-
Notifications
You must be signed in to change notification settings - Fork 786
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[EKS Prow Cluster] Add karpenter terraform module for eks-prow-build cluster #6895
base: main
Are you sure you want to change the base?
Conversation
/assign @xmudrii |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: koksay The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@@ -81,6 +82,27 @@ locals { | |||
} | |||
] | |||
|
|||
karpenter_roles = [ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we use cluster access entry instead of adding to the aws-auth configmap?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good question. I tried this code on the Canary cluster first and could not run Karpenter with the access entry. I may have missed something, so I turned it off and continued with the aws-auth file.
cluster_name = module.eks.cluster_name | ||
create_access_entry = false | ||
|
||
enable_irsa = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why not use EKS Pod Identity here?
rolearn = "arn:aws:iam::468814281478:role/AWSReservedSSO_AdministratorAccess_abaef4db15a2c055" | ||
username = "sso-admins" | ||
groups = [ | ||
"eks-cluster-admin" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure what permissions this group maps to, but similar to above - would cluster access entry work here instead?
interruptionQueue: Karpenter-prow-canary-cluster | ||
serviceAccount: | ||
annotations: | ||
eks.amazonaws.com/role-arn: "arn:aws:iam::054318140392:role/KarpenterController-20240527081538529900000002" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
EKS Pod Identity would remove this hardcoded role arn mapping in code
serviceAccount: | ||
annotations: | ||
# terraform state show module.karpenter.aws_iam_role.controller\[0\] | grep " arn " | ||
eks.amazonaws.com/role-arn: arn:aws:iam::468814281478:role/KarpenterController-20240527081538529900000002 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same comment - EKS Pod Identity removes this hardcoding
@@ -90,6 +101,12 @@ data "aws_iam_policy_document" "eks_apply" { | |||
"logs:PutRetentionPolicy", | |||
"logs:TagLogGroup", | |||
"s3:PutObject", | |||
"sqs:createqueue", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are these permissions required by prow, or by Karpenter? Likewise fir the Eventbridge API permissions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are required by the karpenter module, it creates a SQS queue for the event messaging.
Make sure to update the
serviceAccount.annotations
field in theinfra/aws/terraform/prow-build-cluster/resources/karpenter/flux-hr-karpenter.yaml
file (also ininfra/aws/terraform/prow-build-cluster/resources/karpenter/prod-cluster-values
):There will be a follow-up PR to add nodepool and nodeclass configration.