Use managed cni policy if not using cluster scoped ones

kishiel · Nov 1, 2023 · 0f0ea66 · 0f0ea66
1 parent ece5253
commit 0f0ea66
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/packages/aws-cdk-lib/aws-eks/lib/cluster.ts b/packages/aws-cdk-lib/aws-eks/lib/cluster.ts
@@ -1147,6 +1147,7 @@ abstract class ClusterBase extends Resource implements ICluster {
     }
 
     autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKSWorkerNodePolicy'));
+    autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKS_CNI_Policy'));
     autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly'));
 
     // EKS Required Tags

diff --git a/packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts b/packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts
@@ -446,19 +446,20 @@ export class Nodegroup extends Resource implements INodegroup {
       });
 
       ngRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AmazonEKSWorkerNodePolicy'));
-      ngRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AmazonEKS_CNI_Policy'));
       ngRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly'));
 
       this.role = ngRole;
     } else {
       this.role = props.nodeRole;
     }
 
-    // Apply the CNI policies to the node group role
+    // Apply the cluster-scoped CNI policies to the node group role
     if (props.cluster.cniPolicies && this.applyLimitedCNIPoliciesToRole) {
       for (let policy of props.cluster.cniPolicies) {
         this.role.addToPrincipalPolicy(policy);
       }
+    } else {
+      this.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AmazonEKS_CNI_Policy'));
     }
 
     this.validateUpdateConfig(props.maxUnavailable, props.maxUnavailablePercentage);