
feat: Add additional permissions to Karpenter EKS IRSA role for native node termination handling support #304

Merged
merged 8 commits into from
Nov 21, 2022
1 change: 1 addition & 0 deletions modules/iam-role-for-service-accounts-eks/README.md
@@ -206,6 +206,7 @@ No modules.
| <a name="input_karpenter_controller_cluster_id"></a> [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | Cluster ID where the Karpenter controller is provisioned/managing | `string` | `"*"` | no |
| <a name="input_karpenter_controller_node_iam_role_arns"></a> [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` | <pre>[<br> "*"<br>]</pre> | no |
| <a name="input_karpenter_controller_ssm_parameter_arns"></a> [karpenter\_controller\_ssm\_parameter\_arns](#input\_karpenter\_controller\_ssm\_parameter\_arns) | List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter | `list(string)` | <pre>[<br> "arn:aws:ssm:*:*:parameter/aws/service/*"<br>]</pre> | no |
| <a name="input_karpenter_sqs_queue_arn"></a> [karpenter\_sqs\_queue\_arn](#input\_karpenter\_sqs\_queue\_arn) | (Optional) ARN of SQS used by Karpenter when native node termination handling is enabled | `string` | `null` | no |
| <a name="input_karpenter_subnet_account_id"></a> [karpenter\_subnet\_account\_id](#input\_karpenter\_subnet\_account\_id) | Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account | `string` | `""` | no |
| <a name="input_karpenter_tag_key"></a> [karpenter\_tag\_key](#input\_karpenter\_tag\_key) | Tag key (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner | `string` | `"karpenter.sh/discovery"` | no |
| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
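Review bot: the new row's description reads "ARN of SQS", which drops the resource noun; since this table is generated from the variable's `description`, change the wording at the source in variables.tf to "ARN of the SQS queue used by Karpenter when native node termination handling is enabled" so the README row regenerates with it, and keep `null` as the documented default so the policy statement stays conditional.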
29 changes: 22 additions & 7 deletions modules/iam-role-for-service-accounts-eks/policies.tf
@@ -509,24 +509,25 @@ resource "aws_iam_role_policy_attachment" "fsx_lustre_csi" {
# Karpenter Controller Policy
################################################################################

# curl -fsSL https://karpenter.sh/v0.6.1/getting-started/cloudformation.yaml
# https://github.com/aws/karpenter/blob/502d275cc330fb0f2435b124935c49632146d945/website/content/en/v0.19.0/getting-started/getting-started-with-eksctl/cloudformation.yaml#L34
data "aws_iam_policy_document" "karpenter_controller" {
count = var.create_role && var.attach_karpenter_controller_policy ? 1 : 0

statement {
actions = [
"ec2:CreateLaunchTemplate",
"ec2:CreateFleet",
"ec2:CreateLaunchTemplate",
"ec2:CreateTags",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceTypes",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeSubnets",
"pricing:GetProducts",
]

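Review bot: the only functional change in this statement, the new `ec2:DescribeSpotPriceHistory` action, is buried inside an alphabetical reorder of the existing actions, so it is easy to miss in review; call it out in the commit message or with a short comment next to the action so the permission grant is auditable later. The comment block above the resource also still carries the stale `curl -fsSL https://karpenter.sh/v0.6.1/getting-started/cloudformation.yaml` line next to the v0.19.0 template link; drop the old one so readers know which upstream template this action list was reconciled against.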
@@ -583,6 +584,20 @@ data "aws_iam_policy_document" "karpenter_controller" {
actions = ["iam:PassRole"]
resources = var.karpenter_controller_node_iam_role_arns
}

dynamic "statement" {
for_each = var.karpenter_sqs_queue_arn != null ? [1] : []

content {
actions = [
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ReceiveMessage",
]
resources = [var.karpenter_sqs_queue_arn]
}
}
}

resource "aws_iam_policy" "karpenter_controller" {
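Review bot: the guard `for_each = var.karpenter_sqs_queue_arn != null ? [1] : []` only tests for null, so an empty string (or any non-ARN value) still renders a statement with `resources = [""]`, which IAM rejects at apply time; either tighten the condition, for example `for_each = try(length(var.karpenter_sqs_queue_arn) > 0, false) ? [1] : []`, or add a `validation` block on the variable. Scoping the four `sqs:*` actions to the single queue ARN rather than `*` is the right least-privilege shape and should stay as written.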
6 changes: 6 additions & 0 deletions modules/iam-role-for-service-accounts-eks/variables.tf
@@ -215,6 +215,12 @@ variable "karpenter_subnet_account_id" {
default = ""
}

variable "karpenter_sqs_queue_arn" {
description = "(Optional) ARN of SQS used by Karpenter when native node termination handling is enabled"
type = string
default = null
}

# AWS Load Balancer Controller
variable "attach_load_balancer_controller_policy" {
description = "Determines whether to attach the Load Balancer Controller policy to the role"
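Review bot: pairing the new variable with a `validation` block, e.g. `condition = var.karpenter_sqs_queue_arn == null || can(regex("^arn:aws[a-z-]*:sqs:", var.karpenter_sqs_queue_arn))`, would reject empty or malformed values before the policy document is rendered, which matters because the policy only checks the value against `null`; the description should also say "ARN of the SQS queue" rather than "ARN of SQS".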