[Feature] Request for improvements to IAM policies set from the nodeGroups.iam.withAddonPolicies.efs parameter #7138

Open
@KazuhoShibutani

Description

What feature/behavior/change do you want?

I want to improve the permissions that are set from the nodeGroups.iam.withAddonPolicies.efs parameter.
Specifically, isn't it possible to grant the same permissions as AmazonEFSCSIDriverPolicy?
If not, I want to know why the current permissions are needed.

Why do you want this feature?

This is to cut down further on unnecessary permissions and make the setup more secure.

I understand that the nodeGroups.iam.withAddonPolicies.efs parameter is a setting for the IAM policy used by the EFS CSI driver add-on, like the one for the EBS CSI driver.

> IAM policies - eksctl
>
> EBS Policy
> The ebs policy enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver.

Currently, when the parameter is set to true, the following policies are attached to the node's IAM role.

```go
// Excerpt from eksctl: when withAddonPolicies.efs is enabled, two Allow
// policies are attached to the node's IAM role (refIR).
if api.IsEnabled(iamConfig.WithAddonPolicies.EFS) {
	cfnTemplate.attachAllowPolicy("PolicyEFS", refIR, efsStatements())
	cfnTemplate.attachAllowPolicy("PolicyEFSEC2", refIR, efsEc2Statements())
}

// Grants every elasticfilesystem API action on every resource.
func efsStatements() []cft.MapOfInterfaces {
	return []cft.MapOfInterfaces{
		{
			"Effect":   effectAllow,
			"Resource": resourceAll,
			"Action": []string{
				"elasticfilesystem:*",
			},
		},
	}
}

// EC2 network-interface actions granted alongside the EFS policy, again on every resource.
func efsEc2Statements() []cft.MapOfInterfaces {
	return []cft.MapOfInterfaces{
		{
			"Effect":   effectAllow,
			"Resource": resourceAll,
			"Action": []string{
				"ec2:DescribeSubnets",
				"ec2:CreateNetworkInterface",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DeleteNetworkInterface",
				"ec2:ModifyNetworkInterfaceAttribute",
				"ec2:DescribeNetworkInterfaceAttribute",
			},
		},
	}
}
```

These permissions are much broader than AmazonEFSCSIDriverPolicy.
For example, when the parameter is true, any other pod on the node can use the elasticfilesystem:DeleteFileSystem permission.

I am opening this issue on behalf of our customer.
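As an added illustration (not code from the issue or from eksctl), the Go snippet below models IAM's action-pattern matching and checks which EFS actions the wildcard statement quoted above grants, compared with a constructed narrow allow-list; the contents of ScopedEFSPolicy are an assumption for this example and not the text of AmazonEFSCSIDriverPolicy.

```go
package main

import "strings"

// Statement mirrors the Effect/Action shape of the eksctl statements quoted
// above (Resource is "*" in all of them, so it is omitted here).
type Statement struct {
	Effect  string
	Actions []string
}

// matchAction applies IAM action-pattern rules: '*' matches any run of characters,
// '?' exactly one; callers lower-case both sides, as IAM matches case-insensitively.
func matchAction(p, s string) bool {
	switch {
	case p == "":
		return s == ""
	case p[0] == '*':
		return matchAction(p[1:], s) || (s != "" && matchAction(p, s[1:]))
	case p[0] == '?':
		return s != "" && matchAction(p[1:], s[1:])
	default:
		return s != "" && p[0] == s[0] && matchAction(p[1:], s[1:])
	}
}

// Allows reports whether stmts grant action: an explicit Deny wins, otherwise
// any matching Allow suffices (IAM conditions are not modelled).
func Allows(stmts []Statement, action string) bool {
	allowed := false
	act := strings.ToLower(action)
	for _, st := range stmts {
		for _, pat := range st.Actions {
			switch {
			case !matchAction(strings.ToLower(pat), act):
			case st.Effect == "Deny":
				return false
			default:
				allowed = true
			}
		}
	}
	return allowed
}

// NodeEFSPolicy is the action list eksctl attaches today for withAddonPolicies.efs.
var NodeEFSPolicy = []Statement{{Effect: "Allow", Actions: []string{"elasticfilesystem:*"}}}
// ScopedEFSPolicy is a constructed narrow allow-list (Describe calls only), not the text of AmazonEFSCSIDriverPolicy.
var ScopedEFSPolicy = []Statement{{Effect: "Allow", Actions: []string{"elasticfilesystem:DescribeAccessPoints",
	"elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets"}}}
```

Running Allows over both policies shows the difference the issue describes: the wildcard grants elasticfilesystem:DeleteFileSystem, while the scoped list only grants the Describe calls.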
