From fe8054276ee2e2cb1a4961dc03b5d62c8d9aa5a9 Mon Sep 17 00:00:00 2001 From: Ramon Quitales Date: Fri, 10 May 2024 16:16:22 -0700 Subject: [PATCH 1/8] feat: expose enableIMDSv2 option for managed node groups --- nodejs/eks/nodegroup.ts | 10 ++++++++++ provider/cmd/pulumi-gen-eks/main.go | 8 ++++++++ 2 files changed, 18 insertions(+) diff --git a/nodejs/eks/nodegroup.ts b/nodejs/eks/nodegroup.ts index 87cd16a26..7ec3de580 100644 --- a/nodejs/eks/nodegroup.ts +++ b/nodejs/eks/nodegroup.ts @@ -1456,6 +1456,16 @@ export type ManagedNodeGroupOptions = Omit< */ bootstrapExtraArgs?: string; + /** + * Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance + * metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. + * Defaults to `false`. + * + * Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should + * enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. + */ + enableIMDSv2?: boolean; + /** * Make nodeGroupName optional, since the NodeGroup resource name can be * used as a default. diff --git a/provider/cmd/pulumi-gen-eks/main.go b/provider/cmd/pulumi-gen-eks/main.go index 7161e9ea3..06f27fecf 100644 --- a/provider/cmd/pulumi-gen-eks/main.go +++ b/provider/cmd/pulumi-gen-eks/main.go @@ -854,6 +854,14 @@ func generateSchema() schema.PackageSpec { "flags are included automatically based on other configuration parameters.\n\n" + "Note that this field conflicts with `launchTemplate`.", }, + "enableIMDSv2": { + TypeSpec: schema.TypeSpec{Type: "boolean", Plain: true}, + Description: "Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance " + + "metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html.\n" + + "Defaults to `false`.\n\n" + + "Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should " + + "enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`.", + }, }, RequiredInputs: []string{"cluster"}, }, From 1ed6883c0720af46b17929312ca00bcfaa77db52 Mon Sep 17 00:00:00 2001 From: Ramon Quitales Date: Fri, 10 May 2024 16:19:03 -0700 Subject: [PATCH 2/8] chore: run `make build_python` --- provider/cmd/pulumi-resource-eks/schema.json | 5 ++++ sdk/python/pulumi_eks/managed_node_group.py | 29 ++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/provider/cmd/pulumi-resource-eks/schema.json b/provider/cmd/pulumi-resource-eks/schema.json index c14cfcf67..379a7ae3b 100644 --- a/provider/cmd/pulumi-resource-eks/schema.json +++ b/provider/cmd/pulumi-resource-eks/schema.json @@ -1012,6 +1012,11 @@ "type": "integer", "description": "Disk size in GiB for worker nodes. Defaults to `20`. This provider will only perform drift detection if a configuration value is provided." }, + "enableIMDSv2": { + "type": "boolean", + "plain": true, + "description": "Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html.\nDefaults to `false`.\n\nNote that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`." + }, "forceUpdateVersion": { "type": "boolean", "description": "Force version update if existing pods are unable to be drained due to a pod disruption budget issue." diff --git a/sdk/python/pulumi_eks/managed_node_group.py b/sdk/python/pulumi_eks/managed_node_group.py index 5311ac3ee..047c1d513 100644 --- a/sdk/python/pulumi_eks/managed_node_group.py +++ b/sdk/python/pulumi_eks/managed_node_group.py @@ -25,6 +25,7 @@ def __init__(__self__, *, capacity_type: Optional[pulumi.Input[str]] = None, cluster_name: Optional[pulumi.Input[str]] = None, disk_size: Optional[pulumi.Input[int]] = None, + enable_imd_sv2: Optional[bool] = None, force_update_version: Optional[pulumi.Input[bool]] = None, instance_types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, kubelet_extra_args: Optional[str] = None, @@ -51,6 +52,10 @@ def __init__(__self__, *, :param pulumi.Input[str] capacity_type: Type of capacity associated with the EKS Node Group. Valid values: `ON_DEMAND`, `SPOT`. This provider will only perform drift detection if a configuration value is provided. :param pulumi.Input[str] cluster_name: Name of the EKS Cluster. :param pulumi.Input[int] disk_size: Disk size in GiB for worker nodes. Defaults to `20`. This provider will only perform drift detection if a configuration value is provided. + :param bool enable_imd_sv2: Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. + Defaults to `false`. + + Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. :param pulumi.Input[bool] force_update_version: Force version update if existing pods are unable to be drained due to a pod disruption budget issue. :param pulumi.Input[Sequence[pulumi.Input[str]]] instance_types: Set of instance types associated with the EKS Node Group. Defaults to `["t3.medium"]`. This provider will only perform drift detection if a configuration value is provided. Currently, the EKS API only accepts a single value in the set. :param str kubelet_extra_args: Extra args to pass to the Kubelet. Corresponds to the options passed in the `--kubeletExtraArgs` flag to `/etc/eks/bootstrap.sh`. For example, '--port=10251 --address=0.0.0.0'. To escape characters in the extra argsvalue, wrap the value in quotes. For example, `kubeletExtraArgs = '--allowed-unsafe-sysctls "net.core.somaxconn"'`. @@ -97,6 +102,8 @@ def __init__(__self__, *, pulumi.set(__self__, "cluster_name", cluster_name) if disk_size is not None: pulumi.set(__self__, "disk_size", disk_size) + if enable_imd_sv2 is not None: + pulumi.set(__self__, "enable_imd_sv2", enable_imd_sv2) if force_update_version is not None: pulumi.set(__self__, "force_update_version", force_update_version) if instance_types is not None: @@ -204,6 +211,21 @@ def disk_size(self) -> Optional[pulumi.Input[int]]: def disk_size(self, value: Optional[pulumi.Input[int]]): pulumi.set(self, "disk_size", value) + @property + @pulumi.getter(name="enableIMDSv2") + def enable_imd_sv2(self) -> Optional[bool]: + """ + Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. + Defaults to `false`. + + Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. + """ + return pulumi.get(self, "enable_imd_sv2") + + @enable_imd_sv2.setter + def enable_imd_sv2(self, value: Optional[bool]): + pulumi.set(self, "enable_imd_sv2", value) + @property @pulumi.getter(name="forceUpdateVersion") def force_update_version(self) -> Optional[pulumi.Input[bool]]: @@ -424,6 +446,7 @@ def __init__(__self__, cluster: Optional[pulumi.Input[Union['Cluster', pulumi.InputType['CoreDataArgs']]]] = None, cluster_name: Optional[pulumi.Input[str]] = None, disk_size: Optional[pulumi.Input[int]] = None, + enable_imd_sv2: Optional[bool] = None, force_update_version: