From 4eb115feb6f2f6cd6d0faddcc0e4abd0630d6489 Mon Sep 17 00:00:00 2001
From: Connor Catlett
Date: Thu, 26 Feb 2026 16:49:33 +0000
Subject: [PATCH] Improve eksctl config and migrate to pod identities
Signed-off-by: Connor Catlett
---
hack/e2e/config.sh | 4 ++++
hack/e2e/eksctl/cluster.yaml | 44 ++++++++++++------------------------
hack/e2e/eksctl/values.yaml | 2 --
3 files changed, 19 insertions(+), 31 deletions(-)
diff --git a/hack/e2e/config.sh b/hack/e2e/config.sh
index 308649a87e..81e9a1b3b9 100644
--- a/hack/e2e/config.sh
+++ b/hack/e2e/config.sh
@@ -67,6 +67,10 @@ IMAGE_ARCH=${IMAGE_ARCH:-amd64}
 DEPLOY_METHOD=${DEPLOY_METHOD:-"helm"}
 HELM_CT_TEST=${HELM_CT_TEST:-"false"}
 HELM_EXTRA_FLAGS=${HELM_EXTRA_FLAGS:-}
+# When using IRSA, eksctl creates the service account
+if [[ -n "${USE_IRSA:-}" ]]; then
+ HELM_EXTRA_FLAGS="${HELM_EXTRA_FLAGS} --set controller.serviceAccount.create=false"
+fi
 COLLECT_METRICS=${COLLECT_METRICS:-"false"}
 TEST_PATH=${TEST_PATH:-"./tests/e2e-kubernetes/..."}
diff --git a/hack/e2e/eksctl/cluster.yaml b/hack/e2e/eksctl/cluster.yaml
index 3d32cd45ed..240b7c7b2e 100644
--- a/hack/e2e/eksctl/cluster.yaml
+++ b/hack/e2e/eksctl/cluster.yaml
@@ -19,8 +19,11 @@ metadata:
 region: {{ .Env.REGION }}
 version: "{{ .Env.K8S_VERSION }}"
 availabilityZones: [{{ .Env.ZONES }}]
+autoModeConfig:
+ enabled: false
 iam:
 vpcResourceControllerPolicy: true
+{{- if env.Getenv "USE_IRSA" }}
 withOIDC: true
 serviceAccounts:
 - metadata:
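Review bot: The IRSA switch is presence-based, so `USE_IRSA=false` still appends `--set controller.serviceAccount.create=false` and, via `env.Getenv "USE_IRSA"` in cluster.yaml, still selects the IRSA branch; the two sites agree with each other, but nothing tells a reader that the value is ignored. I would extend the comment above the `if`: `# USE_IRSA is presence-based: any non-empty value (even "false") selects IRSA, in which case eksctl creates the service account and Helm must not.` If a true/false value is intended instead, the test should be `[[ "${USE_IRSA:-}" == "true" ]]` and the template condition changed to match. The surrounding variable block continues outside the hunk.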
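Review bot: `autoModeConfig.enabled: false` is added without a comment saying why auto mode is explicitly opted out, which will look like noise to the next person editing this template; presumably it is to keep the cluster from shipping a managed EBS CSI driver that would conflict with the driver under test, but that is inferred, not stated. I would add above it: `# Explicitly disable EKS Auto Mode so the e2e cluster runs only the driver under test (confirm against eksctl defaults for the pinned K8S_VERSION).` Likewise the `{{- if env.Getenv "USE_IRSA" }}` line deserves a one-line comment naming the two credential paths it selects between, since the matching `{{- else }}`/`{{- end }}` land in the next hunk.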
@@ -28,35 +31,15 @@ iam:
 namespace: kube-system
 wellKnownPolicies:
 ebsCSIController: true
- attachPolicy:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Action:
- - ec2:CopyVolumes
- Resource: "arn:aws:ec2:*:*:volume/vol-*"
- - Effect: Allow
- Action:
- - ec2:CopyVolumes
- Resource: "arn:aws:ec2:*:*:volume/*"
- Condition:
- StringLike:
- "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
- - Effect: Allow
- Action:
- - ec2:CopyVolumes
- Resource: "arn:aws:ec2:*:*:volume/*"
- Condition:
- StringLike:
- "aws:RequestTag/CSIVolumeName": "*"
- - Effect: Allow
- Action:
- - ec2:CreateTags
- Resource:
- - "arn:aws:ec2:*:*:volume/*"
- Condition:
- StringEquals:
- "ec2:CreateAction": "CopyVolumes"
+{{- else }}
+ podIdentityAssociations:
+ - namespace: kube-system
+ serviceAccountName: ebs-csi-controller-sa
+ wellKnownPolicies:
+ ebsCSIController: true
+addons:
+ - name: eks-pod-identity-agent
+{{- end }}
 managedNodeGroups:
 - name: ng-linux
 amiFamily: {{ .Env.AMI_FAMILY }}
@@ -78,6 +61,7 @@ managedNodeGroups:
 instanceTypes: [m5.2xlarge]
 ssh:
 allow: false
+ enableSsm: true
 {{- end }}
 nodeGroups:
 {{- if env.Getenv "OUTPOST_ARN" }}
@@ -93,6 +77,7 @@ nodeGroups:
 instanceType: {{ .Env.OUTPOST_INSTANCE_TYPE }}
 ssh:
 allow: false
+ enableSsm: true
 outpostARN: {{ .Env.OUTPOST_ARN }}
 {{- end }}
 {{- if and (eq .Env.WINDOWS "true") (env.Getenv "WINDOWS_AMI") }}
@@ -105,4 +90,5 @@ nodeGroups:
 instanceType: m5.2xlarge
 ssh:
 allow: false
+ enableSsm: true
 {{- end }}
diff --git a/hack/e2e/eksctl/values.yaml b/hack/e2e/eksctl/values.yaml
index 755d7c2f0d..77228fe557 100644
--- a/hack/e2e/eksctl/values.yaml
+++ b/hack/e2e/eksctl/values.yaml
@@ -14,7 +14,5 @@ controller:
 logLevel: 5
- serviceAccount:
- create: false # let eksctl create it
 node:
 logLevel: 5
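Review bot: The inline `attachPolicy` granting `ec2:CopyVolumes` (with the `aws:RequestTag` conditions) and the scoped `ec2:CreateTags` is removed on the IRSA path and has no counterpart in the new `podIdentityAssociations` entry, so both paths now rely entirely on `wellKnownPolicies.ebsCSIController`. If the eksctl release pinned by this repo does not yet fold those CopyVolumes statements into its well-known policy, any e2e case that exercises volume copy will fail with AccessDenied at runtime rather than at cluster creation; I cannot confirm the policy contents from this diff, so please check the pinned eksctl version. A short comment would record the decision either way, e.g. `# CopyVolumes permissions are expected to come from eksctl's ebsCSIController well-known policy; re-add an inline policy if the pinned eksctl lacks them.` The pod-identity branch also bundles the `addons:` top-level key inside the `{{- else }}`, which is correct as written but worth a comment since `addons` is not defined at all on the IRSA path.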
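Review bot: `enableSsm: true` is added to three node groups (this hunk and the two `nodeGroups` hunks that follow) with no comment explaining the change, and it widens node access even though `ssh.allow` stays `false`: as far as I recall eksctl implements it by attaching the SSM managed instance policy to the node instance role, making every node reachable through Session Manager by any principal in the account holding `ssm:StartSession`. That is a reasonable trade for debugging e2e failures, but it should be stated once so nobody later reads it as incidental; I would add above the first occurrence: `# Session Manager access (no SSH keys) for debugging failed e2e nodes; this attaches the SSM managed policy to the node role.` If the same comment is not wanted three times, a single note at the top of `managedNodeGroups` covering all groups is enough. Each node group definition starts outside its hunk.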