Merge pull request #6950 from zalando-incubator/aws-cloud-controller-manager

Add aws-cloud-controller-manager [1/2]

Author: linki

cluster/cluster.yaml

@@ -1414,6 +1414,89 @@ Resources:
             Version: 2012-10-17
           PolicyName: root
     Type: 'AWS::IAM::Role'
+  CloudControllerManagerIAMRole:
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Principal:
+              Federated: !Sub "arn:aws:iam::${AWS::AccountId}:oidc-provider/{{.Cluster.LocalID}}.{{.Values.hosted_zone}}"
+            Action:
+              - "sts:AssumeRoleWithWebIdentity"
+            Condition:
+              StringEquals:
+                "{{ .Cluster.LocalID }}.{{ .Values.hosted_zone }}:aud": "sts.amazonaws.com"
+                "{{ .Cluster.LocalID }}.{{ .Values.hosted_zone }}:sub": "system:serviceaccount:kube-system:cloud-controller-manager"
+        Version: 2012-10-17
+      Path: /
+      Policies:
+      # https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies
+      - PolicyDocument:
+          Statement:
+          - Effect: Allow
+            Action:
+            - "autoscaling:DescribeAutoScalingGroups"
+            - "autoscaling:DescribeLaunchConfigurations"
+            - "autoscaling:DescribeTags"
+            - "ec2:DescribeInstances"
+            - "ec2:DescribeRegions"
+            - "ec2:DescribeRouteTables"
+            - "ec2:DescribeSecurityGroups"
+            - "ec2:DescribeSubnets"
+            - "ec2:DescribeVolumes"
+            - "ec2:DescribeAvailabilityZones"
+            - "ec2:CreateSecurityGroup"
+            - "ec2:CreateTags"
+            - "ec2:CreateVolume"
+            - "ec2:ModifyInstanceAttribute"
+            - "ec2:ModifyVolume"
+            - "ec2:AttachVolume"
+            - "ec2:AuthorizeSecurityGroupIngress"
+            - "ec2:CreateRoute"
+            - "ec2:DeleteRoute"
+            - "ec2:DeleteSecurityGroup"
+            - "ec2:DeleteVolume"
+            - "ec2:DetachVolume"
+            - "ec2:RevokeSecurityGroupIngress"
+            - "ec2:DescribeVpcs"
+            - "elasticloadbalancing:AddTags"
+            - "elasticloadbalancing:AttachLoadBalancerToSubnets"
+            - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer"
+            - "elasticloadbalancing:CreateLoadBalancer"
+            - "elasticloadbalancing:CreateLoadBalancerPolicy"
+            - "elasticloadbalancing:CreateLoadBalancerListeners"
+            - "elasticloadbalancing:ConfigureHealthCheck"
+            - "elasticloadbalancing:DeleteLoadBalancer"
+            - "elasticloadbalancing:DeleteLoadBalancerListeners"
+            - "elasticloadbalancing:DescribeLoadBalancers"
+            - "elasticloadbalancing:DescribeLoadBalancerAttributes"
+            - "elasticloadbalancing:DetachLoadBalancerFromSubnets"
+            - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
+            - "elasticloadbalancing:ModifyLoadBalancerAttributes"
+            - "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
+            - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
+            - "elasticloadbalancing:AddTags"
+            - "elasticloadbalancing:CreateListener"
+            - "elasticloadbalancing:CreateTargetGroup"
+            - "elasticloadbalancing:DeleteListener"
+            - "elasticloadbalancing:DeleteTargetGroup"
+            - "elasticloadbalancing:DescribeListeners"
+            - "elasticloadbalancing:DescribeLoadBalancerPolicies"
+            - "elasticloadbalancing:DescribeTargetGroups"
+            - "elasticloadbalancing:DescribeTargetHealth"
+            - "elasticloadbalancing:ModifyListener"
+            - "elasticloadbalancing:ModifyTargetGroup"
+            - "elasticloadbalancing:RegisterTargets"
+            - "elasticloadbalancing:DeregisterTargets"
+            - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+            - "iam:CreateServiceLinkedRole"
+            - "kms:DescribeKey"
+            Resource:
+            - "*"
+          Version: 2012-10-17
+        PolicyName: root
+      RoleName: "{{.Cluster.LocalID}}-cloud-controller-manager"
+    Type: "AWS::IAM::Role"
   ETCDS3BackupIAMRole:
     Properties:
       AssumeRolePolicyDocument:

cluster/config-defaults.yaml

@@ -429,6 +429,12 @@ kubernetes_lifecycle_metrics_mem_min: "120Mi"
 kube_node_ready_controller_cpu: "50m"
 kube_node_ready_controller_memory: "200Mi"
 
