fix(eks): separate yaml file

packages/aws-cdk-lib/aws-eks/lib/addons/neuron-device-plugin-rbac-cluster-role-binding.yaml

@@ -0,0 +1,14 @@
+# source: https://awsdocs-neuron.readthedocs-hosted.com/en/latest/containers/tutorials/k8s-setup.html
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: neuron-device-plugin
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: neuron-device-plugin
+subjects:
+- kind: ServiceAccount
+  name: neuron-device-plugin
+  namespace: kube-system

packages/aws-cdk-lib/aws-eks/lib/addons/neuron-device-plugin-rbac.yaml → packages/aws-cdk-lib/aws-eks/lib/addons/neuron-device-plugin-rbac-cluster-role.yaml

@@ -1,5 +1,4 @@
 # source: https://awsdocs-neuron.readthedocs-hosted.com/en/latest/containers/tutorials/k8s-setup.html
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -37,23 +36,3 @@ rules:
   verbs:
   - patch
   - update
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: neuron-device-plugin
-  namespace: kube-system
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: neuron-device-plugin
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: neuron-device-plugin
-subjects:
-- kind: ServiceAccount
-  name: neuron-device-plugin
-  namespace: kube-system

packages/aws-cdk-lib/aws-eks/lib/addons/neuron-device-plugin-rbac-service-account.yaml

@@ -0,0 +1,6 @@
+# source: https://awsdocs-neuron.readthedocs-hosted.com/en/latest/containers/tutorials/k8s-setup.html
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: neuron-device-plugin
+  namespace: kube-system

packages/aws-cdk-lib/aws-eks/lib/cluster.ts

@@ -1445,7 +1445,11 @@ export class Cluster extends ClusterBase {
 
   private _neuronDevicePlugin?: KubernetesManifest;
 
-  private _neuronDevicePluginRbac?: KubernetesManifest;
+  private _neuronDevicePluginRbacClusterRole?: KubernetesManifest;
+
+  private _neuronDevicePluginRbacServiceAccount?: KubernetesManifest;
+
+  private _neuronDevicePluginRbacClusterRoleBinding?: KubernetesManifest;
 
   private readonly endpointAccess: EndpointAccess;
 
@@ -1996,13 +2000,21 @@ export class Cluster extends ClusterBase {
    * already added.
    */
   private addNeuronDevicePluginRbac() {
-    if (!this._neuronDevicePluginRbac) {
-      const fileContents = fs.readFileSync(path.join(__dirname, 'addons', 'neuron-device-plugin-rbac.yaml'), 'utf8');
-      const sanitized = YAML.parse(fileContents);
-      this._neuronDevicePluginRbac = this.addManifest('NeuronDevicePluginRbac', sanitized);
+    if (!this._neuronDevicePluginRbacClusterRole) {
+      const clusterRoleFileContents = fs.readFileSync(path.join(__dirname, 'addons', 'neuron-device-plugin-rbac-cluster-role.yaml'), 'utf8');
+      const sanitizedClusterRole = YAML.parse(clusterRoleFileContents);
+      this._neuronDevicePluginRbacClusterRole = this.addManifest('NeuronDevicePluginRbacClusterRole', sanitizedClusterRole);
+    }
+    if (!this._neuronDevicePluginRbacClusterRoleBinding) {
+      const clusterRoleBindingFileContents = fs.readFileSync(path.join(__dirname, 'addons', 'neuron-device-plugin-rbac-cluster-role-binding.yaml'), 'utf8');
+      const sanitizedClusterRoleBinding = YAML.parse(clusterRoleBindingFileContents);
+      this._neuronDevicePluginRbacClusterRoleBinding = this.addManifest('NeuronDevicePluginRbacClusterRoleBinding', sanitizedClusterRoleBinding);
+    }
+    if (!this._neuronDevicePluginRbacServiceAccount) {
+      const clusterRoleBindingFileContents = fs.readFileSync(path.join(__dirname, 'addons', 'neuron-device-plugin-rbac-service-account.yaml'), 'utf8');
+      const sanitizedServiceAccount = YAML.parse(clusterRoleBindingFileContents);
+      this._neuronDevicePluginRbacServiceAccount = this.addManifest('NeuronDevicePluginRbacServiceAccount', sanitizedServiceAccount);
     }
-
-    return this._neuronDevicePluginRbac;
   }
 