Optional[pulumi.Input[bool]] = None, instance_types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, kubelet_extra_args: Optional[str] = None, @@ -457,6 +480,10 @@ def __init__(__self__, :param pulumi.Input[Union['Cluster', pulumi.InputType['CoreDataArgs']]] cluster: The target EKS cluster. :param pulumi.Input[str] cluster_name: Name of the EKS Cluster. :param pulumi.Input[int] disk_size: Disk size in GiB for worker nodes. Defaults to `20`. This provider will only perform drift detection if a configuration value is provided. + :param bool enable_imd_sv2: Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. + Defaults to `false`. + + Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. :param pulumi.Input[bool] force_update_version: Force version update if existing pods are unable to be drained due to a pod disruption budget issue. :param pulumi.Input[Sequence[pulumi.Input[str]]] instance_types: Set of instance types associated with the EKS Node Group. Defaults to `["t3.medium"]`. This provider will only perform drift detection if a configuration value is provided. Currently, the EKS API only accepts a single value in the set. :param str kubelet_extra_args: Extra args to pass to the Kubelet. Corresponds to the options passed in the `--kubeletExtraArgs` flag to `/etc/eks/bootstrap.sh`. For example, '--port=10251 --address=0.0.0.0'. To escape characters in the extra argsvalue, wrap the value in quotes. For example, `kubeletExtraArgs = '--allowed-unsafe-sysctls "net.core.somaxconn"'`. @@ -525,6 +552,7 @@ def _internal_init(__self__, cluster: Optional[pulumi.Input[Union['Cluster', pulumi.InputType['CoreDataArgs']]]] = None, cluster_name: Optional[pulumi.Input[str]] = None, disk_size: Optional[pulumi.Input[int]] = None, + enable_imd_sv2: Optional[bool] = None, force_update_version: Optional[pulumi.Input[bool]] = None, instance_types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, kubelet_extra_args: Optional[str] = None, @@ -560,6 +588,7 @@ def _internal_init(__self__, __props__.__dict__["cluster"] = cluster __props__.__dict__["cluster_name"] = cluster_name __props__.__dict__["disk_size"] = disk_size + __props__.__dict__["enable_imd_sv2"] = enable_imd_sv2 __props__.__dict__["force_update_version"] = force_update_version __props__.__dict__["instance_types"] = instance_types __props__.__dict__["kubelet_extra_args"] = kubelet_extra_args From 72c2d40bef77088ad6d5feb24711c51dd8426e5a Mon Sep 17 00:00:00 2001 From: Ramon Quitales Date: Fri, 10 May 2024 16:19:11 -0700 Subject: [PATCH 3/8] chore: run `make build_go` --- sdk/go/eks/managedNodeGroup.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/sdk/go/eks/managedNodeGroup.go b/sdk/go/eks/managedNodeGroup.go index f3b80b481..765f9d0fe 100644 --- a/sdk/go/eks/managedNodeGroup.go +++ b/sdk/go/eks/managedNodeGroup.go @@ -59,6 +59,11 @@ type managedNodeGroupArgs struct { ClusterName *string `pulumi:"clusterName"` // Disk size in GiB for worker nodes. Defaults to `20`. This provider will only perform drift detection if a configuration value is provided. DiskSize *int `pulumi:"diskSize"` + // Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. + // Defaults to `false`. + // + // Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. + EnableIMDSv2 *bool `pulumi:"enableIMDSv2"` // Force version update if existing pods are unable to be drained due to a pod disruption budget issue. ForceUpdateVersion *bool `pulumi:"forceUpdateVersion"` // Set of instance types associated with the EKS Node Group. Defaults to `["t3.medium"]`. This provider will only perform drift detection if a configuration value is provided. Currently, the EKS API only accepts a single value in the set. @@ -127,6 +132,11 @@ type ManagedNodeGroupArgs struct { ClusterName pulumi.StringPtrInput // Disk size in GiB for worker nodes. Defaults to `20`. This provider will only perform drift detection if a configuration value is provided. DiskSize pulumi.IntPtrInput + // Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. + // Defaults to `false`. + // + // Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. + EnableIMDSv2 *bool // Force version update if existing pods are unable to be drained due to a pod disruption budget issue. ForceUpdateVersion pulumi.BoolPtrInput // Set of instance types associated with the EKS Node Group. Defaults to `["t3.medium"]`. This provider will only perform drift detection if a configuration value is provided. Currently, the EKS API only accepts a single value in the set. From 2b76513587b435c8c18df945025eae396da8eae5 Mon Sep 17 00:00:00 2001 From: Ramon Quitales Date: Fri, 10 May 2024 16:19:26 -0700 Subject: [PATCH 4/8] chore: run `make build_dotnet` --- sdk/dotnet/ManagedNodeGroup.cs | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/sdk/dotnet/ManagedNodeGroup.cs b/sdk/dotnet/ManagedNodeGroup.cs index 7368b9fd7..40d3e88eb 100644 --- a/sdk/dotnet/ManagedNodeGroup.cs +++ b/sdk/dotnet/ManagedNodeGroup.cs @@ -90,6 +90,15 @@ public sealed class ManagedNodeGroupArgs : global::Pulumi.ResourceArgs [Input("diskSize")] public Input? DiskSize { get; set; } + /// + /// Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. + /// Defaults to `false`. + /// + /// Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. + /// + [Input("enableIMDSv2")] + public bool? EnableIMDSv2 { get; set; } + /// /// Force version update if existing pods are unable to be drained due to a pod disruption budget issue. /// From cdb1594534d1f95dd62e818748fcd87bc6c17b99 Mon Sep 17 00:00:00 2001 From: Ramon Quitales Date: Fri, 10 May 2024 16:19:59 -0700 Subject: [PATCH 5/8] chore: run `make build_java` --- .../com/pulumi/eks/ManagedNodeGroupArgs.java | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/sdk/java/src/main/java/com/pulumi/eks/ManagedNodeGroupArgs.java b/sdk/java/src/main/java/com/pulumi/eks/ManagedNodeGroupArgs.java index 55fb523c1..0059d787b 100644 --- a/sdk/java/src/main/java/com/pulumi/eks/ManagedNodeGroupArgs.java +++ b/sdk/java/src/main/java/com/pulumi/eks/ManagedNodeGroupArgs.java @@ -121,6 +121,27 @@ public Optional> diskSize() { return Optional.ofNullable(this.diskSize); } + /** + * Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. + * Defaults to `false`. + * + * Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. + * + */ + @Import(name="enableIMDSv2") + private @Nullable Boolean enableIMDSv2; + + /** + * @return Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. + * Defaults to `false`. + * + * Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. + * + */ + public Optional enableIMDSv2() { + return Optional.ofNullable(this.enableIMDSv2); + } + /** * Force version update if existing pods are unable to be drained due to a pod disruption budget issue. * @@ -400,6 +421,7 @@ private ManagedNodeGroupArgs(ManagedNodeGroupArgs $) { this.cluster = $.cluster; this.clusterName = $.clusterName; this.diskSize = $.diskSize; + this.enableIMDSv2 = $.enableIMDSv2; this.forceUpdateVersion = $.forceUpdateVersion; this.instanceTypes = $.instanceTypes; this.kubeletExtraArgs = $.kubeletExtraArgs; @@ -574,6 +596,20 @@ public Builder diskSize(Integer diskSize) { return diskSize(Output.of(diskSize)); } + /** + * @param enableIMDSv2 Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. + * Defaults to `false`. + * + * Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. + * + * @return builder + * + */ + public Builder enableIMDSv2(@Nullable Boolean enableIMDSv2) { + $.enableIMDSv2 = enableIMDSv2; + return this; + } + /** * @param forceUpdateVersion Force version update if existing pods are unable to be drained due to a pod disruption budget issue. * From 3873b533b196387fcac37e53d04619956527a748 Mon Sep 17 00:00:00 2001 From: Ramon Quitales Date: Fri, 17 May 2024 13:12:27 -0700 Subject: [PATCH 6/8] chore: run `make lint` --- nodejs/eks/babel.config.js | 7 +- nodejs/eks/cluster.ts | 102 +-- nodejs/eks/cmd/provider/cni.test.ts | 4 +- nodejs/eks/cni/README.md | 2 +- nodejs/eks/cni/aws-k8s-cni.yaml | 1080 ++++++++++++++------------- nodejs/eks/dependencies.ts | 11 +- nodejs/eks/nodegroup.ts | 36 +- 7 files changed, 642 insertions(+), 600 deletions(-) diff --git a/nodejs/eks/babel.config.js b/nodejs/eks/babel.config.js index a50f0807c..9545b5983 100644 --- a/nodejs/eks/babel.config.js +++ b/nodejs/eks/babel.config.js @@ -1,6 +1,3 @@ module.exports = { - presets: [ - ['@babel/preset-env', {targets: {node: 'current'}}], - '@babel/preset-typescript', - ], - }; \ No newline at end of file + presets: [["@babel/preset-env", { targets: { node: "current" } }], "@babel/preset-typescript"], +}; diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts index 197770650..9c0a2743c 100644 --- a/nodejs/eks/cluster.ts +++ b/nodejs/eks/cluster.ts @@ -562,14 +562,14 @@ export function createCore( let kubernetesNetworkConfig: | pulumi.Output | undefined; - if (args.kubernetesServiceIpAddressRange || args.ipFamily ) { - kubernetesNetworkConfig = pulumi.all([args.kubernetesServiceIpAddressRange, args.ipFamily]).apply( - ([serviceIpv4Cidr, ipFamily = "ipv4"]) => ({ - serviceIpv4Cidr: ipFamily === "ipv4" ? serviceIpv4Cidr : undefined, // only applicable for IPv4 IP family - ipFamily: ipFamily - }), - ); - } + if (args.kubernetesServiceIpAddressRange || args.ipFamily) { + kubernetesNetworkConfig = pulumi + .all([args.kubernetesServiceIpAddressRange, args.ipFamily]) + .apply(([serviceIpv4Cidr, ipFamily = "ipv4"]) => ({ + serviceIpv4Cidr: ipFamily === "ipv4" ? serviceIpv4Cidr : undefined, // only applicable for IPv4 IP family + ipFamily: ipFamily, + })); + } // Create the EKS cluster const eksCluster = new aws.eks.Cluster( @@ -657,54 +657,54 @@ export function createCore( // its worker nodes have come up. const genKubeconfig = (useProfileName: boolean) => { const kubeconfig = pulumi - .all([ - eksCluster.name, - endpoint, - eksCluster.certificateAuthority, - args.providerCredentialOpts, - ]) - .apply( - ([ - clusterName, - clusterEndpoint, - clusterCertificateAuthority, - providerCredentialOpts, - ]) => { - let config = {}; - - if (args.creationRoleProvider) { - config = args.creationRoleProvider.role.arn.apply((arn) => { - const opts: KubeconfigOptions = { roleArn: arn }; - return generateKubeconfig( + .all([ + eksCluster.name, + endpoint, + eksCluster.certificateAuthority, + args.providerCredentialOpts, + ]) + .apply( + ([ + clusterName, + clusterEndpoint, + clusterCertificateAuthority, + providerCredentialOpts, + ]) => { + let config = {}; + + if (args.creationRoleProvider) { + config = args.creationRoleProvider.role.arn.apply((arn) => { + const opts: KubeconfigOptions = { roleArn: arn }; + return generateKubeconfig( + clusterName, + clusterEndpoint, + useProfileName, + clusterCertificateAuthority?.data, + opts, + ); + }); + } else if (providerCredentialOpts) { + config = generateKubeconfig( clusterName, clusterEndpoint, useProfileName, clusterCertificateAuthority?.data, - opts, + providerCredentialOpts, ); - }); - } else if (providerCredentialOpts) { - config = generateKubeconfig( - clusterName, - clusterEndpoint, - useProfileName, - clusterCertificateAuthority?.data, - providerCredentialOpts, - ); - } else { - config = generateKubeconfig( - clusterName, - clusterEndpoint, - useProfileName, - clusterCertificateAuthority?.data, - ); - } - return config; - }, - ); - + } else { + config = generateKubeconfig( + clusterName, + clusterEndpoint, + useProfileName, + clusterCertificateAuthority?.data, + ); + } + return config; + }, + ); + return kubeconfig; - } + }; // We need 2 forms of kubeconfig, one with the profile name and one without. The one with the profile name // is required to interact with the cluster by this provider. The one without is used by the user to interact @@ -1311,7 +1311,7 @@ export interface ClusterOptions { /** * The security group to use for the cluster API endpoint. If not provided, a new security group will be created * with full internet egress and ingress from node groups. - * + * * Note: The security group resource should not contain any inline ingress or egress rules. */ clusterSecurityGroup?: aws.ec2.SecurityGroup; diff --git a/nodejs/eks/cmd/provider/cni.test.ts b/nodejs/eks/cmd/provider/cni.test.ts index b7db50280..91dc6d3aa 100644 --- a/nodejs/eks/cmd/provider/cni.test.ts +++ b/nodejs/eks/cmd/provider/cni.test.ts @@ -34,7 +34,7 @@ describe("updateImage", () => { }; expect(testCode).not.toThrow(); - expect(testCode()).toBe(updatedManifest) + expect(testCode()).toBe(updatedManifest); }); }); @@ -636,4 +636,4 @@ spec: operator: NotIn values: - fargate -`; \ No newline at end of file +`; diff --git a/nodejs/eks/cni/README.md b/nodejs/eks/cni/README.md index f0f69ad8d..70267590b 100644 --- a/nodejs/eks/cni/README.md +++ b/nodejs/eks/cni/README.md @@ -3,4 +3,4 @@ The CNI manfiest used has divergence between the Pulumi's [approach](https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/cni/aws-k8s-cni.yaml), and what AWS does by [default](https://github.com/aws/amazon-vpc-cni-k8s/issues/755) for Fargate