diff --git a/modules/karpenter/controller_iam.tf b/modules/karpenter/controller_iam.tf
index 5f0d1de..7ccdb39 100644
--- a/modules/karpenter/controller_iam.tf
+++ b/modules/karpenter/controller_iam.tf
@@ -28,274 +28,17 @@ data "aws_iam_policy_document" "karpenter_controller_assume_role_policy" {
 }
 }
 
-resource "aws_iam_role_policy" "karpenter_controller_v1_alpha" {
- count = var.v1alpha ? 1 : 0
- name = "KarpenterController"
- role = aws_iam_role.karpenter_controller.id
- policy = data.aws_iam_policy_document.karpenter_controller_v1_alpha.json
-}
-
-moved {
- from = aws_iam_role_policy.karpenter_controller
- to = aws_iam_role_policy.karpenter_controller_v1_alpha[0]
-}
-
-data "aws_iam_policy_document" "karpenter_controller_v1_alpha" {
- statement {
- sid = "AllowScopedEC2InstanceActions"
- effect = "Allow"
-
- # tfsec:ignore:aws-iam-no-policy-wildcards
- resources = [
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}::image/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}::snapshot/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:spot-instances-request/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:security-group/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:subnet/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
- ]
-
- actions = [
- "ec2:RunInstances",
- "ec2:CreateFleet",
- ]
- }
-
- statement {
- sid = "AllowScopedEC2LaunchTemplateAccessActions"
- effect = "Allow"
-
- # tfsec:ignore:aws-iam-no-policy-wildcards
- resources = [
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
- ]
-
- actions = [
- "ec2:RunInstances",
- "ec2:CreateFleet",
- ]
-
- condition {
- test = "StringLike"
- variable = "aws:RequestTag/karpenter.sh/provisioner-name"
- values = ["*"]
- }
- }
-
- statement {
- sid = "AllowScopedEC2InstanceActionsWithTags"
- effect = "Allow"
-
- # tfsec:ignore:aws-iam-no-policy-wildcards
- resources = [
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:fleet/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:volume/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:network-interface/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
- ]
-
- actions = [
- "ec2:RunInstances",
- "ec2:CreateFleet",
- "ec2:CreateLaunchTemplate",
- ]
-
- condition {
- test = "StringEquals"
- variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_config.name}"
- values = ["owned"]
- }
-
- condition {
- test = "StringLike"
- variable = "aws:RequestTag/karpenter.sh/provisioner-name"
- values = ["*"]
- }
- }
-
- statement {
- sid = "AllowScopedResourceCreationTagging"
- effect = "Allow"
-
- # tfsec:ignore:aws-iam-no-policy-wildcards
- resources = [
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:fleet/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:volume/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:network-interface/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
- ]
-
- actions = ["ec2:CreateTags"]
-
- condition {
- test = "StringEquals"
- variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_config.name}"
- values = ["owned"]
- }
-
- condition {
- test = "StringEquals"
- variable = "ec2:CreateAction"
-
- values = [
- "RunInstances",
- "CreateFleet",
- "CreateLaunchTemplate",
- ]
- }
-
- condition {
- test = "StringLike"
- variable = "aws:RequestTag/karpenter.sh/provisioner-name"
- values = ["*"]
- }
- }
-
- statement {
- sid = "AllowMachineMigrationTagging"
- effect = "Allow"
- # tfsec:ignore:aws-iam-no-policy-wildcards
- resources = ["arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*"]
- actions = ["ec2:CreateTags"]
-
- condition {
- test = "StringEquals"
- variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
- values = ["owned"]
- }
-
- condition {
- test = "StringEquals"
- variable = "aws:RequestTag/karpenter.sh/managed-by"
- values = [var.cluster_config.name]
- }
-
- condition {
- test = "StringLike"
- variable = "aws:RequestTag/karpenter.sh/provisioner-name"
- values = ["*"]
- }
-
- condition {
- test = "ForAllValues:StringEquals"
- variable = "aws:TagKeys"
-
- values = [
- "karpenter.sh/provisioner-name",
- "karpenter.sh/managed-by",
- ]
- }
- }
-
- statement {
- sid = "AllowScopedDeletion"
- effect = "Allow"
-
- # tfsec:ignore:aws-iam-no-policy-wildcards
- resources = [
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
- "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
- ]
-
- actions = [
- "ec2:TerminateInstances",
- "ec2:DeleteLaunchTemplate",
- ]
-
- condition {
- test = "StringEquals"
- variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
- values = ["owned"]
- }
-
- condition {
- test = "StringLike"
- variable = "aws:ResourceTag/karpenter.sh/provisioner-name"
- values = ["*"]
- }
- }
-
- statement {
- sid = "AllowRegionalReadActions"
- effect = "Allow"
- resources = ["*"]
-
- actions = [
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeImages",
- "ec2:DescribeInstances",
- "ec2:DescribeInstanceTypeOfferings",
- "ec2:DescribeInstanceTypes",
- "ec2:DescribeLaunchTemplates",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSpotPriceHistory",
- "ec2:DescribeSubnets",
- ]
-
- condition {
- test = "StringEquals"
- variable = "aws:RequestedRegion"
- values = [data.aws_region.current.name]
- }
- }
-
- statement {
- sid = "AllowSSMReadActions"
- effect = "Allow"
- resources = ["arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}::parameter/aws/service/*"]
- actions = ["ssm:GetParameter"]
- }
-
- statement {
- sid = "AllowPricingReadActions"
- effect = "Allow"
- resources = ["*"]
- actions = ["pricing:GetProducts"]
- }
-
- statement {
- sid = "AllowInterruptionQueueActions"
- effect = "Allow"
- resources = [aws_sqs_queue.karpenter_interruption.arn]
-
- actions = [
- "sqs:DeleteMessage",
- "sqs:GetQueueAttributes",
- "sqs:GetQueueUrl",
- "sqs:ReceiveMessage",
- ]
- }
-
- statement {
- sid = "AllowPassingInstanceRole"
- effect = "Allow"
- resources = concat([aws_iam_role.karpenter_node.arn], var.additional_node_role_arns)
- actions = ["iam:PassRole"]
-
- condition {
- test = "StringEquals"
- variable = "iam:PassedToService"
- values = ["ec2.amazonaws.com"]
- }
- }
-
- statement {
- sid = "AllowAPIServerEndpointDiscovery"
- effect = "Allow"
- resources = [var.cluster_config.arn]
- actions = ["eks:DescribeCluster"]
- }
-}
-
 resource "aws_iam_role_policy" "karpenter_controller_v1_beta" {
- count = var.v1beta ? 1 : 0
 name = "KarpenterController-v1beta"
 role = aws_iam_role.karpenter_controller.id
 policy = data.aws_iam_policy_document.karpenter_controller_v1_beta.json
 }
 
+moved {
+ from = aws_iam_role_policy.karpenter_controller_v1_beta[0]
+ to = aws_iam_role_policy.karpenter_controller_v1_beta
+}
+
 data "aws_iam_policy_document" "karpenter_controller_v1_beta" {
 statement {
 sid = "AllowScopedEC2InstanceAccessActions"
diff --git a/modules/karpenter/variables.tf b/modules/karpenter/variables.tf
index df8c81a..9b55d28 100644
--- a/modules/karpenter/variables.tf
+++ b/modules/karpenter/variables.tf
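Review bot: The new `moved` block carries no comment explaining why state has to migrate from `karpenter_controller_v1_beta[0]` to the un-indexed address or how long the block must stay; add something like `# count was removed together with v1alpha support; migrate existing state instead of destroying and recreating the role policy. Keep until all consumers have applied a release containing this block.` so the next maintainer does not delete it early and force a destroy/create of the controller's only inline policy. The older `moved { from = aws_iam_role_policy.karpenter_controller ... }` is also dropped, so a consumer upgrading straight from a release before the v1alpha/v1beta split would, as far as I can tell, see that legacy address planned for destruction while `karpenter_controller_v1_beta` is created — the intended end state, but worth stating in the changelog along with the new minimum Karpenter version now that the `v1alpha`/`v1beta` switches are gone. The resource name `karpenter_controller_v1_beta` and the policy name `KarpenterController-v1beta` are now the only variants and could be documented as such rather than renamed, to avoid another migration. The `karpenter_controller_v1_beta` policy document continues outside the hunk.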
@@ -17,18 +17,6 @@ variable "oidc_config" {
 })
 }
 
-variable "v1alpha" {
- description = "Enable controller policy for v1alpha resources (Karpenter <= 0.32.*)"
- type = bool
- default = true
-}
-
-variable "v1beta" {
- description = "Enable controller policy for v1beta resources (Karpenter >= 0.32.*)"
- type = bool
- default = true
-}
-
 variable "additional_node_role_arns" {
 description = <<-EOF
 Additional Node Role ARNS that karpenter should manage
diff --git a/test/cluster_test.go b/test/cluster_test.go
index 7b33b23..09f49d2 100644
--- a/test/cluster_test.go
+++ b/test/cluster_test.go
@@ -230,6 +230,7 @@ metadata:
 name: ebs-claim
 namespace: %s
 spec:
+ storageClassName: gp2
 accessModes:
 - ReadWriteOnce
 resources:
diff --git a/versions.tf b/versions.tf
index 09fb5cd..c82ad0b 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,9 +2,9 @@
 # to generate the latest values for this
 locals {
 versions = {
- k8s = "1.29"
+ k8s = "1.30"
 vpc_cni = "v1.18.2-eksbuild.1"
- kube_proxy = "v1.29.3-eksbuild.5"
+ kube_proxy = "v1.30.0-eksbuild.3"
 coredns = "v1.11.1-eksbuild.9"
 aws_ebs_csi_driver = "v1.32.0-eksbuild.1"
 }
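Review bot: The added `storageClassName: gp2` pins the test PVC to a cluster-provided class without saying why, so whoever does the next version bump cannot tell whether the line is load-bearing; add a comment above the manifest such as `// storageClassName is set explicitly so the PVC does not depend on a default StorageClass being present` and, if the motivation is the 1.30 bump in versions.tf, say so. Since versions.tf in this same commit ships `aws_ebs_csi_driver`, a class backed by the `ebs.csi.aws.com` provisioner (gp3) would exercise the driver this module installs rather than the pre-created gp2 class — worth confirming which behaviour the test is meant to cover. The Go string literal holding this manifest starts and ends outside the hunk.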