v0.11

AWS union-ai-admin role:

• Add ec2:DisassociateVpcCidrBlock to allow Union to remove additional IPv4 CIDR block ranges to Union VPCs. This allows Union to restructure VPC IP ranges. Ref: #32
• Add ability for Union to read cloud watch logs. Ref: #33 and #35
• Add permission in support of Union remote image builder: #38

GCP Role:

• Add ability to remove additional pod IP ranges: #41
• Add permission in support of Union remote image builder: #37
• Update as of Jan 2025 Add permissions to create GCP log views to allow the ability to opt-in to Union creating GCP log views to assist scaling issues.

v0.10

Allow associating additional CIDR blocks to VPC (#26)

* Allow associating additional VPC CIDR blocks to VPC

* Also add to provisioner

v0.9

• Add ability to untag Karpenter event resources
  • Enables support for customer defined AWS default_tags
• Add permission to union-ai-admin to manage EKS access entries
  • Required to enable managing of IAM roles or users access to EKS using access entries

v0.8

• Added iam:UpdateAssumeRolePolicy to instance-profile resources
  • Required for Union's Karpenter migration. Karpenter directly manages to attach roles to the EC2 instances. This change adds permissions to Karpenter-managed EC2 instances to assume Karpenter-managed roles.
• Added permissions for creating SQS queues and EventBridge rules to be used by Karpenter
  • Required to support the Karpenter feature to monitor AWS reclaiming spot instance capacity and node termination.
• iam:CreatePolicyVersion and iam:DeletePolicyVersion' to modify existing Union IAM policies
• ec2:DescribeInstanceTypes, servicequotas:GetServiceQuota', cloudwatch:GetMetricStatistics to check cluster state before release of changes.
  • Union is introducing pre-deploy infrastructure checks to ensure accounts have sufficient quota for the desired cluster configuration.
• ec2:*VpcEndpoints to reduce NatGateway traffic and reduce subsequent costs
  • Introduce VpcEndpoints for AWS services to reduce internet-bound traffic through NAT Gateways. Thus, reducing NAT gateway costs.

Additionally, accessible at https://union-public.s3.amazonaws.com/templates/v0.8/union-ai-admin-role.template.yaml

v0.7

• Added iam:ListPolicies
  • This allows us to list available IAM policies and is often used by Union Cloud support staff to help troubleshoot AWS permissions issues.
• Removed Cloudfront Origin Identity Access permissions
  • These permissions are no longer necessary
• Added ability to apply tags EKS addons managed by Union Cloud