clusters. -Pulumi's fork of the manifest removes certain lines from the upstream manifest. This is showcased in our forked copy by commenting out such lines. \ No newline at end of file +Pulumi's fork of the manifest removes certain lines from the upstream manifest. This is showcased in our forked copy by commenting out such lines. diff --git a/nodejs/eks/cni/aws-k8s-cni.yaml b/nodejs/eks/cni/aws-k8s-cni.yaml index f9aaa9890..42a0ad4ab 100644 --- a/nodejs/eks/cni/aws-k8s-cni.yaml +++ b/nodejs/eks/cni/aws-k8s-cni.yaml @@ -5,572 +5,598 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: eniconfigs.crd.k8s.amazonaws.com + name: eniconfigs.crd.k8s.amazonaws.com spec: - scope: Cluster - group: crd.k8s.amazonaws.com - preserveUnknownFields: false - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - names: - plural: eniconfigs - singular: eniconfig - kind: ENIConfig + scope: Cluster + group: crd.k8s.amazonaws.com + preserveUnknownFields: false + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + names: + plural: eniconfigs + singular: eniconfig + kind: ENIConfig --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null - labels: - app.kubernetes.io/name: amazon-network-policy-controller-k8s - name: policyendpoints.networking.k8s.aws + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/name: amazon-network-policy-controller-k8s + name: policyendpoints.networking.k8s.aws spec: - group: networking.k8s.aws - names: - kind: PolicyEndpoint - listKind: PolicyEndpointList - plural: policyendpoints - singular: policyendpoint - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: PolicyEndpoint is the Schema for the policyendpoints API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PolicyEndpointSpec defines the desired state of PolicyEndpoint - properties: - egress: - description: Egress is the list of egress rules containing resolved - network addresses - items: - description: EndpointInfo defines the network endpoint information - for the policy ingress/egress - properties: - cidr: - description: CIDR is the network address(s) of the endpoint - type: string - except: - description: Except is the exceptions to the CIDR ranges mentioned - above. - items: - type: string - type: array - ports: - description: Ports is the list of ports - items: - description: Port contains information about the transport - port/protocol - properties: - endPort: - description: Endport specifies the port range port to - endPort port must be defined and an integer, endPort - > port - format: int32 - type: integer - port: - description: Port specifies the numerical port for the - protocol. If empty applies to all ports - format: int32 - type: integer - protocol: - default: TCP - description: Protocol specifies the transport protocol, - default TCP - type: string - type: object - type: array - required: - - cidr - type: object - type: array - ingress: - description: Ingress is the list of ingress rules containing resolved - network addresses - items: - description: EndpointInfo defines the network endpoint information - for the policy ingress/egress + group: networking.k8s.aws + names: + kind: PolicyEndpoint + listKind: PolicyEndpointList + plural: policyendpoints + singular: policyendpoint + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PolicyEndpoint is the Schema for the policyendpoints API properties: - cidr: - description: CIDR is the network address(s) of the endpoint - type: string - except: - description: Except is the exceptions to the CIDR ranges mentioned - above. - items: - type: string - type: array - ports: - description: Ports is the list of ports - items: - description: Port contains information about the transport - port/protocol - properties: - endPort: - description: Endport specifies the port range port to - endPort port must be defined and an integer, endPort - > port - format: int32 - type: integer - port: - description: Port specifies the numerical port for the - protocol. If empty applies to all ports - format: int32 - type: integer - protocol: - default: TCP - description: Protocol specifies the transport protocol, - default TCP - type: string - type: object - type: array - required: - - cidr - type: object - type: array - podIsolation: - description: PodIsolation specifies whether the pod needs to be isolated - for a particular traffic direction Ingress or Egress, or both. If - default isolation is not specified, and there are no ingress/egress - rules, then the pod is not isolated from the point of view of this - policy. This follows the NetworkPolicy spec.PolicyTypes. - items: - description: PolicyType string describes the NetworkPolicy type - This type is beta-level in 1.8 - type: string - type: array - podSelector: - description: PodSelector is the podSelector from the policy resource - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. + apiVersion: + description: + "APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + kind: + description: "Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelectorEndpoints: - description: PodSelectorEndpoints contains information about the pods - matching the podSelector - items: - description: PodEndpoint defines the summary information for the - pods - properties: - hostIP: - description: HostIP is the IP address of the host the pod is - currently running on - type: string - name: - description: Name is the pod name - type: string - namespace: - description: Namespace is the pod namespace - type: string - podIP: - description: PodIP is the IP address of the pod - type: string - required: - - hostIP - - name - - namespace - - podIP + metadata: + type: object + spec: + description: PolicyEndpointSpec defines the desired state of PolicyEndpoint + properties: + egress: + description: + Egress is the list of egress rules containing resolved + network addresses + items: + description: + EndpointInfo defines the network endpoint information + for the policy ingress/egress + properties: + cidr: + description: CIDR is the network address(s) of the endpoint + type: string + except: + description: + Except is the exceptions to the CIDR ranges mentioned + above. + items: + type: string + type: array + ports: + description: Ports is the list of ports + items: + description: + Port contains information about the transport + port/protocol + properties: + endPort: + description: + Endport specifies the port range port to + endPort port must be defined and an integer, endPort + > port + format: int32 + type: integer + port: + description: + Port specifies the numerical port for the + protocol. If empty applies to all ports + format: int32 + type: integer + protocol: + default: TCP + description: + Protocol specifies the transport protocol, + default TCP + type: string + type: object + type: array + required: + - cidr + type: object + type: array + ingress: + description: + Ingress is the list of ingress rules containing resolved + network addresses + items: + description: + EndpointInfo defines the network endpoint information + for the policy ingress/egress + properties: + cidr: + description: CIDR is the network address(s) of the endpoint + type: string + except: + description: + Except is the exceptions to the CIDR ranges mentioned + above. + items: + type: string + type: array + ports: + description: Ports is the list of ports + items: + description: + Port contains information about the transport + port/protocol + properties: + endPort: + description: + Endport specifies the port range port to + endPort port must be defined and an integer, endPort + > port + format: int32 + type: integer + port: + description: + Port specifies the numerical port for the + protocol. If empty applies to all ports + format: int32 + type: integer + protocol: + default: TCP + description: + Protocol specifies the transport protocol, + default TCP + type: string + type: object + type: array + required: + - cidr + type: object + type: array + podIsolation: + description: + PodIsolation specifies whether the pod needs to be isolated + for a particular traffic direction Ingress or Egress, or both. If + default isolation is not specified, and there are no ingress/egress + rules, then the pod is not isolated from the point of view of this + policy. This follows the NetworkPolicy spec.PolicyTypes. + items: + description: + PolicyType string describes the NetworkPolicy type + This type is beta-level in 1.8 + type: string + type: array + podSelector: + description: PodSelector is the podSelector from the policy resource + properties: + matchExpressions: + description: + matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: + A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: + key is the label key that the selector applies + to. + type: string + operator: + description: + operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: + values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelectorEndpoints: + description: + PodSelectorEndpoints contains information about the pods + matching the podSelector + items: + description: + PodEndpoint defines the summary information for the + pods + properties: + hostIP: + description: + HostIP is the IP address of the host the pod is + currently running on + type: string + name: + description: Name is the pod name + type: string + namespace: + description: Namespace is the pod namespace + type: string + podIP: + description: PodIP is the IP address of the pod + type: string + required: + - hostIP + - name + - namespace + - podIP + type: object + type: array + policyRef: + description: + PolicyRef is a reference to the Kubernetes NetworkPolicy + resource. + properties: + name: + description: Name is the name of the Policy + type: string + namespace: + description: Namespace is the namespace of the Policy + type: string + required: + - name + - namespace + type: object + required: + - policyRef + type: object + status: + description: PolicyEndpointStatus defines the observed state of PolicyEndpoint + type: object type: object - type: array - policyRef: - description: PolicyRef is a reference to the Kubernetes NetworkPolicy - resource. - properties: - name: - description: Name is the name of the Policy - type: string - namespace: - description: Namespace is the namespace of the Policy - type: string - required: - - name - - namespace - type: object - required: - - policyRef - type: object - status: - description: PolicyEndpointStatus defines the observed state of PolicyEndpoint - type: object - type: object - served: true - storage: true - subresources: - status: {} + served: true + storage: true + subresources: + status: {} --- # Source: aws-vpc-cni/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: aws-node - namespace: kube-system - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - app.kubernetes.io/version: "v1.16.0" + name: aws-node + namespace: kube-system + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.16.0" --- # Source: aws-vpc-cni/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: amazon-vpc-cni - namespace: kube-system - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - app.kubernetes.io/version: "v1.16.0" + name: amazon-vpc-cni + namespace: kube-system + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.16.0" data: - enable-windows-ipam: "false" - enable-network-policy-controller: "false" - enable-windows-prefix-delegation: "false" - warm-prefix-target: "0" - warm-ip-target: "1" - minimum-ip-target: "3" - branch-eni-cooldown: "60" + enable-windows-ipam: "false" + enable-network-policy-controller: "false" + enable-windows-prefix-delegation: "false" + warm-prefix-target: "0" + warm-ip-target: "1" + minimum-ip-target: "3" + branch-eni-cooldown: "60" --- # Source: aws-vpc-cni/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: aws-node - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - app.kubernetes.io/version: "v1.16.0" + name: aws-node + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.16.0" rules: - - apiGroups: - - crd.k8s.amazonaws.com - resources: - - eniconfigs - verbs: ["list", "watch", "get"] - - apiGroups: [""] - resources: - - namespaces - verbs: ["list", "watch", "get"] - - apiGroups: [""] - resources: - - pods - verbs: ["list", "watch", "get"] - - apiGroups: [""] - resources: - - nodes - verbs: ["list", "watch", "get"] - - apiGroups: ["", "events.k8s.io"] - resources: - - events - verbs: ["create", "patch", "list"] - - apiGroups: ["networking.k8s.aws"] - resources: - - policyendpoints - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.aws"] - resources: - - policyendpoints/status - verbs: ["get"] - - apiGroups: - - vpcresources.k8s.aws - resources: - - cninodes - verbs: ["get", "list", "watch", "patch"] + - apiGroups: + - crd.k8s.amazonaws.com + resources: + - eniconfigs + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - namespaces + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - pods + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - nodes + verbs: ["list", "watch", "get"] + - apiGroups: ["", "events.k8s.io"] + resources: + - events + verbs: ["create", "patch", "list"] + - apiGroups: ["networking.k8s.aws"] + resources: + - policyendpoints + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.aws"] + resources: + - policyendpoints/status + verbs: ["get"] + - apiGroups: + - vpcresources.k8s.aws + resources: + - cninodes + verbs: ["get", "list", "watch", "patch"] --- # Source: aws-vpc-cni/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: aws-node - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - app.kubernetes.io/version: "v1.16.0" + name: aws-node + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.16.0" roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: aws-node -subjects: - - kind: ServiceAccount + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole name: aws-node - namespace: kube-system +subjects: + - kind: ServiceAccount + name: aws-node + namespace: kube-system --- # Source: aws-vpc-cni/templates/daemonset.yaml kind: DaemonSet apiVersion: apps/v1 metadata: - name: aws-node - namespace: kube-system - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - app.kubernetes.io/version: "v1.16.0" -spec: - updateStrategy: - rollingUpdate: - maxUnavailable: 10% - type: RollingUpdate - selector: - matchLabels: - k8s-app: aws-node - template: - metadata: - labels: + name: aws-node + namespace: kube-system + labels: app.kubernetes.io/name: aws-node app.kubernetes.io/instance: aws-vpc-cni k8s-app: aws-node - spec: - priorityClassName: "system-node-critical" - serviceAccountName: aws-node - hostNetwork: true - initContainers: - - name: aws-vpc-cni-init - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.16.0 - env: [] - # env: - # - name: DISABLE_TCP_EARLY_DEMUX - # value: "false" - # - name: ENABLE_IPv6 - # value: "false" - securityContext: - privileged: true - resources: - requests: - cpu: 25m - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - terminationGracePeriodSeconds: 10 - tolerations: - - operator: Exists - securityContext: - {} - containers: - - name: aws-node - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.16.0 - ports: - - containerPort: 61678 - name: metrics - livenessProbe: - exec: - command: - - /app/grpc-health-probe - - -addr=:50051 - - -connect-timeout=5s - - -rpc-timeout=5s - initialDelaySeconds: 60 - timeoutSeconds: 10 - readinessProbe: - exec: - command: - - /app/grpc-health-probe - - -addr=:50051 - - -connect-timeout=5s - - -rpc-timeout=5s - initialDelaySeconds: 1 - timeoutSeconds: 10 - env: - - name: ADDITIONAL_ENI_TAGS - value: "{}" - # - name: AWS_VPC_CNI_NODE_PORT_SUPPORT - # value: "true" - # - name: AWS_VPC_ENI_MTU - # value: "9001" - # - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG - # value: "false" - # - name: AWS_VPC_K8S_CNI_EXTERNALSNAT - # value: "false" - # - name: AWS_VPC_K8S_CNI_LOGLEVEL - # value: "DEBUG" - # - name: AWS_VPC_K8S_CNI_LOG_FILE - # value: "/host/var/log/aws-routed-eni/ipamd.log" - - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT - value: "prng" - # - name: AWS_VPC_K8S_CNI_VETHPREFIX - # value: "eni" - # - name: AWS_VPC_K8S_PLUGIN_LOG_FILE - # value: "/var/log/aws-routed-eni/plugin.log" - # - name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL - # value: "DEBUG" - - name: DISABLE_INTROSPECTION - value: "false" - - name: DISABLE_METRICS - value: "false" - - name: DISABLE_NETWORK_RESOURCE_PROVISIONING - value: "false" - - name: ENABLE_IPv4 - value: "true" - # - name: ENABLE_IPv6 - # value: "false" - # - name: ENABLE_POD_ENI - # value: "false" - # - name: ENABLE_PREFIX_DELEGATION - # value: "false" - - name: VPC_CNI_VERSION - value: "v1.16.0" - # - name: WARM_ENI_TARGET - # value: "1" - - name: WARM_PREFIX_TARGET - value: "1" - - name: MY_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: MY_POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - resources: - requests: - cpu: 25m - securityContext: - capabilities: - add: - - NET_ADMIN - - NET_RAW - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /host/var/log/aws-routed-eni - name: log-dir - - mountPath: /var/run/aws-node - name: run-dir - - mountPath: /run/xtables.lock - name: xtables-lock - - name: aws-eks-nodeagent - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-network-policy-agent:v1.0.7 - env: - - name: MY_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - args: - - --enable-ipv6=false - - --enable-network-policy=false - - --enable-cloudwatch-logs=false - - --enable-policy-event-logs=false - - --metrics-bind-addr=:8162 - - --health-probe-bind-addr=:8163 - - --conntrack-cache-cleanup-period=300 - resources: - requests: - cpu: 25m - securityContext: - capabilities: - add: - - NET_ADMIN - privileged: true - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /sys/fs/bpf - name: bpf-pin-path - - mountPath: /var/log/aws-routed-eni - name: log-dir - - mountPath: /var/run/aws-node - name: run-dir - volumes: - - name: bpf-pin-path - hostPath: - path: /sys/fs/bpf - - name: cni-bin-dir - hostPath: - path: /opt/cni/bin - - name: cni-net-dir - hostPath: - path: /etc/cni/net.d - - name: log-dir - hostPath: - path: /var/log/aws-routed-eni - type: DirectoryOrCreate - - name: run-dir - hostPath: - path: /var/run/aws-node - type: DirectoryOrCreate - - name: xtables-lock - hostPath: - path: /run/xtables.lock - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate \ No newline at end of file + app.kubernetes.io/version: "v1.16.0" +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 10% + type: RollingUpdate + selector: + matchLabels: + k8s-app: aws-node + template: + metadata: + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + spec: + priorityClassName: "system-node-critical" + serviceAccountName: aws-node + hostNetwork: true + initContainers: + - name: aws-vpc-cni-init + image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.16.0 + env: [] + # env: + # - name: DISABLE_TCP_EARLY_DEMUX + # value: "false" + # - name: ENABLE_IPv6 + # value: "false" + securityContext: + privileged: true + resources: + requests: + cpu: 25m + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + terminationGracePeriodSeconds: 10 + tolerations: + - operator: Exists + securityContext: {} + containers: + - name: aws-node + image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.16.0 + ports: + - containerPort: 61678 + name: metrics + livenessProbe: + exec: + command: + - /app/grpc-health-probe + - -addr=:50051 + - -connect-timeout=5s + - -rpc-timeout=5s + initialDelaySeconds: 60 + timeoutSeconds: 10 + readinessProbe: + exec: + command: + - /app/grpc-health-probe + - -addr=:50051 + - -connect-timeout=5s + - -rpc-timeout=5s + initialDelaySeconds: 1 + timeoutSeconds: 10 + env: + - name: ADDITIONAL_ENI_TAGS + value: "{}" + # - name: AWS_VPC_CNI_NODE_PORT_SUPPORT + # value: "true" + # - name: AWS_VPC_ENI_MTU + # value: "9001" + # - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG + # value: "false" + # - name: AWS_VPC_K8S_CNI_EXTERNALSNAT + # value: "false" + # - name: AWS_VPC_K8S_CNI_LOGLEVEL + # value: "DEBUG" + # - name: AWS_VPC_K8S_CNI_LOG_FILE + # value: "/host/var/log/aws-routed-eni/ipamd.log" + - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT + value: "prng" + # - name: AWS_VPC_K8S_CNI_VETHPREFIX + # value: "eni" + # - name: AWS_VPC_K8S_PLUGIN_LOG_FILE + # value: "/var/log/aws-routed-eni/plugin.log" + # - name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL + # value: "DEBUG" + - name: DISABLE_INTROSPECTION + value: "false" + - name: DISABLE_METRICS + value: "false" + - name: DISABLE_NETWORK_RESOURCE_PROVISIONING + value: "false" + - name: ENABLE_IPv4 + value: "true" + # - name: ENABLE_IPv6 + # value: "false" + # - name: ENABLE_POD_ENI + # value: "false" + # - name: ENABLE_PREFIX_DELEGATION + # value: "false" + - name: VPC_CNI_VERSION + value: "v1.16.0" + # - name: WARM_ENI_TARGET + # value: "1" + - name: WARM_PREFIX_TARGET + value: "1" + - name: MY_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + resources: + requests: + cpu: 25m + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /host/var/log/aws-routed-eni + name: log-dir + - mountPath: /var/run/aws-node + name: run-dir + - mountPath: /run/xtables.lock + name: xtables-lock + - name: aws-eks-nodeagent + image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-network-policy-agent:v1.0.7 + env: + - name: MY_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + args: + - --enable-ipv6=false + - --enable-network-policy=false + - --enable-cloudwatch-logs=false + - --enable-policy-event-logs=false + - --metrics-bind-addr=:8162 + - --health-probe-bind-addr=:8163 + - --conntrack-cache-cleanup-period=300 + resources: + requests: + cpu: 25m + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: true + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /sys/fs/bpf + name: bpf-pin-path + - mountPath: /var/log/aws-routed-eni + name: log-dir + - mountPath: /var/run/aws-node + name: run-dir + volumes: + - name: bpf-pin-path + hostPath: + path: /sys/fs/bpf + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + - name: log-dir + hostPath: + path: /var/log/aws-routed-eni + type: DirectoryOrCreate + - name: run-dir + hostPath: + path: /var/run/aws-node + type: DirectoryOrCreate + - name: xtables-lock + hostPath: + path: /run/xtables.lock + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate diff --git a/nodejs/eks/dependencies.ts b/nodejs/eks/dependencies.ts index b63f40690..529e1262b 100644 --- a/nodejs/eks/dependencies.ts +++ b/nodejs/eks/dependencies.ts @@ -37,10 +37,13 @@ export function assertCompatibleKubectlVersionExists() { ); } - const kubectlVersionJson = childProcess.execSync(`kubectl version --client=true --output=json`, { - stdio: ["pipe", "pipe", "ignore"], - encoding: "utf8", - }); + const kubectlVersionJson = childProcess.execSync( + `kubectl version --client=true --output=json`, + { + stdio: ["pipe", "pipe", "ignore"], + encoding: "utf8", + }, + ); let kctlVersion: KubectlVersion; try { diff --git a/nodejs/eks/nodegroup.ts b/nodejs/eks/nodegroup.ts index 7ec3de580..8db0746b9 100644 --- a/nodejs/eks/nodegroup.ts +++ b/nodejs/eks/nodegroup.ts @@ -1451,7 +1451,7 @@ export type ManagedNodeGroupOptions = Omit< * https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the `--apiserver-endpoint`, * `--b64-cluster-ca` and `--kubelet-extra-args` flags are included automatically based on other configuration * parameters. - * + * * Note that this field conflicts with `launchTemplate`. */ bootstrapExtraArgs?: string; @@ -1460,7 +1460,7 @@ export type ManagedNodeGroupOptions = Omit< * Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance * metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. * Defaults to `false`. - * + * * Note that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should * enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`. */ @@ -1720,7 +1720,14 @@ function createManagedNodeGroupInternal( }; }), subnetIds: subnetIds, - launchTemplate: launchTemplate ? { id: launchTemplate.id, version: launchTemplate.latestVersion.apply((version) => {return `${version}`})} : undefined, + launchTemplate: launchTemplate + ? { + id: launchTemplate.id, + version: launchTemplate.latestVersion.apply((version) => { + return `${version}`; + }), + } + : undefined, }, { parent: parent, dependsOn: ngDeps, provider }, ); @@ -1748,17 +1755,26 @@ function createMNGCustomLaunchTemplate( bootstrapExtraArgs += ` --kubelet-extra-args '${kubeletExtraArgs.join(" ")}'`; } - const userdata = pulumi.all([core.cluster.name, core.cluster.endpoint, core.cluster.certificateAuthority.data, args.clusterName]).apply(([clusterName, clusterEndpoint, clusterCertAuthority, argsClusterName]) => { - return `#!/bin/bash + const userdata = pulumi + .all([ + core.cluster.name, + core.cluster.endpoint, + core.cluster.certificateAuthority.data, + args.clusterName, + ]) + .apply(([clusterName, clusterEndpoint, clusterCertAuthority, argsClusterName]) => { + return `#!/bin/bash - /etc/eks/bootstrap.sh --apiserver-endpoint "${clusterEndpoint}" --b64-cluster-ca "${ - clusterCertAuthority - }" "${argsClusterName || clusterName}"${bootstrapExtraArgs} + /etc/eks/bootstrap.sh --apiserver-endpoint "${clusterEndpoint}" --b64-cluster-ca "${clusterCertAuthority}" "${ + argsClusterName || clusterName + }"${bootstrapExtraArgs} `; - }); + }); // Encode the user data as base64. - const encodedUserData = pulumi.output(userdata).apply((ud) => Buffer.from(ud, "utf-8").toString("base64")); + const encodedUserData = pulumi + .output(userdata) + .apply((ud) => Buffer.from(ud, "utf-8").toString("base64")); const nodeLaunchTemplate = new aws.ec2.LaunchTemplate( `${name}-launchTemplate`, From cebac377d312937e7fd222a87db18fb599e3471b Mon Sep 17 00:00:00 2001 From: Ramon Quitales Date: Fri, 10 May 2024 16:22:22 -0700 Subject: [PATCH 7/8] feat: enable IMDSv2 for managed node groups --- nodejs/eks/nodegroup.ts | 80 +++++++++++++++++++++++------------------ 1 file changed, 46 insertions(+), 34 deletions(-) diff --git a/nodejs/eks/nodegroup.ts