From 7240abbeb7d64c10ac32b8dc417bfda5ec60de7f Mon Sep 17 00:00:00 2001 From: Ivan Huang Date: Mon, 9 Feb 2026 21:30:07 +0800 Subject: [PATCH 1/7] Update generated files Signed-off-by: Ivan --- pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go b/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go index 18bee64b01..b9bbf44dab 100644 --- a/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go +++ b/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go @@ -2072,6 +2072,11 @@ func (in *NodeGroupIAMAddonPolicies) DeepCopyInto(out *NodeGroupIAMAddonPolicies *out = new(bool) **out = **in } + if in.AWSGlobalAccelerator != nil { + in, out := &in.AWSGlobalAccelerator, &out.AWSGlobalAccelerator + *out = new(bool) + **out = **in + } return } From 7726da41f40ffca4b6c87117a2afadc0c4dd9ac3 Mon Sep 17 00:00:00 2001 From: Ivan Huang Date: Mon, 9 Feb 2026 22:44:19 +0800 Subject: [PATCH 2/7] Add GlobalAccelerator IAM policy statements Add IAM policy statements for Global Accelerator usage. This grants the necessary permissions for GA resources through CloudFormation. Signed-off-by: Ivan --- pkg/cfn/builder/iam_helper.go | 9 +++ pkg/cfn/builder/statement.go | 125 ++++++++++++++++++++++++++++++++++ 2 files changed, 134 insertions(+) diff --git a/pkg/cfn/builder/iam_helper.go b/pkg/cfn/builder/iam_helper.go index 9c9576d737..a9188e8a96 100644 --- a/pkg/cfn/builder/iam_helper.go +++ b/pkg/cfn/builder/iam_helper.go @@ -74,6 +74,11 @@ func createWellKnownPolicies(wellKnownPolicies api.WellKnownPolicies) ([]managed customPolicyForRole{Name: "PolicyEFSCSIController", Statements: efsCSIControllerStatements()}, ) } + if wellKnownPolicies.AWSGlobalAccelerator { + customPolicies = append(customPolicies, + customPolicyForRole{Name: "PolicyAWSGlobalAccelerator", Statements: globalAcceleratorStatements()}, + ) + } return managedPolicies, customPolicies } 
@@ -143,6 +148,10 @@ func createRole(cfnTemplate cfnTemplate, clusterIAMConfig *api.ClusterIAM, iamCo cfnTemplate.attachAllowPolicy("PolicyXRay", refIR, xRayStatements()) } + if api.IsEnabled(iamConfig.WithAddonPolicies.AWSGlobalAccelerator) { + cfnTemplate.attachAllowPolicy("PolicyAWSGlobalAccelerator", refIR, globalAcceleratorStatements()) + } + return nil } diff --git a/pkg/cfn/builder/statement.go b/pkg/cfn/builder/statement.go index 8afe21bae7..3caff2a922 100644 --- a/pkg/cfn/builder/statement.go +++ b/pkg/cfn/builder/statement.go 
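Review bot: Attaching `globalAcceleratorStatements()` to the node instance role (`refIR`) in createRole hands the accelerator create, update and delete permissions to anything that can use the node's instance-profile credentials, which typically includes pods on those nodes unless instance-metadata access is restricted. The same statements are already offered through `wellKnownPolicies.AWSGlobalAccelerator` in createWellKnownPolicies, where they can be bound to a single service account. I would add a comment above the new branch such as `// Grants the policy to every workload that can use the node role; prefer wellKnownPolicies.awsGlobalAccelerator on an IAM service account.` and say the same in the `--global-accelerator-access` help text added in nodegroup_flags.go. createRole's body starts outside the hunk.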
@@ -482,3 +482,128 @@ func efsCSIControllerStatements() []cft.MapOfInterfaces {
 },
 }
 }
+
+func globalAcceleratorStatements() []cft.MapOfInterfaces {
+ return []cft.MapOfInterfaces{
+ {
+ "Effect": effectAllow,
+ "Action": []string{"iam:CreateServiceLinkedRole"},
+ "Resource": resourceAll,
+ "Condition": map[string]interface{}{
+ "StringEquals": map[string][]string{
+ "iam:AWSServiceName": {
+ "globalaccelerator.amazonaws.com",
+ },
+ },
+ },
+ },
+ {
+ "Effect": effectAllow,
+ "Resource": resourceAll,
+ "Action": []string{
+ "globalaccelerator:ListAccelerators",
+ "globalaccelerator:ListEndpointGroups",
+ "globalaccelerator:ListListeners",
+ "globalaccelerator:ListTagsForResource",
+ "ec2:DescribeRegions",
+ "tag:GetResources",
+ },
+ },
+ {
+ "Effect": effectAllow,
+ "Resource": []*gfnt.Value{
+ addARNPartitionPrefix("globalaccelerator::*:accelerator/*"),
+ addARNPartitionPrefix("globalaccelerator::*:accelerator/*/listener/*"),
+ addARNPartitionPrefix("globalaccelerator::*:accelerator/*/listener/*/endpoint-group/*"),
+ },
+ "Action": []string{
+ "globalaccelerator:DescribeAccelerator",
+ "globalaccelerator:DescribeEndpointGroup",
+ "globalaccelerator:DescribeListener",
+ },
+ "Condition": map[string]interface{}{
+ "Null": map[string]string{
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false",
+ },
+ "StringEquals": map[string]string{
+ "aws:ResourceTag/aga.k8s.aws/resource": "GlobalAccelerator",
+ },
+ },
+ },
+ {
+ "Effect": effectAllow,
+ "Resource": resourceAll,
+ "Action": []string{
+ "globalaccelerator:CreateAccelerator",
+ },
+ "Condition": map[string]interface{}{
+ "Null": map[string]string{
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "false",
+ },
+ "StringEquals": map[string]string{
+ "aws:RequestTag/aga.k8s.aws/resource": "GlobalAccelerator",
+ },
+ },
+ },
+ {
+ "Effect": effectAllow,
+ "Resource": []*gfnt.Value{
+ addARNPartitionPrefix("globalaccelerator::*:accelerator/*"),
+ addARNPartitionPrefix("globalaccelerator::*:accelerator/*/listener/*"),
+ addARNPartitionPrefix("globalaccelerator::*:accelerator/*/listener/*/endpoint-group/*"),
+ },
+ "Action": []string{
+ "globalaccelerator:UpdateAccelerator",
+ "globalaccelerator:DeleteAccelerator",
+ "globalaccelerator:CreateListener",
+ "globalaccelerator:UpdateListener",
+ "globalaccelerator:DeleteListener",
+ "globalaccelerator:CreateEndpointGroup",
+ "globalaccelerator:UpdateEndpointGroup",
+ "globalaccelerator:DeleteEndpointGroup",
+ "globalaccelerator:AddEndpoints",
+ "globalaccelerator:RemoveEndpoints",
+ },
+ "Condition": map[string]interface{}{
+ "Null": map[string]string{
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false",
+ },
+ "StringEquals": map[string]string{
+ "aws:ResourceTag/aga.k8s.aws/resource": "GlobalAccelerator",
+ },
+ },
+ },
+ {
+ "Effect": effectAllow,
+ "Resource": addARNPartitionPrefix("globalaccelerator::*:accelerator/*"),
+ "Action": []string{
+ "globalaccelerator:TagResource",
+ "globalaccelerator:UntagResource",
+ },
+ "Condition": map[string]interface{}{
+ "Null": map[string]string{
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false",
+ },
+ "StringEquals": map[string]string{
+ "aws:ResourceTag/aga.k8s.aws/resource": "GlobalAccelerator",
+ },
+ },
+ },
+ {
+ "Effect": effectAllow,
+ "Resource": addARNPartitionPrefix("globalaccelerator::*:accelerator/*"),
+ "Action": []string{
+ "globalaccelerator:TagResource",
+ },
+ "Condition": map[string]interface{}{
+ "Null": map[string]string{
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "false",
+ },
+ "StringEquals": map[string]string{
+ "aws:RequestTag/aga.k8s.aws/resource": "GlobalAccelerator",
+ },
+ },
+ },
+ }
+}
From a4a4575905b08b18789fe96a122e44589ab25ac6 Mon Sep 17 00:00:00 2001 From: Ivan Huang Date: Mon, 9 Feb 2026 22:45:28 +0800 Subject: [PATCH 3/7] Wire GlobalAccelerator addon policy config and flags Expose GlobalAccelerator in addon policies and CLI flags. Set defaults and validation to keep config consistent. 
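Review bot: The `Null` conditions on `aws:ResourceTag/elbv2.k8s.aws/cluster` in globalAcceleratorStatements() only require the tag to be present, not to carry this cluster's name, so a role built from these statements can update or delete accelerators managed by any other cluster in the same account. The last statement also permits `globalaccelerator:TagResource` on `accelerator/*` on the strength of request tags alone, so the `aws:ResourceTag` guards are only as strong as the account's control over who may tag accelerators. The function has no doc comment; I would add `// globalAcceleratorStatements returns the IAM statements for the AWS Global Accelerator controller. The tag conditions check that elbv2.k8s.aws/cluster exists, not that it names this cluster.` and, if the cluster name can be made available to the builder, consider a `StringEquals` on that tag's value. The statements appear to follow the upstream policy linked from well_known_iam_policy.go, so naming that source and its revision in the comment would help track drift.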
Signed-off-by: Ivan --- pkg/apis/eksctl.io/v1alpha5/types.go | 4 ++++ pkg/apis/eksctl.io/v1alpha5/validation.go | 3 +++ pkg/apis/eksctl.io/v1alpha5/well_known_iam_policy.go | 6 +++++- pkg/ctl/cmdutils/nodegroup_flags.go | 2 ++ 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/pkg/apis/eksctl.io/v1alpha5/types.go b/pkg/apis/eksctl.io/v1alpha5/types.go index 95b46517c7..ad66a1b796 100644 --- a/pkg/apis/eksctl.io/v1alpha5/types.go +++ b/pkg/apis/eksctl.io/v1alpha5/types.go @@ -1290,6 +1290,7 @@ func NewNodeGroup() *NodeGroup { DeprecatedALBIngress: Disabled(), XRay: Disabled(), CloudWatch: Disabled(), + AWSGlobalAccelerator: Disabled(), }, }, ScalingConfig: &ScalingConfig{}, @@ -1340,6 +1341,7 @@ func NewManagedNodeGroup() *ManagedNodeGroup { DeprecatedALBIngress: Disabled(), XRay: Disabled(), CloudWatch: Disabled(), + AWSGlobalAccelerator: Disabled(), }, }, ScalingConfig: &ScalingConfig{}, @@ -1565,6 +1567,8 @@ type ( XRay *bool `json:"xRay"` // +optional CloudWatch *bool `json:"cloudWatch"` + // +optional + AWSGlobalAccelerator *bool `json:"awsGlobalAccelerator"` } // NodeGroupSSH holds all the ssh access configuration to a NodeGroup diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go index b6cf69653f..73a92e5e5d 100644 --- a/pkg/apis/eksctl.io/v1alpha5/validation.go +++ b/pkg/apis/eksctl.io/v1alpha5/validation.go @@ -1215,6 +1215,9 @@ func validateNodeGroupIAMWithAddonPolicies( if IsEnabled(policies.CloudWatch) { return fmtFieldConflictErr(prefix + "cloudWatch") } + if IsEnabled(policies.AWSGlobalAccelerator) { + return fmtFieldConflictErr(prefix + "awsGlobalAccelerator") + } return nil } diff --git a/pkg/apis/eksctl.io/v1alpha5/well_known_iam_policy.go b/pkg/apis/eksctl.io/v1alpha5/well_known_iam_policy.go index 0976c63bc6..58aeb1c290 100644 --- a/pkg/apis/eksctl.io/v1alpha5/well_known_iam_policy.go +++ b/pkg/apis/eksctl.io/v1alpha5/well_known_iam_policy.go 
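Review bot: The new `AWSGlobalAccelerator *bool` field in the addon-policies struct has only `// +optional` above it, so godoc says nothing about what enabling it grants, and the schema.json entry added for it in patch 4/7 is a bare `"type": "boolean"` with no description, unlike `autoScaler`. A line such as `// AWSGlobalAccelerator enables the IAM policy for the AWS Global Accelerator controller on the nodegroup's instance role` would give users and the schema something to show. The struct declaration begins outside the hunk.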
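Review bot: The added `IsEnabled(policies.AWSGlobalAccelerator)` branch in validateNodeGroupIAMWithAddonPolicies has no test in this series, as far as the diffstat of patch 5/7 shows (iam_test.go, managed_nodegroup_test.go and nodegroup_filter_test.go only). A validation test case that enables `awsGlobalAccelerator` in the configuration this function rejects and expects the `fmtFieldConflictErr` result for `awsGlobalAccelerator` would keep the guard from silently regressing. The function body starts outside the hunk.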
@@ -32,10 +32,14 @@ type WellKnownPolicies struct { // efs-csi-controller. See [aws-efs-csi-driver // docs](https://aws.amazon.com/blogs/containers/introducing-efs-csi-dynamic-provisioning). EFSCSIController bool `json:"efsCSIController,inline"` + // AWSGlobalAccelerator adds policies for using the + // Amazon Global Accelerator. See [IAM Policy for + // AWS Global Accelerator Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/install/aga_controller_iam_policy/). + AWSGlobalAccelerator bool `json:"awsGlobalAccelerator,inline"` } func (p *WellKnownPolicies) HasPolicy() bool { - return p.ImageBuilder || p.AutoScaler || p.AWSLoadBalancerController || p.ExternalDNS || p.CertManager || p.EBSCSIController || p.EFSCSIController + return p.ImageBuilder || p.AutoScaler || p.AWSLoadBalancerController || p.ExternalDNS || p.CertManager || p.EBSCSIController || p.EFSCSIController || p.AWSGlobalAccelerator } func (p *WellKnownPolicies) String() string { return "" } diff --git a/pkg/ctl/cmdutils/nodegroup_flags.go b/pkg/ctl/cmdutils/nodegroup_flags.go index ac8ff7982d..a51b88dd9a 100644 --- a/pkg/ctl/cmdutils/nodegroup_flags.go +++ b/pkg/ctl/cmdutils/nodegroup_flags.go 
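Review bot: The doc comment on `AWSGlobalAccelerator` names the service "Amazon Global Accelerator" while its own link text says "AWS Global Accelerator", and it does not mention that the attached policy includes create, update and delete actions plus `iam:CreateServiceLinkedRole`. The same wording is reproduced in the schema.json description in patch 4/7, so it is what users will read when deciding whether to enable the option. I would reword it to `// AWSGlobalAccelerator adds policies for the AWS Global Accelerator controller, including permission to create, modify and delete accelerators.` and keep the existing link. The WellKnownPolicies struct starts outside the hunk.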
@@ -96,12 +96,14 @@ func addCommonCreateNodeGroupIAMAddonsFlags(fs *pflag.FlagSet, ng *api.NodeGroup ng.IAM.WithAddonPolicies.AWSLoadBalancerController = new(bool) ng.IAM.WithAddonPolicies.XRay = new(bool) ng.IAM.WithAddonPolicies.CloudWatch = new(bool) + ng.IAM.WithAddonPolicies.AWSGlobalAccelerator = new(bool) fs.BoolVar(ng.IAM.WithAddonPolicies.AutoScaler, "asg-access", false, "enable IAM policy for cluster-autoscaler") fs.BoolVar(ng.IAM.WithAddonPolicies.ExternalDNS, "external-dns-access", false, "enable IAM policy for external-dns") fs.BoolVar(ng.IAM.WithAddonPolicies.ImageBuilder, "full-ecr-access", false, "enable full access to ECR") fs.BoolVar(ng.IAM.WithAddonPolicies.AppMesh, "appmesh-access", false, "enable full access to AppMesh") fs.BoolVar(ng.IAM.WithAddonPolicies.AppMeshPreview, "appmesh-preview-access", false, "enable full access to AppMesh Preview") fs.BoolVar(ng.IAM.WithAddonPolicies.AWSLoadBalancerController, "alb-ingress-access", false, "enable full access for alb-ingress-controller") + fs.BoolVar(ng.IAM.WithAddonPolicies.AWSGlobalAccelerator, "global-accelerator-access", false, "enable IAM policy for Global Accelerator") } // AddNodeGroupFilterFlags add common `--include` and `--exclude` flags for filtering nodegroups From 9fc136a6f1dd94d8216ec97248749cbc02f45867 Mon Sep 17 00:00:00 2001 From: Ivan Huang Date: Mon, 9 Feb 2026 22:49:08 +0800 Subject: [PATCH 4/7] Update the schema, add the GlobalAccelerator property. Expose GlobalAccelerator in the eksctl schema. Signed-off-by: Ivan --- pkg/apis/eksctl.io/v1alpha5/assets/schema.json | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json index 5bad31ad0a..53fde01111 100755 --- a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json +++ b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json 
@@ -2434,6 +2434,9 @@ "description": "enables IAM policy for cluster-autoscaler", "x-intellij-html-description": "enables IAM policy for cluster-autoscaler" }, + "awsGlobalAccelerator": { + "type": "boolean" + }, "awsLoadBalancerController": { "type": "boolean" }, @@ -2483,7 +2486,8 @@ "awsLoadBalancerController", "albIngress", "xRay", - "cloudWatch" + "cloudWatch", + "awsGlobalAccelerator" ], "additionalProperties": false, "description": "holds all IAM addon policies", @@ -3152,6 +3156,12 @@ "x-intellij-html-description": "adds policies for cluster-autoscaler. See autoscaler AWS docs.", "default": "false" }, + "awsGlobalAccelerator": { + "type": "boolean", + "description": "adds policies for using the Amazon Global Accelerator. See [IAM Policy for AWS Global Accelerator Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/install/aga_controller_iam_policy/).", + "x-intellij-html-description": "adds policies for using the Amazon Global Accelerator. See IAM Policy for AWS Global Accelerator Controller.", + "default": "false" + }, "awsLoadBalancerController": { "type": "boolean", "description": "adds policies for using the aws-load-balancer-controller. See [Load Balancer docs](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html).", @@ -3196,7 +3206,8 @@ "externalDNS", "certManager", "ebsCSIController", - "efsCSIController" + "efsCSIController", + "awsGlobalAccelerator" ], "additionalProperties": false, "description": "for attaching common IAM policies", From 1997851a8574b964bdc512282fc76ffcd9c04da9 Mon Sep 17 00:00:00 2001 From: Ivan Huang Date: Mon, 9 Feb 2026 22:51:11 +0800 Subject: [PATCH 5/7] Add tests for the GlobalAccelerator addon policy. Add coverage for GA policy attachment in nodegroup and IAM templates. Ensures new policy is rendered as expected. 
Signed-off-by: Ivan --- pkg/cfn/builder/iam_test.go | 148 +++++++++++++++++- pkg/cfn/builder/managed_nodegroup_test.go | 8 + .../cmdutils/filter/nodegroup_filter_test.go | 22 ++- 3 files changed, 169 insertions(+), 9 deletions(-) diff --git a/pkg/cfn/builder/iam_test.go b/pkg/cfn/builder/iam_test.go index 2923163978..aaf4ede839 100644 --- a/pkg/cfn/builder/iam_test.go +++ b/pkg/cfn/builder/iam_test.go @@ -299,6 +299,7 @@ var _ = Describe("template builder for IAM", func() { ImageBuilder: true, AutoScaler: true, AWSLoadBalancerController: true, + AWSGlobalAccelerator: true, ExternalDNS: true, CertManager: true, EBSCSIController: true, @@ -319,7 +320,7 @@ var _ = Describe("template builder for IAM", func() { Expect(t.Description).To(Equal("IAM role for serviceaccount \"default/sa-1\" [created and managed by eksctl]")) - Expect(t.Resources).To(HaveLen(9)) + Expect(t.Resources).To(HaveLen(10)) Expect(t.Outputs).To(HaveLen(1)) Expect(t).To(HaveResource(outputs.IAMServiceAccountRoleName, "AWS::IAM::Role")) @@ -335,6 +336,7 @@ var _ = Describe("template builder for IAM", func() { ]`)) Expect(t).To(HaveOutputWithValue(outputs.IAMServiceAccountRoleName, `{ "Fn::GetAtt": "Role1.Arn" }`)) Expect(t).To(HaveResourceWithPropertyValue("PolicyAWSLoadBalancerController", "PolicyDocument", expectedAWSLoadBalancerControllerPolicyDocument)) + Expect(t).To(HaveResourceWithPropertyValue("PolicyAWSGlobalAccelerator", "PolicyDocument", expectedAWSAWSGlobalAcceleratorPolicyDocument)) }) It("can parse an iamserviceaccount addon template", func() { 
@@ -806,3 +808,147 @@ const expectedAWSLoadBalancerControllerPolicyDocument = `{ ], "Version": "2012-10-17" }` + +const expectedAWSAWSGlobalAcceleratorPolicyDocument = `{ + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": [ + "globalaccelerator.amazonaws.com" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "globalaccelerator:ListAccelerators", + "globalaccelerator:ListEndpointGroups", + "globalaccelerator:ListListeners", + "globalaccelerator:ListTagsForResource", + "ec2:DescribeRegions", + "tag:GetResources" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "globalaccelerator:DescribeAccelerator", + "globalaccelerator:DescribeEndpointGroup", + "globalaccelerator:DescribeListener" + ], + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:globalaccelerator::*:accelerator/*" + }, + { + "Fn::Sub": "arn:${AWS::Partition}:globalaccelerator::*:accelerator/*/listener/*" + }, + { + "Fn::Sub": "arn:${AWS::Partition}:globalaccelerator::*:accelerator/*/listener/*/endpoint-group/*" + } + ], + "Condition": { + "Null": { + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + }, + "StringEquals": { + "aws:ResourceTag/aga.k8s.aws/resource": "GlobalAccelerator" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "globalaccelerator:CreateAccelerator" + ], + "Resource": "*", + "Condition": { + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "false" + }, + "StringEquals": { + "aws:RequestTag/aga.k8s.aws/resource": "GlobalAccelerator" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "globalaccelerator:UpdateAccelerator", + "globalaccelerator:DeleteAccelerator", + "globalaccelerator:CreateListener", + "globalaccelerator:UpdateListener", + "globalaccelerator:DeleteListener", + "globalaccelerator:CreateEndpointGroup", + "globalaccelerator:UpdateEndpointGroup", + "globalaccelerator:DeleteEndpointGroup", + 
"globalaccelerator:AddEndpoints", + "globalaccelerator:RemoveEndpoints" + ], + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:globalaccelerator::*:accelerator/*" + }, + { + "Fn::Sub": "arn:${AWS::Partition}:globalaccelerator::*:accelerator/*/listener/*" + }, + { + "Fn::Sub": "arn:${AWS::Partition}:globalaccelerator::*:accelerator/*/listener/*/endpoint-group/*" + } + ], + "Condition": { + "Null": { + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + }, + "StringEquals": { + "aws:ResourceTag/aga.k8s.aws/resource": "GlobalAccelerator" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "globalaccelerator:TagResource", + "globalaccelerator:UntagResource" + ], + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:globalaccelerator::*:accelerator/*" + }, + "Condition": { + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "true", + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + }, + "StringEquals": { + "aws:ResourceTag/aga.k8s.aws/resource": "GlobalAccelerator" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "globalaccelerator:TagResource" + ], + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:globalaccelerator::*:accelerator/*" + }, + "Condition": { + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "false" + }, + "StringEquals": { + "aws:RequestTag/aga.k8s.aws/resource": "GlobalAccelerator" + } + } + } + ], + "Version": "2012-10-17" +}` diff --git a/pkg/cfn/builder/managed_nodegroup_test.go b/pkg/cfn/builder/managed_nodegroup_test.go index 66f1b2733d..69dc49b6bd 100644 --- a/pkg/cfn/builder/managed_nodegroup_test.go +++ b/pkg/cfn/builder/managed_nodegroup_test.go 
@@ -59,6 +59,14 @@ func TestManagedPolicyResources(t *testing.T) { expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy", "AmazonEC2ContainerRegistryPullOnly", "AmazonSSMManagedInstanceCore"), description: "AutoScaler enabled", }, + { + addons: api.NodeGroupIAMAddonPolicies{ + AWSGlobalAccelerator: api.Enabled(), + }, + expectedNewPolicies: []string{"PolicyAWSGlobalAccelerator"}, + expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy", "AmazonEC2ContainerRegistryPullOnly", "AmazonSSMManagedInstanceCore"), + description: "AWSGlobalAccelerator enabled", + }, { attachPolicy: cft.MakePolicyDocument(cft.MapOfInterfaces{ "Effect": "Allow", diff --git a/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go b/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go index b7e99a7997..06e40d6443 100644 --- a/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go +++ b/pkg/ctl/cmdutils/filter/nodegroup_filter_test.go @@ -414,7 +414,8 @@ var expected = fmt.Sprintf(` "efs": false, "albIngress": false, "xRay": false, - "cloudWatch": false + "cloudWatch": false, + "awsGlobalAccelerator": false } }, "disableIMDSv1": true, @@ -459,7 +460,8 @@ var expected = fmt.Sprintf(` "efs": false, "albIngress": false, "xRay": false, - "cloudWatch": false + "cloudWatch": false, + "awsGlobalAccelerator": false } }, "disableIMDSv1": true, @@ -504,7 +506,8 @@ var expected = fmt.Sprintf(` "efs": false, "albIngress": false, "xRay": false, - "cloudWatch": false + "cloudWatch": false, + "awsGlobalAccelerator": false } }, "clusterDNS": "1.2.3.4", @@ -540,7 +543,7 @@ var expected = fmt.Sprintf(` "withAddonPolicies": { "imageBuilder": false, "autoScaler": false, - "awsLoadBalancerController": false, + "awsLoadBalancerController": false, "externalDNS": false, "certManager": false, "appMesh": false, 
@@ -550,7 +553,8 @@ var expected = fmt.Sprintf(` "efs": false, "albIngress": false, "xRay": false, - "cloudWatch": false + "cloudWatch": false, + "awsGlobalAccelerator": false } }, "disableIMDSv1": true, @@ -588,7 +592,7 @@ var expected = fmt.Sprintf(` "withAddonPolicies": { "imageBuilder": false, "autoScaler": false, - "awsLoadBalancerController": false, + "awsLoadBalancerController": false, "externalDNS": false, "certManager": false, "appMesh": false, @@ -598,7 +602,8 @@ var expected = fmt.Sprintf(` "efs": false, "albIngress": false, "xRay": false, - "cloudWatch": false + "cloudWatch": false, + "awsGlobalAccelerator": false } }, "clusterDNS": "4.2.8.14", @@ -647,7 +652,8 @@ var expected = fmt.Sprintf(` "efs": false, "albIngress": false, "xRay": false, - "cloudWatch": false + "cloudWatch": false, + "awsGlobalAccelerator": false } }, "disableIMDSv1": true, From 48514b297c9987acb97f318c4a27ce884a08febd Mon Sep 17 00:00:00 2001 From: Ivan Huang Date: Mon, 9 Feb 2026 22:52:17 +0800 Subject: [PATCH 6/7] Update generated pkg files. Update pkg files after `make test` execution. Signed-off-by: Ivan --- pkg/awsapi/autoscaling.go | 1 - pkg/awsapi/cloudwatchlogs.go | 1 - pkg/awsapi/ec2.go | 1 - pkg/awsapi/eks.go | 1 - 4 files changed, 4 deletions(-) diff --git a/pkg/awsapi/autoscaling.go b/pkg/awsapi/autoscaling.go index 846b71754f..59eb0f5403 100644 --- a/pkg/awsapi/autoscaling.go +++ b/pkg/awsapi/autoscaling.go @@ -926,4 +926,3 @@ type ASG interface { // [PutScalingPolicy]: https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_PutScalingPolicy.html UpdateAutoScalingGroup(ctx context.Context, params *autoscaling.UpdateAutoScalingGroupInput, optFns ...func(*Options)) (*autoscaling.UpdateAutoScalingGroupOutput, error) } - diff --git a/pkg/awsapi/cloudwatchlogs.go b/pkg/awsapi/cloudwatchlogs.go index d9baaab20d..bd49f7cbd2 100644 --- a/pkg/awsapi/cloudwatchlogs.go +++ b/pkg/awsapi/cloudwatchlogs.go 
@@ -1888,4 +1888,3 @@ type CloudWatchLogs interface { // destinations. UpdateScheduledQuery(ctx context.Context, params *cloudwatchlogs.UpdateScheduledQueryInput, optFns ...func(*Options)) (*cloudwatchlogs.UpdateScheduledQueryOutput, error) } - diff --git a/pkg/awsapi/ec2.go b/pkg/awsapi/ec2.go index d712418275..95807ac99e 100644 --- a/pkg/awsapi/ec2.go +++ b/pkg/awsapi/ec2.go @@ -6458,4 +6458,3 @@ type EC2 interface { // routing to Amazon Web Services because of BGP propagation delays. WithdrawByoipCidr(ctx context.Context, params *ec2.WithdrawByoipCidrInput, optFns ...func(*Options)) (*ec2.WithdrawByoipCidrOutput, error) } - diff --git a/pkg/awsapi/eks.go b/pkg/awsapi/eks.go index 2274e354e7..4e8eb8bff9 100644 --- a/pkg/awsapi/eks.go +++ b/pkg/awsapi/eks.go @@ -573,4 +573,3 @@ type EKS interface { // Amazon Web Services account. UpdatePodIdentityAssociation(ctx context.Context, params *eks.UpdatePodIdentityAssociationInput, optFns ...func(*Options)) (*eks.UpdatePodIdentityAssociationOutput, error) } - From 23000e3d71a992029892eec5f6146b7535333cd1 Mon Sep 17 00:00:00 2001 From: Ivan Date: Tue, 10 Feb 2026 10:27:03 +0800 Subject: [PATCH 7/7] Rename policy variable in iam_test.go Signed-off-by: Ivan --- pkg/cfn/builder/iam_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/cfn/builder/iam_test.go b/pkg/cfn/builder/iam_test.go index aaf4ede839..a097fc42b3 100644 --- a/pkg/cfn/builder/iam_test.go +++ b/pkg/cfn/builder/iam_test.go 
@@ -336,7 +336,7 @@ var _ = Describe("template builder for IAM", func() { ]`)) Expect(t).To(HaveOutputWithValue(outputs.IAMServiceAccountRoleName, `{ "Fn::GetAtt": "Role1.Arn" }`)) Expect(t).To(HaveResourceWithPropertyValue("PolicyAWSLoadBalancerController", "PolicyDocument", expectedAWSLoadBalancerControllerPolicyDocument)) - Expect(t).To(HaveResourceWithPropertyValue("PolicyAWSGlobalAccelerator", "PolicyDocument", expectedAWSAWSGlobalAcceleratorPolicyDocument)) + Expect(t).To(HaveResourceWithPropertyValue("PolicyAWSGlobalAccelerator", "PolicyDocument", expectedAWSGlobalAcceleratorPolicyDocument)) }) It("can parse an iamserviceaccount addon template", func() { @@ -809,7 +809,7 @@ const expectedAWSLoadBalancerControllerPolicyDocument = `{ "Version": "2012-10-17" }` -const expectedAWSAWSGlobalAcceleratorPolicyDocument = `{ +const expectedAWSGlobalAcceleratorPolicyDocument = `{ "Statement": [ { "Effect": "Allow",