aws-controllers-k8s · a-hilaly · Sep 24, 2025
diff --git a/apis/core/v1alpha1/iam_role_selector.go b/apis/core/v1alpha1/iam_role_selector.go
@@ -0,0 +1,59 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// LabelSelector is a label query over a set of resources.
+type LabelSelector struct {
+	MatchLabels map[string]string `json:"matchLabels"`
+}
+
+// IAMRoleSelectorSpec defines the desired state of IAMRoleSelector
+type NamespaceSelector struct {
+	Names         []string      `json:"name"`
+	LabelSelector LabelSelector `json:"labelSelector,omitempty"`
+}
+
+type IAMRoleSelectorSpec struct {
+	ARN                  string                    `json:"arn"`
+	NamespaceSelector    NamespaceSelector         `json:"namespaceSelector,omitempty"`
+	ResourceTypeSelector []schema.GroupVersionKind `json:"resourceTypeSelector,omitempty"`
+}
+
+type IAMRoleSelectorStatus struct{}
+
+// IAMRoleSelector is the schema for the IAMRoleSelector API.
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+type IAMRoleSelector struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              IAMRoleSelectorSpec   `json:"spec,omitempty"`
+	Status            IAMRoleSelectorStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+type IAMRoleSelectorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []IAMRoleSelector `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&IAMRoleSelector{}, &IAMRoleSelectorList{})
+}
diff --git a/apis/core/v1alpha1/zz_generated.deepcopy.go b/apis/core/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/services.k8s.aws_iamroleselectors.yaml b/config/crd/bases/services.k8s.aws_iamroleselectors.yaml
@@ -0,0 +1,79 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.2
+  name: iamroleselectors.services.k8s.aws
+spec:
+  group: services.k8s.aws
+  names:
+    kind: IAMRoleSelector
+    listKind: IAMRoleSelectorList
+    plural: iamroleselectors
+    singular: iamroleselector
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IAMRoleSelector is the schema for the IAMRoleSelector API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              arn:
+                type: string
+              namespaceSelector:
+                description: IAMRoleSelectorSpec defines the desired state of IAMRoleSelector
+                properties:
+                  labelSelector:
+                    description: LabelSelector is a label query over a set of resources.
+                    properties:
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    required:
+                    - matchLabels
+                    type: object
+                  name:
+                    items:
+                      type: string
+                    type: array
+                required:
+                - name
+                type: object
+              resourceTypeSelector:
+                items:
+                  description: |-
+                    GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
+                    to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+                  type: object
+                type: array
+            required:
+            - arn
+            type: object
+          status:
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -3,5 +3,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - bases/services.k8s.aws_iamroleselectors.yaml
   - bases/services.k8s.aws_adoptedresources.yaml
   - bases/services.k8s.aws_fieldexports.yaml
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -380,6 +380,11 @@ func (cfg *Config) Validate(ctx context.Context, options ...Option) error {
 		return fmt.Errorf("error overriding feature gates: %v", err)
 	}
 
+	// IAMRolerSelector cannotbe used with enable-carm=true
+	if cfg.FeatureGates.IsEnabled(featuregate.IAMRoleSelector) && cfg.EnableCARM {
+		return fmt.Errorf("cannot enable feature gate '%s' when flag '%s' is set to true", featuregate.IAMRoleSelector, flagEnableCARM)
+	}
+
 	return nil
 }
 

diff --git a/pkg/featuregate/features.go b/pkg/featuregate/features.go
@@ -31,6 +31,9 @@ const (
 
 	// ServiceLevelCARM is a feature gate for enabling CARM for service-level resources.
 	ServiceLevelCARM = "ServiceLevelCARM"
+
+	// IAMRoleSelector is a feature gate for enabling the IAMRoleSelector feature and reconciler.
+	IAMRoleSelector = "IAMRoleSelector"
 )
 
 // defaultACKFeatureGates is a map of feature names to Feature structs
@@ -40,6 +43,7 @@ var defaultACKFeatureGates = FeatureGates{
 	ReadOnlyResources: {Stage: Beta, Enabled: true},
 	TeamLevelCARM:     {Stage: Alpha, Enabled: false},
 	ServiceLevelCARM:  {Stage: Alpha, Enabled: false},
+	IAMRoleSelector:   {Stage: Alpha, Enabled: false},
 }
 
 // FeatureStage represents the development stage of a feature.

diff --git a/pkg/runtime/adoption_reconciler.go b/pkg/runtime/adoption_reconciler.go
@@ -466,7 +466,7 @@ func (r *adoptionReconciler) getOwnerAccountID(
 ) (ackv1alpha1.AWSAccountID, bool) {
 	// look for owner account id in the namespace annotations
 	namespace := res.GetNamespace()
-	accID, ok := r.cache.Namespaces.GetOwnerAccountID(namespace)
+	accID, ok := r.carmCache.Namespaces.GetOwnerAccountID(namespace)
 	if ok {
 		return ackv1alpha1.AWSAccountID(accID), true
 	}
@@ -481,7 +481,7 @@ func (r *adoptionReconciler) getTeamID(
 ) ackv1alpha1.TeamID {
 	// look for team id in the namespace annotations
 	namespace := res.GetNamespace()
-	teamID, ok := r.cache.Namespaces.GetTeamID(namespace)
+	teamID, ok := r.carmCache.Namespaces.GetTeamID(namespace)
 	if ok {
 		return ackv1alpha1.TeamID(teamID)
 	}
@@ -497,7 +497,7 @@ func (r *adoptionReconciler) getEndpointURL(
 ) string {
 	// look for endpoint url in the namespace annotations
 	namespace := res.GetNamespace()
-	endpointURL, ok := r.cache.Namespaces.GetEndpointURL(namespace)
+	endpointURL, ok := r.carmCache.Namespaces.GetEndpointURL(namespace)
 	if ok {
 		return endpointURL
 	}
@@ -512,9 +512,9 @@ func (r *adoptionReconciler) getRoleARN(id string, cacheName string) (ackv1alpha
 	var cache *ackrtcache.CARMMap
 	switch cacheName {
 	case ackrtcache.ACKRoleTeamMap:
-		cache = r.cache.Teams
+		cache = r.carmCache.Teams
 	case ackrtcache.ACKRoleAccountMap:
-		cache = r.cache.Accounts
+		cache = r.carmCache.Accounts
 	default:
 		return "", fmt.Errorf("invalid cache name: %s", cacheName)
 	}
@@ -552,7 +552,7 @@ func (r *adoptionReconciler) getRegion(
 
 	// look for default region in namespace metadata annotations
 	ns := res.GetNamespace()
-	defaultRegion, ok := r.cache.Namespaces.GetDefaultRegion(ns)
+	defaultRegion, ok := r.carmCache.Namespaces.GetDefaultRegion(ns)
 	if ok {
 		return ackv1alpha1.AWSRegion(defaultRegion)
 	}
@@ -623,7 +623,7 @@ func NewAdoptionReconcilerWithClient(
 			log:       log.WithName("adopted-reconciler"),
 			cfg:       cfg,
 			metrics:   metrics,
-			cache:     cache,
+			carmCache: cache,
 			kc:        kc,
 			apiReader: apiReader,
 		},