what permissions are required for ak/sk

[ipyker]

What RAM and ACK permissions should I grant to this ak/sk?

[jwcesign]

Based on the code, it needs:

• AutoProvisionGroup create permission
• ECS delete permission
• ContainerService DescribeClusterAttachScripts/DescribeKubernetesVersionMetadata permission
• ECS Describe Instance types permission
• ECS DescribeSecurityGroup/VSwitch permission

We will support limited permission configuration in the future

[jwcesign]

Related issue: #29

[ipyker]

RRSA is the future direction, now AK/SK authorization needs to create a more granular policy permissions, so as to achieve the smallest granularity of security restrictions, I think the list of permissions you give can be subdivided, but at present I gave the following hosting permissions Karpenter can work normally.
AliyunCSFullAccess
ecs:AddTags
ecs:RemoveTags
ecs:Delete*
ecs:Create*
ecs:Describe*
vpc:Describe*

While it's still overprivileged, it may be necessary to provide the full Policy json as you would with reference AWS.
Reference: https://raw.githubusercontent.com/aws/karpenter-provider-aws/v1.0.7/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml

[jwcesign]

Thanks for suggestion, a more granular policy permissions is a good approach.

Would you mind giving a PR about this? A doc to show the least permissions of AK/SK