I am trying to set up an RKE2 cluster on AWS. As such, I am using the aws cloud provider to interact with the autoscaling groups to spin up new master / worker nodes as needed. The cloud provider requires a significant number of policies added to my IAM role in order to work, and that is where my problem comes in.
The AWS IAM role I have access to has locked down permissions that I cannot update. Specifically "ec2:DeleteRoute*" is Denied, and RKE2 needs that to be Allowed on its control plane nodes. However, the documentation for the aws cloud provider module says the following:
The control plane (formerly master) policy is a bit open and can be scaled back depending on the use case. Adjust these based on your needs.
Testing shows that I cannot simply ignore the fact that ec2:DeleteRoute is Denied and try to start up the control plane, as this causes the kubelet to immediately exit with error code 1. However, that module note gives me hope that there is some workaround.
Is there any way to run the aws cloud provider without ec2:DeleteRoute permissions?
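The question turns on how IAM resolves a conflict between an Allow in the cloud provider's control-plane policy and a Deny that the role's owner has locked in place. The following is an added example, not code from the original post and not part of RKE2 or the AWS cloud provider: a small, simplified evaluator of IAM policy documents that applies the two rules that matter here (an explicit Deny on a matching action wins regardless of any Allow, and action names are matched case-insensitively with `*` and `?` wildcards). The two policy documents are constructed for illustration; the evaluator deliberately ignores Resource, Condition, NotAction and principal logic, so it is a reasoning aid, not a substitute for AWS's own evaluation.

```python
import re

# Constructed sample policies (hypothetical, for illustration only).
# CONTROL_PLANE_ALLOW stands in for the cloud provider's control-plane policy;
# LOCKED_DOWN_DENY stands in for the deny the role owner will not remove.
CONTROL_PLANE_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:DeleteRoute",
                "autoscaling:DescribeAutoScalingGroups",
            ],
            "Resource": "*",
        }
    ],
}

LOCKED_DOWN_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:DeleteRoute*", "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM allows 'Statement' and 'Action' to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' matches any run of
    characters and '?' matches a single character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern.lower()
    )
    return re.fullmatch(regex, action.lower()) is not None


def evaluate(policies, action: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one action.

    Simplified evaluator (assumption): every statement is treated as applying
    to every resource, and Condition/NotAction/Principal are ignored.
    An explicit Deny anywhere in the set wins over any Allow, whatever the
    order of the policies.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            patterns = _as_list(stmt.get("Action"))
            if not any(action_matches(p, action) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit_deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "implicit_deny"


def missing_permissions(policies, required_actions):
    """Actions from required_actions that do not evaluate to 'allow'."""
    return [a for a in required_actions if evaluate(policies, a) != "allow"]


if __name__ == "__main__":
    effective = [CONTROL_PLANE_ALLOW, LOCKED_DOWN_DENY]
    for act in ["ec2:CreateRoute", "ec2:DeleteRoute",
                "ec2:DeleteRouteTable", "ec2:TerminateInstances"]:
        print(f"{act:28} -> {evaluate(effective, act)}")
    print("missing:", missing_permissions(
        effective, ["ec2:CreateRoute", "ec2:DeleteRoute"]))
```

Two things the example makes visible. First, adding `ec2:DeleteRoute` to an Allow statement changes nothing while the Deny is present; the evaluator reports `explicit_deny` in either policy order, which is why the fix has to come from the Deny side or from not needing the action at all. Second, the wildcard pattern `ec2:DeleteRoute*` also matches `ec2:DeleteRouteTable`, so a deny written that way reaches further than the single action named in the question. For a definitive answer against the real role, including SCPs and permissions boundaries, run `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names ec2:DeleteRoute` rather than trusting a local approximation.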