
Commit 17cdb73

Merge pull request #8900 from zalando-incubator/karpenter-v1.0.5
Update to Karpenter v1.0.5 [1/X]
2 parents e6c1047 + 44d3cfe commit 17cdb73

18 files changed

+2336
-640
lines changed

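--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
@@ -662,20 +662,36 @@ Resources:
 "Version": "2012-10-17",
 "Statement": [
 {
-"Sid": "AllowScopedEC2InstanceActions",
+"Sid": "AllowScopedEC2InstanceAccessActions",
 "Effect": "Allow",
 "Resource": [
 "arn:${AWS::Partition}:ec2:${AWS::Region}::image/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*",
 "arn:${AWS::Partition}:ec2:${AWS::Region}:*:security-group/*",
-"arn:${AWS::Partition}:ec2:${AWS::Region}:*:subnet/*",
-"arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*"
+"arn:${AWS::Partition}:ec2:${AWS::Region}:*:subnet/*"
 ],
 "Action": [
 "ec2:RunInstances",
 "ec2:CreateFleet"
 ]
 },
+{
+"Sid": "AllowScopedEC2LaunchTemplateAccessActions",
+"Effect": "Allow",
+"Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:*:launch-template/*",
+"Action": [
+"ec2:RunInstances",
+"ec2:CreateFleet"
+],
+"Condition": {
+"StringEquals": {
+"aws:ResourceTag/kubernetes.io/cluster/{{.Cluster.ID}}": "owned"
+},
+"StringLike": {
+"aws:ResourceTag/karpenter.sh/nodepool": "*"
+}
+}
+},
 {
 "Sid": "AllowScopedEC2InstanceActionsWithTags",
 "Effect": "Allow",
@@ -694,7 +710,8 @@ Resources:
 ],
 "Condition": {
 "StringEquals": {
-"aws:RequestTag/kubernetes.io/cluster/{{.Cluster.ID}}": "owned"
+"aws:RequestTag/kubernetes.io/cluster/{{.Cluster.ID}}": "owned",
+"aws:RequestTag/eks:eks-cluster-name": "{{.Cluster.ID}}"
 },
 "StringLike": {
 "aws:RequestTag/karpenter.sh/nodepool": "*"
@@ -716,6 +733,7 @@ Resources:
 "Condition": {
 "StringEquals": {
 "aws:RequestTag/kubernetes.io/cluster/{{.Cluster.ID}}": "owned",
+"aws:RequestTag/eks:eks-cluster-name": "{{.Cluster.ID}}",
 "ec2:CreateAction": [
 "RunInstances",
 "CreateFleet",
@@ -739,8 +757,12 @@ Resources:
 "StringLike": {
 "aws:ResourceTag/karpenter.sh/nodepool": "*"
 },
+"StringEqualsIfExists": {
+"aws:RequestTag/eks:eks-cluster-name": "{{.Cluster.ID}}"
+},
 "ForAllValues:StringEquals": {
 "aws:TagKeys": [
+"eks:eks-cluster-name",
 "karpenter.sh/nodeclaim",
 "Name"
 ]
@@ -824,13 +846,14 @@ Resources:
 {
 "Sid": "AllowScopedInstanceProfileCreationActions",
 "Effect": "Allow",
-"Resource": "*",
+"Resource": "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/*",
 "Action": [
 "iam:CreateInstanceProfile"
 ],
 "Condition": {
 "StringEquals": {
 "aws:RequestTag/kubernetes.io/cluster/{{.Cluster.ID}}": "owned",
+"aws:RequestTag/eks:eks-cluster-name": "{{.Cluster.ID}}",
 "aws:RequestTag/topology.kubernetes.io/region": "${AWS::Region}"
 },
 "StringLike": {
@@ -841,7 +864,7 @@ Resources:
 {
 "Sid": "AllowScopedInstanceProfileTagActions",
 "Effect": "Allow",
-"Resource": "*",
+"Resource": "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/*",
 "Action": [
 "iam:TagInstanceProfile"
 ],
@@ -850,6 +873,7 @@ Resources:
 "aws:ResourceTag/kubernetes.io/cluster/{{.Cluster.ID}}": "owned",
 "aws:ResourceTag/topology.kubernetes.io/region": "${AWS::Region}",
 "aws:RequestTag/kubernetes.io/cluster/{{.Cluster.ID}}": "owned",
+"aws:RequestTag/eks:eks-cluster-name": "{{.Cluster.ID}}",
 "aws:RequestTag/topology.kubernetes.io/region": "${AWS::Region}"
 },
 "StringLike": {
@@ -861,7 +885,7 @@ Resources:
 {
 "Sid": "AllowScopedInstanceProfileActions",
 "Effect": "Allow",
-"Resource": "*",
+"Resource": "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/*",
 "Action": [
 "iam:AddRoleToInstanceProfile",
 "iam:RemoveRoleFromInstanceProfile",
@@ -880,8 +904,14 @@ Resources:
 {
 "Sid": "AllowInstanceProfileReadActions",
 "Effect": "Allow",
-"Resource": "*",
+"Resource": "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/*",
 "Action": "iam:GetInstanceProfile"
+},
+{
+"Sid": "AllowAPIServerEndpointDiscovery",
+"Effect": "Allow",
+"Resource": "arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/{{.Cluster.ID}}",
+"Action": "eks:DescribeCluster"
 }
 ]
 }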
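Review bot: The `AllowScopedEC2InstanceActionsWithTags` condition in the second hunk now requires `aws:RequestTag/eks:eks-cluster-name` to equal the cluster ID under a plain `StringEquals`, so any RunInstances/CreateFleet/CreateLaunchTemplate call that does not request that tag is denied outright, while the tagging statement in the fourth hunk uses `StringEqualsIfExists` for the same key and therefore tolerates its absence. That asymmetry is fine if the controller always sets the tag (Karpenter v1 does), but the same commit removes the `karpenter_version` legacy switch from config-defaults.yaml, so a cluster still running a pre-v1 controller image when this policy rolls out would presumably lose the ability to launch nodes; the roll-out order of policy and controller should be confirmed. A YAML comment above the policy document stating the version assumption would prevent a later reader from relaxing the condition without understanding it, e.g. `# Statement set mirrors upstream Karpenter v1.0.x; the controller must request the eks:eks-cluster-name tag or node launches are denied`. The statement that the second hunk modifies starts outside the hunk.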

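--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -38,11 +38,6 @@ karpenter_controller_memory: "256Mi"
 karpenter_log_level: "error"
 # restrict the maximum number of pods for karpenter nodes
 karpenter_max_pods_per_node: "32"
-#
-# Karpenter version for controlling roll-out, can be "current" or "legacy"
-# current => 0.37.0-main-26.patched
-# legacy => 0.36.2-main-25.patched
-karpenter_version: "current"
 
 # configure whether karpenter should assume instances with local storage use
 # RAID0 for ephemeral pod storage.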

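--- a/cluster/manifests/01-admission-control/config.yaml
+++ b/cluster/manifests/01-admission-control/config.yaml
@@ -197,6 +197,7 @@ data:
 {{- end}}
 
 node.node-not-ready-taint.enable: "{{ .Cluster.ConfigItems.teapot_admission_controller_node_not_ready_taint }}"
+node.karpenter-unregistered-taint.enable: "true"
 node.extended-node-restriction.enable: "true"
 
 {{- range $group, $provider := nodeLifeCycleProviderPerNodePoolGroup .Cluster.NodePools }}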
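Review bot: `node.karpenter-unregistered-taint.enable` is hard-coded to `"true"` while the line directly above it is driven by a config item and every Karpenter manifest in this commit is gated on `karpenter_pools_enabled`, so clusters without Karpenter pools also get the flag switched on. If the admission controller accepts the same `"true"`/`"false"` string the manifests compare against, gating it the same way, `node.karpenter-unregistered-taint.enable: "{{ .Cluster.ConfigItems.karpenter_pools_enabled }}"`, keeps the two in lockstep; otherwise a comment above the line explaining why it is unconditional (and what the flag makes the admission controller enforce) would help the next reader. The `data:` mapping this line belongs to starts outside the hunk.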

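--- a/cluster/manifests/deletions.yaml
+++ b/cluster/manifests/deletions.yaml
@@ -132,37 +132,6 @@ post_apply:
 namespace: kubenurse
 kind: Service
 {{- end }}
-# for karpenter >=v0.33.0 webhooks and settings configmaps have been removed
-# https://karpenter.sh/v0.32/upgrading/v1beta1-migration/#webhook-support-deprecated-in-favor-of-cel
-# https://karpenter.sh/v0.32/upgrading/v1beta1-migration/#global-settings
-- name: karpenter-logging-config
-kind: ConfigMap
-namespace: kube-system
-- name: karpenter-webhook
-kind: ClusterRole
-- name: karpenter-webhook
-kind: ClusterRoleBinding
-- name: karpenter-webhook
-kind: ClusterRole
-- name: karpenter-webhook
-kind: ClusterRoleBinding
-- name: karpenter-global-settings
-kind: ConfigMap
-namespace: kube-system
-- name: config-logging
-kind: ConfigMap
-namespace: kube-system
-- name: karpenter-cert
-kind: Secret
-namespace: kube-system
-- name: defaulting.webhook.karpenter.k8s.aws
-kind: MutatingWebhookConfiguration
-- name: validation.webhook.karpenter.k8s.aws
-kind: ValidatingWebhookConfiguration
-- name: validation.webhook.config.karpenter.sh
-kind: ValidatingWebhookConfiguration
-- name: validation.webhook.karpenter.sh
-kind: ValidatingWebhookConfiguration
 {{ if eq .Cluster.ConfigItems.karpenter_pools_enabled "false" }}
 - name: provisioners.karpenter.sh
 kind: CustomResourceDefinition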

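--- a/cluster/manifests/z-karpenter/01-serviceaccount.yaml
+++ b/cluster/manifests/z-karpenter/01-serviceaccount.yaml
@@ -1,6 +1,6 @@
 {{ if eq .Cluster.ConfigItems.karpenter_pools_enabled "true"}}
 ---
-# Source: karpenter/templates/01-serviceaccount.yaml
+# Source: karpenter/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata: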

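--- a/cluster/manifests/z-karpenter/02-role.yaml
+++ b/cluster/manifests/z-karpenter/02-role.yaml
@@ -1,7 +1,7 @@
 {{ if eq .Cluster.ConfigItems.karpenter_pools_enabled "true"}}
 
 ---
-# Source: karpenter/templates/02-role.yaml
+# Source: karpenter/templates/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -15,7 +15,15 @@ rules:
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["get", "watch"]
+- apiGroups: [""]
+resources: ["configmaps", "secrets"]
+verbs: ["get", "list", "watch"]
 # Write
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["update"]
+resourceNames:
+- "karpenter-cert"
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["patch", "update"]
@@ -27,7 +35,7 @@ rules:
 resources: ["leases"]
 verbs: ["create"]
 ---
-# Source: karpenter/templates/02-role.yaml
+# Source: karpenter/templates/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -43,7 +51,7 @@ rules:
 resourceNames: ["kube-dns"]
 verbs: ["get"]
 ---
-# Source: karpenter/templates/02-role.yaml
+# Source: karpenter/templates/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -61,4 +69,4 @@ rules:
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["delete"]
-{{end}}
+{{end}}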
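Review bot: The new read rule in the second hunk grants `get`, `list` and `watch` on every `secrets` object in the Role's namespace, while the write rule immediately below it is correctly narrowed with `resourceNames: ["karpenter-cert"]`. This presumably mirrors the upstream chart's role so the controller can manage its own webhook certificate, but in a shared `kube-system`-style namespace it lets the Karpenter service account read every secret there, and `list`/`watch` cannot be scoped by name. If only the certificate is needed, narrowing the read rule to `verbs: ["get"]` plus the same `resourceNames` would match the write rule; if listing is genuinely required, a comment naming the consumer (`# cert-controller watches its own webhook secret`) would record why the breadth is accepted. The Role's `metadata`, and therefore its namespace, is outside the hunk.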

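--- a/cluster/manifests/z-karpenter/03-rolebinding.yaml
+++ b/cluster/manifests/z-karpenter/03-rolebinding.yaml
@@ -1,6 +1,6 @@
 {{ if eq .Cluster.ConfigItems.karpenter_pools_enabled "true"}}
 ---
-# Source: karpenter/templates/03-rolebinding.yaml
+# Source: karpenter/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -18,7 +18,7 @@ subjects:
 name: karpenter
 namespace: kube-system
 ---
-# Source: karpenter/templates/03-rolebinding.yaml
+# Source: karpenter/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -36,7 +36,7 @@ subjects:
 name: karpenter
 namespace: kube-system
 ---
-# Source: karpenter/templates/03-rolebinding.yaml
+# Source: karpenter/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -53,4 +53,4 @@ subjects:
 - kind: ServiceAccount
 name: karpenter
 namespace: kube-system
-{{end}}
+{{end}}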

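--- a/cluster/manifests/z-karpenter/04-clusterrole.yaml
+++ b/cluster/manifests/z-karpenter/04-clusterrole.yaml
@@ -1,6 +1,6 @@
 {{ if eq .Cluster.ConfigItems.karpenter_pools_enabled "true" }}
 ---
-# Source: karpenter/templates/04-clusterrole.yaml
+# Source: karpenter/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -18,7 +18,7 @@ rules:
 resources: ["ec2nodeclasses", "ec2nodeclasses/status"]
 verbs: ["patch", "update"]
 ---
-# Source: karpenter/templates/04-clusterrole.yaml
+# Source: karpenter/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -34,4 +34,4 @@ subjects:
 - kind: ServiceAccount
 name: karpenter
 namespace: kube-system
-{{ end }}
+{{ end }}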

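--- a/cluster/manifests/z-karpenter/05-clusterrole-core.yaml
+++ b/cluster/manifests/z-karpenter/05-clusterrole-core.yaml
@@ -1,6 +1,6 @@
 {{ if eq .Cluster.ConfigItems.karpenter_pools_enabled "true" }}
 ---
-# Source: karpenter/templates/05-clusterrole-core.yaml
+# Source: karpenter/templates/clusterrole-core.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -17,11 +17,14 @@ rules:
 resources: ["pods", "nodes", "persistentvolumes", "persistentvolumeclaims", "replicationcontrollers", "namespaces"]
 verbs: ["get", "list", "watch"]
 - apiGroups: ["storage.k8s.io"]
-resources: ["storageclasses", "csinodes"]
+resources: ["storageclasses", "csinodes", "volumeattachments"]
 verbs: ["get", "watch", "list"]
 - apiGroups: ["apps"]
 resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
 verbs: ["list", "watch"]
+- apiGroups: ["apiextensions.k8s.io"]
+resources: ["customresourcedefinitions"]
+verbs: ["get", "watch", "list"]
 - apiGroups: ["policy"]
 resources: ["poddisruptionbudgets"]
 verbs: ["get", "list", "watch"]
@@ -37,12 +40,23 @@ rules:
 verbs: ["create", "patch"]
 - apiGroups: [""]
 resources: ["nodes"]
-verbs: ["patch", "delete"]
+verbs: ["patch", "delete", "update"]
 - apiGroups: [""]
 resources: ["pods/eviction"]
 verbs: ["create"]
+- apiGroups: [""]
+resources: ["pods"]
+verbs: ["delete"]
+- apiGroups: ["apiextensions.k8s.io"]
+resources: ["customresourcedefinitions/status"]
+resourceNames: ["ec2nodeclasses.karpenter.k8s.aws", "nodepools.karpenter.sh", "nodeclaims.karpenter.sh"]
+verbs: ["patch"]
+- apiGroups: ["apiextensions.k8s.io"]
+resources: ["customresourcedefinitions"]
+resourceNames: ["ec2nodeclasses.karpenter.k8s.aws", "nodepools.karpenter.sh", "nodeclaims.karpenter.sh"]
+verbs: ["update"]
 ---
-# Source: karpenter/templates/05-clusterrole-core.yaml
+# Source: karpenter/templates/clusterrole-core.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -58,4 +72,4 @@ subjects:
 - kind: ServiceAccount
 name: karpenter
 namespace: kube-system
-{{end}}
+{{end}}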
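Review bot: The third hunk adds cluster-wide `delete` on `pods` and `update` on `nodes` with no comment, right next to two CRD rules that are carefully pinned with `resourceNames`; these are the two broadest grants added to this ClusterRole and nothing in the hunk says why they are needed. Presumably `pods` delete covers forced removal of pods that ignore eviction during a node drain and `nodes` update covers taint handling, which the upstream v1 core role also carries, but the existing `pods/eviction` create rule already supports graceful drain, so if forced deletion is not relied on here the rule should be dropped. At minimum each of the two rules deserves a one-line comment recording the reason, e.g. `# v1: forced pod removal when eviction is blocked during drain` and `# v1: node taint and annotation updates`. The `rules:` list that the hunk extends starts outside the hunk.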

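--- a/cluster/manifests/z-karpenter/06-aggregate-clusterrole.yaml
+++ b/cluster/manifests/z-karpenter/06-aggregate-clusterrole.yaml
@@ -1,6 +1,6 @@
 {{ if eq .Cluster.ConfigItems.karpenter_pools_enabled "true"}}
 ---
-# Source: karpenter/templates/aggregate-04-clusterrole.yaml
+# Source: karpenter/templates/aggregate-clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: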