   /**

packages/aws-cdk-lib/aws-eks/test/cluster.test.ts

@@ -2183,12 +2183,31 @@ describe('cluster', () => {
         instanceType: new ec2.InstanceType('inf1.2xlarge'),
         minCapacity: 1,
       });
-      const fileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
-      const sanitized = YAML.parse(fileContents);
+
+      const daemonSetFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
+      const sanitizedDaemonSet = YAML.parse(daemonSetFileContents);
+
+      const clusterRoleFileContent = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role.yaml'), 'utf8');
+      const sanitizedClusterRole = YAML.parse(clusterRoleFileContent);
+
+      const clusterRoleBindingFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role-binding.yaml'), 'utf8');
+      const sanitizedClusterRoleBinding = YAML.parse(clusterRoleBindingFileContents);
+
+      const serviceAccountFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-service-account.yaml'), 'utf8');
+      const sanitizedServiceAccount = YAML.parse(serviceAccountFileContents);
 
       // THEN
       Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
-        Manifest: JSON.stringify([sanitized]),
+        Manifest: JSON.stringify([sanitizedDaemonSet]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRole]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRoleBinding]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedServiceAccount]),
       });
     });
     test('inf2 instances are supported', () => {
@@ -2201,12 +2220,31 @@ describe('cluster', () => {
         instanceType: new ec2.InstanceType('inf2.xlarge'),
         minCapacity: 1,
       });
-      const fileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
-      const sanitized = YAML.parse(fileContents);
+
+      const daemonSetFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
+      const sanitizedDaemonSet = YAML.parse(daemonSetFileContents);
+
+      const clusterRoleFileContent = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role.yaml'), 'utf8');
+      const sanitizedClusterRole = YAML.parse(clusterRoleFileContent);
+
+      const clusterRoleBindingFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role-binding.yaml'), 'utf8');
+      const sanitizedClusterRoleBinding = YAML.parse(clusterRoleBindingFileContents);
+
+      const serviceAccountFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-service-account.yaml'), 'utf8');
+      const sanitizedServiceAccount = YAML.parse(serviceAccountFileContents);
 
       // THEN
       Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
-        Manifest: JSON.stringify([sanitized]),
+        Manifest: JSON.stringify([sanitizedDaemonSet]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRole]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRoleBinding]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedServiceAccount]),
       });
     });
     test('trn1 instances are supported', () => {
@@ -2219,12 +2257,31 @@ describe('cluster', () => {
         instanceType: new ec2.InstanceType('trn1.2xlarge'),
         minCapacity: 1,
       });
-      const fileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
-      const sanitized = YAML.parse(fileContents);
+
+      const daemonSetFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
+      const sanitizedDaemonSet = YAML.parse(daemonSetFileContents);
+
+      const clusterRoleFileContent = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role.yaml'), 'utf8');
+      const sanitizedClusterRole = YAML.parse(clusterRoleFileContent);
+
+      const clusterRoleBindingFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role-binding.yaml'), 'utf8');
+      const sanitizedClusterRoleBinding = YAML.parse(clusterRoleBindingFileContents);
+
+      const serviceAccountFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-service-account.yaml'), 'utf8');
+      const sanitizedServiceAccount = YAML.parse(serviceAccountFileContents);
 
