
Upgrade to k8s 1.30 (#367)
* Upgrade to k8s 1.30

* Drop support for v1alpha Karpenter APIs

Ensure Karpenter is updated to 0.32+ before upgrading the cluster to k8s 1.30

* Add required storageClassName to PVC test
errm authored Jul 26, 2024
1 parent 8078235 commit 0d89edd
Showing 4 changed files with 8 additions and 276 deletions.
267 changes: 5 additions & 262 deletions modules/karpenter/controller_iam.tf
Expand Up @@ -28,274 +28,17 @@ data "aws_iam_policy_document" "karpenter_controller_assume_role_policy" {
}
}

resource "aws_iam_role_policy" "karpenter_controller_v1_alpha" {
count = var.v1alpha ? 1 : 0
name = "KarpenterController"
role = aws_iam_role.karpenter_controller.id
policy = data.aws_iam_policy_document.karpenter_controller_v1_alpha.json
}

moved {
from = aws_iam_role_policy.karpenter_controller
to = aws_iam_role_policy.karpenter_controller_v1_alpha[0]
}

data "aws_iam_policy_document" "karpenter_controller_v1_alpha" {
statement {
sid = "AllowScopedEC2InstanceActions"
effect = "Allow"

# tfsec:ignore:aws-iam-no-policy-wildcards
resources = [
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}::image/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}::snapshot/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:spot-instances-request/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:security-group/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:subnet/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
]

actions = [
"ec2:RunInstances",
"ec2:CreateFleet",
]
}

statement {
sid = "AllowScopedEC2LaunchTemplateAccessActions"
effect = "Allow"

# tfsec:ignore:aws-iam-no-policy-wildcards
resources = [
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
]

actions = [
"ec2:RunInstances",
"ec2:CreateFleet",
]

condition {
test = "StringLike"
variable = "aws:RequestTag/karpenter.sh/provisioner-name"
values = ["*"]
}
}

statement {
sid = "AllowScopedEC2InstanceActionsWithTags"
effect = "Allow"

# tfsec:ignore:aws-iam-no-policy-wildcards
resources = [
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:fleet/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:volume/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:network-interface/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
]

actions = [
"ec2:RunInstances",
"ec2:CreateFleet",
"ec2:CreateLaunchTemplate",
]

condition {
test = "StringEquals"
variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_config.name}"
values = ["owned"]
}

condition {
test = "StringLike"
variable = "aws:RequestTag/karpenter.sh/provisioner-name"
values = ["*"]
}
}

statement {
sid = "AllowScopedResourceCreationTagging"
effect = "Allow"

# tfsec:ignore:aws-iam-no-policy-wildcards
resources = [
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:fleet/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:volume/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:network-interface/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
]

actions = ["ec2:CreateTags"]

condition {
test = "StringEquals"
variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_config.name}"
values = ["owned"]
}

condition {
test = "StringEquals"
variable = "ec2:CreateAction"

values = [
"RunInstances",
"CreateFleet",
"CreateLaunchTemplate",
]
}

condition {
test = "StringLike"
variable = "aws:RequestTag/karpenter.sh/provisioner-name"
values = ["*"]
}
}

statement {
sid = "AllowMachineMigrationTagging"
effect = "Allow"
# tfsec:ignore:aws-iam-no-policy-wildcards
resources = ["arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*"]
actions = ["ec2:CreateTags"]

condition {
test = "StringEquals"
variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
values = ["owned"]
}

condition {
test = "StringEquals"
variable = "aws:RequestTag/karpenter.sh/managed-by"
values = [var.cluster_config.name]
}

condition {
test = "StringLike"
variable = "aws:RequestTag/karpenter.sh/provisioner-name"
values = ["*"]
}

condition {
test = "ForAllValues:StringEquals"
variable = "aws:TagKeys"

values = [
"karpenter.sh/provisioner-name",
"karpenter.sh/managed-by",
]
}
}

statement {
sid = "AllowScopedDeletion"
effect = "Allow"

# tfsec:ignore:aws-iam-no-policy-wildcards
resources = [
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
"arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
]

actions = [
"ec2:TerminateInstances",
"ec2:DeleteLaunchTemplate",
]

condition {
test = "StringEquals"
variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
values = ["owned"]
}

condition {
test = "StringLike"
variable = "aws:ResourceTag/karpenter.sh/provisioner-name"
values = ["*"]
}
}

statement {
sid = "AllowRegionalReadActions"
effect = "Allow"
resources = ["*"]

actions = [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeSubnets",
]

condition {
test = "StringEquals"
variable = "aws:RequestedRegion"
values = [data.aws_region.current.name]
}
}

statement {
sid = "AllowSSMReadActions"
effect = "Allow"
resources = ["arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}::parameter/aws/service/*"]
actions = ["ssm:GetParameter"]
}

statement {
sid = "AllowPricingReadActions"
effect = "Allow"
resources = ["*"]
actions = ["pricing:GetProducts"]
}

statement {
sid = "AllowInterruptionQueueActions"
effect = "Allow"
resources = [aws_sqs_queue.karpenter_interruption.arn]

actions = [
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ReceiveMessage",
]
}

statement {
sid = "AllowPassingInstanceRole"
effect = "Allow"
resources = concat([aws_iam_role.karpenter_node.arn], var.additional_node_role_arns)
actions = ["iam:PassRole"]

condition {
test = "StringEquals"
variable = "iam:PassedToService"
values = ["ec2.amazonaws.com"]
}
}

statement {
sid = "AllowAPIServerEndpointDiscovery"
effect = "Allow"
resources = [var.cluster_config.arn]
actions = ["eks:DescribeCluster"]
}
}

resource "aws_iam_role_policy" "karpenter_controller_v1_beta" {
count = var.v1beta ? 1 : 0
name = "KarpenterController-v1beta"
role = aws_iam_role.karpenter_controller.id
policy = data.aws_iam_policy_document.karpenter_controller_v1_beta.json
}

moved {
from = aws_iam_role_policy.karpenter_controller_v1_beta[0]
to = aws_iam_role_policy.karpenter_controller_v1_beta
}

data "aws_iam_policy_document" "karpenter_controller_v1_beta" {
statement {
sid = "AllowScopedEC2InstanceAccessActions"
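Review bot: Nothing in the surviving code records why `aws_iam_role_policy.karpenter_controller_v1_alpha` and its policy document were removed, so an operator whose Karpenter still uses v1alpha APIs only finds out when the controller loses its EC2 permissions after apply; a header comment above the `karpenter_controller_v1_beta` resource should carry the constraint the commit message states, e.g. `# v1alpha Karpenter APIs are no longer supported (#367): Karpenter must be >= 0.32 before this module is applied against k8s 1.30.` The new `moved` block only migrates `karpenter_controller_v1_beta[0]` to the unindexed address, while the deleted `moved` block that mapped the pre-split `aws_iam_role_policy.karpenter_controller` address is gone, so state still holding that address will be planned for destruction — the intended outcome here, but worth a sentence in the same comment. Callers still passing `v1alpha` or `v1beta` (dropped from variables.tf in this commit) will presumably fail with an unsupported-argument error rather than a message pointing at the version requirement, which the comment could also mention. The `karpenter_controller_v1_beta` policy document that now holds all controller permissions begins on the last line of this hunk and continues beyond it, so the tag conditions that replace the deleted `karpenter.sh/provisioner-name` scoping could not be reviewed here.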
12 changes: 0 additions & 12 deletions modules/karpenter/variables.tf
Expand Up @@ -17,18 +17,6 @@ variable "oidc_config" {
})
}

variable "v1alpha" {
description = "Enable controller policy for v1alpha resources (Karpenter <= 0.32.*)"
type = bool
default = true
}

variable "v1beta" {
description = "Enable controller policy for v1beta resources (Karpenter >= 0.32.*)"
type = bool
default = true
}

variable "additional_node_role_arns" {
description = <<-EOF
Additional Node Role ARNS that karpenter should manage
1 change: 1 addition & 0 deletions test/cluster_test.go
Expand Up @@ -230,6 +230,7 @@ metadata:
name: ebs-claim
namespace: %s
spec:
storageClassName: gp2
accessModes:
- ReadWriteOnce
resources:
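Review bot: The added `storageClassName: gp2` carries no explanation of why the claim must now name a class, so the next person editing this fixture cannot tell whether the line is load-bearing or an arbitrary choice; a YAML comment on the line before it would settle that, e.g. `# EKS 1.30 no longer marks gp2 as the default StorageClass, so the claim must name one explicitly`. The `%s` placeholder on the namespace line suggests this manifest lives inside a Go format string, and the enclosing test function starts and ends outside the hunk. If the class is missing, the claim presumably sits in Pending until the test times out, so asserting that the `gp2` StorageClass exists before the claim is created would turn that into a clear failure.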
4 changes: 2 additions & 2 deletions versions.tf
Expand Up @@ -2,9 +2,9 @@
# to generate the latest values for this
locals {
versions = {
k8s = "1.29"
k8s = "1.30"
vpc_cni = "v1.18.2-eksbuild.1"
kube_proxy = "v1.29.3-eksbuild.5"
kube_proxy = "v1.30.0-eksbuild.3"
coredns = "v1.11.1-eksbuild.9"
aws_ebs_csi_driver = "v1.32.0-eksbuild.1"
}