b/nodejs/eks/nodegroup.ts index 8db0746b9..a45e66258 100644 --- a/nodejs/eks/nodegroup.ts +++ b/nodejs/eks/nodegroup.ts @@ -1689,14 +1689,17 @@ function createManagedNodeGroupInternal( // Create a custom launch template for the managed node group if the user specifies either kubeletExtraArgs or bootstrapExtraArgs. // If the user sepcifies a custom LaunchTemplate, we throw an error and suggest that the user include this in the launch template that they are providing. // If neither of these are provided, we can use the default launch template for managed node groups. - if (args.launchTemplate && (args.kubeletExtraArgs || args.bootstrapExtraArgs)) { + if ( + args.launchTemplate && + (args.kubeletExtraArgs || args.bootstrapExtraArgs || args.enableIMDSv2) + ) { throw new Error( - "If you provide a custom launch template, you cannot provide kubeletExtraArgs or bootstrapExtraArgs. Please include these in the launch template that you are providing.", + "If you provide a custom launch template, you cannot provide kubeletExtraArgs, bootstrapExtraArgs or enableIMDSv2. Please include these in the launch template that you are providing.", ); } let launchTemplate: aws.ec2.LaunchTemplate | undefined; - if (args.kubeletExtraArgs || args.bootstrapExtraArgs) { + if (args.kubeletExtraArgs || args.bootstrapExtraArgs || args.enableIMDSv2) { launchTemplate = createMNGCustomLaunchTemplate(name, args, core, parent, provider); } @@ -1745,46 +1748,55 @@ function createMNGCustomLaunchTemplate( parent: pulumi.Resource, provider?: pulumi.ProviderResource, ): aws.ec2.LaunchTemplate { - const kubeletExtraArgs = args.kubeletExtraArgs ? args.kubeletExtraArgs.split(" ") : []; - let bootstrapExtraArgs = args.bootstrapExtraArgs ? " " + args.bootstrapExtraArgs : ""; - - if (kubeletExtraArgs.length === 1) { - // For backward compatibility with previous versions of this package, don't wrap a single argument with `''`. - bootstrapExtraArgs += ` --kubelet-extra-args ${kubeletExtraArgs[0]}`; - } else if (kubeletExtraArgs.length > 1) { - bootstrapExtraArgs += ` --kubelet-extra-args '${kubeletExtraArgs.join(" ")}'`; - } + let userData; - const userdata = pulumi - .all([ - core.cluster.name, - core.cluster.endpoint, - core.cluster.certificateAuthority.data, - args.clusterName, - ]) - .apply(([clusterName, clusterEndpoint, clusterCertAuthority, argsClusterName]) => { - return `#!/bin/bash + // If the user specifies either kubeletExtraArgs or bootstrapExtraArgs, we need to create a base64 encoded user data script. + if (args.kubeletExtraArgs || args.bootstrapExtraArgs) { + const kubeletExtraArgs = args.kubeletExtraArgs ? args.kubeletExtraArgs.split(" ") : []; + let bootstrapExtraArgs = args.bootstrapExtraArgs ? " " + args.bootstrapExtraArgs : ""; + + if (kubeletExtraArgs.length === 1) { + // For backward compatibility with previous versions of this package, don't wrap a single argument with `''`. + bootstrapExtraArgs += ` --kubelet-extra-args ${kubeletExtraArgs[0]}`; + } else if (kubeletExtraArgs.length > 1) { + bootstrapExtraArgs += ` --kubelet-extra-args '${kubeletExtraArgs.join(" ")}'`; + } - /etc/eks/bootstrap.sh --apiserver-endpoint "${clusterEndpoint}" --b64-cluster-ca "${clusterCertAuthority}" "${ - argsClusterName || clusterName - }"${bootstrapExtraArgs} - `; - }); + const userdata = pulumi + .all([ + core.cluster.name, + core.cluster.endpoint, + core.cluster.certificateAuthority.data, + args.clusterName, + ]) + .apply(([clusterName, clusterEndpoint, clusterCertAuthority, argsClusterName]) => { + return `#!/bin/bash + + /etc/eks/bootstrap.sh --apiserver-endpoint "${clusterEndpoint}" --b64-cluster-ca "${clusterCertAuthority}" "${ + argsClusterName || clusterName + }"${bootstrapExtraArgs} + `; + }); + + // Encode the user data as base64. + userData = pulumi + .output(userdata) + .apply((ud) => Buffer.from(ud, "utf-8").toString("base64")); + } - // Encode the user data as base64. - const encodedUserData = pulumi - .output(userdata) - .apply((ud) => Buffer.from(ud, "utf-8").toString("base64")); + // If the user specifies enableIMDSv2, we need to set the metadata options in the launch template. + let metadataOptions = args.enableIMDSv2 + ? { httpTokens: "required", httpPutResponseHopLimit: 2, httpEndpoint: "enabled" } + : undefined; - const nodeLaunchTemplate = new aws.ec2.LaunchTemplate( + return new aws.ec2.LaunchTemplate( `${name}-launchTemplate`, { - userData: encodedUserData, + userData, + metadataOptions, }, { parent, provider }, ); - - return nodeLaunchTemplate; } /** From c4ef227455ed64742893962bc65b406b96e5a95a Mon Sep 17 00:00:00 2001 From: Ramon Quitales Date: Tue, 21 May 2024 12:15:58 -0400 Subject: [PATCH 8/8] chore: lint node code --- nodejs/eks/nodegroup.ts | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nodejs/eks/nodegroup.ts b/nodejs/eks/nodegroup.ts index a45e66258..10200fd28 100644 --- a/nodejs/eks/nodegroup.ts +++ b/nodejs/eks/nodegroup.ts @@ -274,10 +274,10 @@ export interface NodeGroupBaseOptions { /** * Enables/disables detailed monitoring of the EC2 instances. - * + * * With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. * When enabled, you can also get aggregated data across groups of similar instances. - * + * * Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. * For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/. */ @@ -1441,7 +1441,7 @@ export type ManagedNodeGroupOptions = Omit< * Extra args to pass to the Kubelet. Corresponds to the options passed in the `--kubeletExtraArgs` flag to * `/etc/eks/bootstrap.sh`. For example, '--port=10251 --address=0.0.0.0'. To escape characters in the extra args * value, wrap the value in quotes. For example, `kubeletExtraArgs = '--allowed-unsafe-sysctls "net.core.somaxconn"'`. - * + * * Note that this field conflicts with `launchTemplate`. */ kubeletExtraArgs?: string; @@ -1771,7 +1771,7 @@ function createMNGCustomLaunchTemplate( ]) .apply(([clusterName, clusterEndpoint, clusterCertAuthority, argsClusterName]) => { return `#!/bin/bash - + /etc/eks/bootstrap.sh --apiserver-endpoint "${clusterEndpoint}" --b64-cluster-ca "${clusterCertAuthority}" "${ argsClusterName || clusterName }"${bootstrapExtraArgs} @@ -1785,7 +1785,7 @@ function createMNGCustomLaunchTemplate( } // If the user specifies enableIMDSv2, we need to set the metadata options in the launch template. - let metadataOptions = args.enableIMDSv2 + const metadataOptions = args.enableIMDSv2 ? { httpTokens: "required", httpPutResponseHopLimit: 2, httpEndpoint: "enabled" } : undefined;