+# Enable deployment of aws-cloud-controller-manager
+aws_cloud_controller_manager_enabled: "true"
+aws_cloud_controller_manager_cpu: "125m"
+aws_cloud_controller_manager_memory: "512Mi"
+
+
 # Kubernetes Downscaler (for non-production clusters)
 {{if eq .Cluster.Environment "test"}}
 downscaler_default_uptime: "Mon-Fri 07:30-20:30 Europe/Berlin"

cluster/manifests/aws-cloud-controller-manager/daemonset.yaml

@@ -0,0 +1,51 @@
+{{- if eq .Cluster.ConfigItems.aws_cloud_controller_manager_enabled "true" }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: aws-cloud-controller-manager
+  namespace: kube-system
+  labels:
+    application: kubernetes
+    component: aws-cloud-controller-manager
+spec:
+  selector:
+    matchLabels:
+      daemonset: aws-cloud-controller-manager
+  template:
+    metadata:
+      labels:
+        daemonset: aws-cloud-controller-manager
+        application: kubernetes
+        component: aws-cloud-controller-manager
+    spec:
+      containers:
+      - args:
+        - --v=2
+        - --cloud-provider=aws
+        - --use-service-account-credentials=true
+        - --configure-cloud-routes=false
+        image: container-registry.zalando.net/teapot/aws-cloud-controller-manager-internal:v1.26.1-master-108
+        name: aws-cloud-controller-manager
+        resources:
+          requests:
+            cpu: "{{ .Cluster.ConfigItems.aws_cloud_controller_manager_cpu }}"
+            memory: "{{ .Cluster.ConfigItems.aws_cloud_controller_manager_memory }}"
+          limits:
+            cpu: "{{ .Cluster.ConfigItems.aws_cloud_controller_manager_cpu }}"
+            memory: "{{ .Cluster.ConfigItems.aws_cloud_controller_manager_memory }}"
+      nodeSelector:
+        # node-role.kubernetes.io/control-plane: ""
+        node.kubernetes.io/role: master
+      serviceAccountName: cloud-controller-manager
+      tolerations:
+      - effect: NoSchedule
+        key: node.cloudprovider.kubernetes.io/uninitialized
+        value: "true"
+      # - effect: NoSchedule
+      #   key: node-role.kubernetes.io/control-plane
+      - key: node.kubernetes.io/role
+        value: master
+        effect: NoSchedule
+  updateStrategy:
+    type: RollingUpdate
+{{- end }}

cluster/manifests/aws-cloud-controller-manager/rbac.yaml

@@ -0,0 +1,138 @@
+{{- if eq .Cluster.ConfigItems.aws_cloud_controller_manager_enabled "true" }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+  namespace: kube-system
+  labels:
+    application: kubernetes
+    component: aws-cloud-controller-manager
+  annotations:
+    iam.amazonaws.com/role: "{{ .Cluster.LocalID }}-cloud-controller-manager"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:cloud-controller-manager
+  labels:
+    application: kubernetes
+    component: aws-cloud-controller-manager
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  verbs:
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cloud-controller-manager:apiserver-authentication-reader
+  namespace: kube-system
+  labels:
+    application: kubernetes
+    component: aws-cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cloud-controller-manager
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:cloud-controller-manager
+  labels:
+    application: kubernetes
+    component: aws-cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:cloud-controller-manager
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cloud-controller-manager
+  namespace: kube-system
+{{- end }}

cluster/manifests/deletions.yaml

@@ -298,3 +298,18 @@ post_apply:
   kind: PlatformCredentialsSet
   namespace: kube-system
 {{- end }}
+{{- if ne .Cluster.ConfigItems.aws_cloud_controller_manager_enabled "true" }}
+- name: aws-cloud-controller-manager
+  kind: DaemonSet
+  namespace: kube-system
+- name: cloud-controller-manager
+  kind: ServiceAccount
+  namespace: kube-system
+- name: system:cloud-controller-manager
+  kind: ClusterRole
+- name: cloud-controller-manager:apiserver-authentication-reader
+  namespace: kube-system
+  kind: RoleBinding
+- name: system:cloud-controller-manager
+  kind: ClusterRoleBinding
+{{- end }}