The fargate-operator is a Kubernetes operator that allows you to manage Fargate Profiles directly from Kubernetes.
It utilizes Zalando's kopf, a framework for writing Kubernetes operators in Python. The operator watches for the creation,
or deletion of a FargateProfile object. The FargateProfile object is implemented as a Custom Resource Definition (CRD)
that provides input for the CreateFargateProfile and DeleteFargateProfile AWS API calls.
Since the operator is performing input validation, it needs a Kubernetes service account that allows it to assume an IAM role that grants it a variety of permissions. This is accomplished using the new IAM Roles for Service Accounts (IRSA) feature for EKS.
eksctl is far and away the easiest way to create the IAM role and corresponding Kubernetes service account. Start by
running the following command:
eksctl utils associate-iam-oidc-provider --name=<cluster> --approve
eksctl create iamserviceaccount --cluster=<clusterName> --name=fargate --namespace=default --attach-policy-arn=<policyARN>Use the ARN of the policy created from the IAMPolicy.json when creating the service account.
In order for the operator function properly, it needs a set of baseline permissions including the ability to read FargateProfile objects. All of these permissions are packaged in the rbac.yaml manifest. You can apply these permissions to the cluster by running:
kubectl apply -f rbac.yamlthe fargate-operator relies on a CRD that specifies the input parameters for creating a Fargate Profile. Create the CRD by running:
kubectl apply -f crd.yaml After the CRD has been created you can create fargateprofile objects. Below is an example of a fargateprofile that creates a Fargate Profile for the default, system, hello, and world namespaces. It also applies a set of selector labels that limit the pods the profile is applied to, i.e. only pods with matching labels will be run as Fargate pods.
apiVersion: jicomusic.com/v1
kind: FargateProfile
metadata:
name: new-profile-7
spec:
subnets: [subnet-075aa287882d71709, subnet-0b36ca4d53f742857]
podExecutionRoleArn: arn:aws:iam::123456789012:role/eksctl-cluster-workshop-cl-FargatePodExecutionRole-ZBZNZ6OBYOHE
selectors:
- namespace: default
labels:
foo: bar
red: black
green: blue
orange: red
purple: yellow
green: white
- namespace: system
labels:
foo: bar
- namespace: hello
labels:
foo: bar
- namespace: world
labels:
foo: bar
tags:
red: black
green: blueNote: the metadata name only accepts lowercase characters.
The deployment.yaml manifest in this repository references a serviceAccountName that has to be set to the service account created in the Creating an IAM role and service account step above. Once that's done, the operator can be deployed by running:
kubectl apply -f deployment.yaml With the operator running, create a new fargateprofile manifest and apply it to the cluster. For an example, see the sample-crd.yaml in this repository.
If you have trouble deleting a profile created through the operator, edit the fargateprofile's finalizer and set it to [].
The operator will not be able to delete objects created outside of the operator, i.e. it is not aware of Fargate Profiles created with the AWS APIs or eksctl.