       // THEN
       Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
-        Manifest: JSON.stringify([sanitized]),
+        Manifest: JSON.stringify([sanitizedDaemonSet]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRole]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRoleBinding]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedServiceAccount]),
       });
     });
     test('trn1n instances are supported', () => {
@@ -2237,12 +2294,31 @@ describe('cluster', () => {
         instanceType: new ec2.InstanceType('trn1n.2xlarge'),
         minCapacity: 1,
       });
-      const fileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
-      const sanitized = YAML.parse(fileContents);
+
+      const daemonSetFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
+      const sanitizedDaemonSet = YAML.parse(daemonSetFileContents);
+
+      const clusterRoleFileContent = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role.yaml'), 'utf8');
+      const sanitizedClusterRole = YAML.parse(clusterRoleFileContent);
+
+      const clusterRoleBindingFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role-binding.yaml'), 'utf8');
+      const sanitizedClusterRoleBinding = YAML.parse(clusterRoleBindingFileContents);
+
+      const serviceAccountFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-service-account.yaml'), 'utf8');
+      const sanitizedServiceAccount = YAML.parse(serviceAccountFileContents);
 
       // THEN
       Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
-        Manifest: JSON.stringify([sanitized]),
+        Manifest: JSON.stringify([sanitizedDaemonSet]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRole]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRoleBinding]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedServiceAccount]),
       });
     });
 
@@ -2255,12 +2331,31 @@ describe('cluster', () => {
       cluster.addNodegroupCapacity('InferenceInstances', {
         instanceTypes: [new ec2.InstanceType('inf1.2xlarge')],
       });
-      const fileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
-      const sanitized = YAML.parse(fileContents);
+
+      const daemonSetFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
+      const sanitizedDaemonSet = YAML.parse(daemonSetFileContents);
+
+      const clusterRoleFileContent = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role.yaml'), 'utf8');
+      const sanitizedClusterRole = YAML.parse(clusterRoleFileContent);
+
+      const clusterRoleBindingFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role-binding.yaml'), 'utf8');
+      const sanitizedClusterRoleBinding = YAML.parse(clusterRoleBindingFileContents);
+
+      const serviceAccountFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-service-account.yaml'), 'utf8');
+      const sanitizedServiceAccount = YAML.parse(serviceAccountFileContents);
 
       // THEN
       Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
-        Manifest: JSON.stringify([sanitized]),
+        Manifest: JSON.stringify([sanitizedDaemonSet]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRole]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRoleBinding]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedServiceAccount]),
       });
     });
     test('inf2 instances are supported in addNodegroupCapacity', () => {
@@ -2272,12 +2367,31 @@ describe('cluster', () => {
       cluster.addNodegroupCapacity('InferenceInstances', {
         instanceTypes: [new ec2.InstanceType('inf2.xlarge')],
       });
-      const fileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
-      const sanitized = YAML.parse(fileContents);
+
+      const daemonSetFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin.yaml'), 'utf8');
+      const sanitizedDaemonSet = YAML.parse(daemonSetFileContents);
+
+      const clusterRoleFileContent = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role.yaml'), 'utf8');
+      const sanitizedClusterRole = YAML.parse(clusterRoleFileContent);
+
+      const clusterRoleBindingFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-cluster-role-binding.yaml'), 'utf8');
+      const sanitizedClusterRoleBinding = YAML.parse(clusterRoleBindingFileContents);
+
+      const serviceAccountFileContents = fs.readFileSync(path.join(__dirname, '..', 'lib', 'addons', 'neuron-device-plugin-rbac-service-account.yaml'), 'utf8');
+      const sanitizedServiceAccount = YAML.parse(serviceAccountFileContents);
 
       // THEN
       Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
-        Manifest: JSON.stringify([sanitized]),
+        Manifest: JSON.stringify([sanitizedDaemonSet]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRole]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedClusterRoleBinding]),
+      });
+      Template.fromStack(stack).hasResourceProperties(eks.KubernetesManifest.RESOURCE_TYPE, {
+        Manifest: JSON.stringify([sanitizedServiceAccount]),
       });
     });