Adding Pod Identity option for Karpenter

aws-ia · Jun 9, 2024 · 8c83eda · 8c83eda
1 parent 7755fb6
commit 8c83eda
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 11 deletions.
diff --git a/main.tf b/main.tf
@@ -2749,7 +2749,7 @@ locals {
   input_karpenter_node_instance_profile_name = try(var.karpenter_node.instance_profile_name, local.karpenter_node_iam_role_name)
   # This is the name passed to the Karpenter Helm chart - either the profile the module creates, or one provided by the user
   output_karpenter_node_instance_profile_name = try(aws_iam_instance_profile.karpenter[0].name, var.karpenter_node.instance_profile_name, "")
-  karpenter_namespace                         = try(var.karpenter.namespace, "karpenter")
+  karpenter_namespace                         = try(var.karpenter.namespace, "kube-system")
 
   karpenter_set = [
     # TODO - remove at next breaking change
@@ -3006,9 +3006,25 @@ resource "aws_iam_instance_profile" "karpenter" {
   tags = merge(var.tags, try(var.karpenter_node.instance_profile_tags, {}))
 }
 
+resource "aws_eks_access_entry" "node" {
+  count = var.enable_karpenter && var.karpenter_create_access_entry ? 1 : 0
+
+  cluster_name  = var.cluster_name
+  principal_arn = local.create_karpenter_node_iam_role ? aws_iam_role.karpenter[0].arn : var.karpenter.node_iam_role_arn
+  type          = "EC2_LINUX"
+
+  tags = var.tags
+
+  depends_on = [
+    # If we try to add this too quickly, it fails. So .... we wait
+    module.karpenter_sqs
+  ]
+}
+
 module "karpenter" {
-  source  = "aws-ia/eks-blueprints-addon/aws"
-  version = "1.1.1"
+  source = "../terraform-aws-eks-blueprints-addon"
+  # source  = "aws-ia/eks-blueprints-addon/aws"
+  # version = "1.1.1"
 
   create = var.enable_karpenter
 
@@ -3021,7 +3037,7 @@ module "karpenter" {
   namespace        = local.karpenter_namespace
   create_namespace = try(var.karpenter.create_namespace, true)
   chart            = try(var.karpenter.chart, "karpenter")
-  chart_version    = try(var.karpenter.chart_version, "0.35.0")
+  chart_version    = try(var.karpenter.chart_version, "0.37.0")
   repository       = try(var.karpenter.repository, "oci://public.ecr.aws/karpenter")
   values           = try(var.karpenter.values, [])
 
@@ -3058,6 +3074,12 @@ module "karpenter" {
   )
   set_sensitive = try(var.karpenter.set_sensitive, [])
 
+  # Pod Identity
+  enable_pod_identity             = try(var.karpenter.enable_pod_identity, false)
+  create_pod_identity_association = try(var.karpenter.create_pod_identity_association, false)
+  cluster_name                    = var.cluster_name
+  service_account                 = local.karpenter_service_account_name
+
   # IAM role for service account (IRSA)
   set_irsa_names                = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
   create_role                   = try(var.karpenter.create_role, true)
@@ -3074,14 +3096,14 @@ module "karpenter" {
   policy_name_use_prefix  = try(var.karpenter.policy_name_use_prefix, true)
   policy_path             = try(var.karpenter.policy_path, null)
   policy_description      = try(var.karpenter.policy_description, "IAM Policy for karpenter")
-
+  
   oidc_providers = {
     this = {
       provider_arn = local.oidc_provider_arn
       # namespace is inherited from chart
       service_account = local.karpenter_service_account_name
-    }
-  }
+    } 
+  } 
 
   tags = var.tags
 }

diff --git a/tests/complete/main.tf b/tests/complete/main.tf
@@ -82,6 +82,7 @@ module "eks_blueprints_addons" {
       most_recent = true
     }
     kube-proxy = {}
+    eks-pod-identity-agent = {}
     adot = {
       most_recent              = true
       service_account_role_arn = module.adot_irsa.iam_role_arn
@@ -162,8 +163,11 @@ module "eks_blueprints_addons" {
 
   enable_karpenter                           = true
   karpenter_enable_instance_profile_creation = true
-  # ECR login required
-  karpenter = {
+  karpenter_create_access_entry              = true
+   karpenter = {
+    enable_pod_identity             = true
+    create_pod_identity_association = true
+    # ECR login required
     repository_username = data.aws_ecrpublic_authorization_token.token.user_name
     repository_password = data.aws_ecrpublic_authorization_token.token.password
   }
@@ -266,12 +270,17 @@ module "eks" {
       instance_type = "m5.large"
 
       min_size     = 1
-      max_size     = 10
+      max_size     = 5
       desired_size = 1
     }
   }
 
-  tags = local.tags
+  tags = merge(local.tags, {
+    # NOTE - if creating multiple security groups with this module, only tag the
+    # security group that Karpenter should utilize with the following tag
+    # (i.e. - at most, only one security group should have this tag in your account)
+    "karpenter.sh/discovery" = local.name
+  })
 }
 
 ################################################################################
@@ -298,6 +307,7 @@ module "vpc" {
 
   private_subnet_tags = {
     "kubernetes.io/role/internal-elb" = 1
+    "karpenter.sh/discovery" = local.name
   }
 
   tags = local.tags

diff --git a/variables.tf b/variables.tf
@@ -454,6 +454,12 @@ variable "karpenter_enable_instance_profile_creation" {
   default     = true
 }
 
+variable "karpenter_create_access_entry" {
+  description = "Determines whether to create Karpenter Access Entry for Cluster Access Management API."
+  type        = bool
+  default     = false
+}
+
 variable "karpenter_sqs" {
   description = "Karpenter SQS queue for native node termination handling configuration values"
   type        = any