
+
+		if listAccessEntriesOutput.NextToken == nil || aws.ToString(listAccessEntriesOutput.NextToken) == "" {
+			break
+		}
+		nextToken = listAccessEntriesOutput.NextToken
+	}
+
+	return accessEntries, nil
+}

internal/node/hybrid/nodeinactive_validator_test.go

@@ -101,6 +101,7 @@ func TestHybridNodeProvider_ValidateNodeIsInactive(t *testing.T) {
 					"kubelet-cert-validation",
 					"api-server-endpoint-resolution-validation",
 					"proxy-validation",
+					"cluster-access-validation",
 				},
 				observedLogger,
 				hybrid.WithDaemonManager(mockDaemon),

test/e2e/credentials/stack.go

@@ -94,7 +94,7 @@ func (s *Stack) Deploy(ctx context.Context, logger logr.Logger) (*StackOutput, e
 	}
 
 	if !skipIRATest() {
-		logger.Info("Creating access entry", "iamRoleArn", output.IRANodeRoleARN)
+		logger.Info("Creating access entry", "iamRARoleArn", output.IRANodeRoleARN)
 		_, err = s.EKS.CreateAccessEntry(ctx, &eks.CreateAccessEntryInput{
 			ClusterName:  &s.ClusterName,
 			PrincipalArn: &output.IRANodeRoleARN,
@@ -404,7 +404,7 @@ func (s *Stack) Delete(ctx context.Context, logger logr.Logger, output *StackOut
 		return fmt.Errorf("deleting SSM access entry: %w", err)
 	}
 	if !skipIRATest() {
-		logger.Info("Deleting access entry", "iamRoleArn", output.IRANodeRoleARN)
+		logger.Info("Deleting access entry", "iamRARoleArn", output.IRANodeRoleARN)
 		if _, err := s.EKS.DeleteAccessEntry(ctx, &eks.DeleteAccessEntryInput{
 			ClusterName:  &s.ClusterName,
 			PrincipalArn: &output.IRANodeRoleARN,

test/integration/cases/init-with-config-enrichment/run.sh

@@ -21,7 +21,7 @@ nodeadm install $CURRENT_VERSION  --credential-provider iam-ra
 mock::aws_signing_helper
 
 exit_code=0
-STDERR=$(nodeadm init --skip run,node-ip-validation,k8s-authentication-validation --config-source file://config.yaml 2>&1) || exit_code=$?
+STDERR=$(nodeadm init --skip run,node-ip-validation,k8s-authentication-validation,cluster-access-validation --config-source file://config.yaml 2>&1) || exit_code=$?
 if [ $exit_code -ne 0 ]; then
     assert::is-substring "$STDERR" "ResourceNotFoundException"
 else
@@ -37,7 +37,7 @@ aws eks create-cluster \
     --resources-vpc-config subnetIds=subnet-123456789012,subnet-123456789013,securityGroupIds=sg-123456789014,endpointPrivateAccess=true,endpointPublicAccess=false \
     --remote-network-config '{"remoteNodeNetworks":[{"cidrs":["10.100.0.0/16"]}],"remotePodNetworks":[{"cidrs":["10.101.0.0/16"]}]}'
 
-if ! nodeadm init --skip run,node-ip-validation,k8s-authentication-validation --config-source file://config.yaml; then
+if ! nodeadm init --skip run,node-ip-validation,k8s-authentication-validation,cluster-access-validation --config-source file://config.yaml; then
     echo "nodeadm init should have succeeded after creating the cluster"
     exit 1
 fi

test/integration/cases/init-with-node-ip-validation/run.sh

@@ -28,10 +28,10 @@ nodeadm install $CURRENT_VERSION --credential-provider iam-ra
 mock::aws_signing_helper
 
 # should fail when --node-ip set to ip not in remote node networks
-if nodeadm init --skip run,k8s-authentication-validation --config-source file://config-ip-out-of-range.yaml; then
+if nodeadm init --skip run,k8s-authentication-validation,cluster-access-validation --config-source file://config-ip-out-of-range.yaml; then
     echo "nodeadm init should have failed with ip out of range but succeeded unexpectedly"
     exit 1
 fi
 
 # should succeed when --node-ip set to ip in remote node networks
-nodeadm init --skip run,k8s-authentication-validation --config-source file://config-ip-in-range.yaml
+nodeadm init --skip run,k8s-authentication-validation,cluster-access-validation --config-source file://config-ip-in-range.yaml