Merge pull request #8902 from zalando-incubator/karpenter-v1.1

Update to Karpenter v1.1.1 [3/x]

Author: demonCoder95

cluster/manifests/deletions.yaml

@@ -132,6 +132,16 @@ post_apply:
   namespace: kubenurse
   kind: Service
 {{- end }}
+# Remove karpenter webhook related resources which are not used since v1.1.1
+- name: karpenter-lease
+  kind: Role
+  namespace: kube-node-lease
+- name: karpenter-lease
+  kind: RoleBinding
+  namespace: kube-node-lease
+- name: karpenter-cert
+  kind: Secret
+  namespace: kube-system
 {{ if eq .Cluster.ConfigItems.karpenter_pools_enabled "false" }}
 - name: provisioners.karpenter.sh
   kind: CustomResourceDefinition
@@ -391,3 +401,6 @@ post_apply:
   kind: ServiceAccount
   namespace: kube-system
 {{- end}}
+- name: karpenter-v1-migrator
+  namespace: "kube-system"
+  kind: CronJob

cluster/manifests/z-karpenter/02-role.yaml

@@ -15,15 +15,7 @@ rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "watch"]
-  - apiGroups: [""]
-    resources: ["configmaps", "secrets"]
-    verbs: ["get", "list", "watch"]
   # Write
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["update"]
-    resourceNames:
-      - "karpenter-cert"
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["patch", "update"]
@@ -50,23 +42,4 @@ rules:
     resources: ["services"]
     resourceNames: ["kube-dns"]
     verbs: ["get"]
----
-# Source: karpenter/templates/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: karpenter-lease
-  namespace: kube-node-lease
-  labels:
-    application: kubernetes
-    component: karpenter
-rules:
-  # Read
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["get", "list", "watch"]
-  # Write
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["delete"]
 {{end}}

cluster/manifests/z-karpenter/03-rolebinding.yaml

@@ -35,22 +35,4 @@ subjects:
   - kind: ServiceAccount
     name: karpenter
     namespace: kube-system
----
-# Source: karpenter/templates/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: karpenter-lease
-  namespace: kube-node-lease
-  labels:
-    application: kubernetes
-    component: karpenter
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: karpenter-lease
-subjects:
-  - kind: ServiceAccount
-    name: karpenter
-    namespace: kube-system
 {{end}}

cluster/manifests/z-karpenter/05-clusterrole-core.yaml

@@ -22,12 +22,12 @@ rules:
   - apiGroups: ["apps"]
     resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
     verbs: ["list", "watch"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get", "watch", "list"]
   - apiGroups: ["policy"]
     resources: ["poddisruptionbudgets"]
     verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", list, "watch"]
   # Write
   - apiGroups: ["karpenter.sh"]
     resources: ["nodeclaims", "nodeclaims/status"]
@@ -47,14 +47,6 @@ rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["delete"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions/status"]
-    resourceNames: ["ec2nodeclasses.karpenter.k8s.aws", "nodepools.karpenter.sh", "nodeclaims.karpenter.sh"]
-    verbs: ["patch"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    resourceNames: ["ec2nodeclasses.karpenter.k8s.aws", "nodepools.karpenter.sh", "nodeclaims.karpenter.sh"]
-    verbs: ["update"]
 ---
 # Source: karpenter/templates/clusterrole-core.yaml
 apiVersion: rbac.authorization.k8s.io/v1