zalando-incubator · demonCoder95 · Aug 28, 2025 · Jul 28, 2025 · Jul 29, 2025 · Jul 30, 2025
diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
@@ -158,6 +158,11 @@ Resources:
     Type: 'AWS::EC2::SecurityGroup'
   EKSCluster:
     Type: AWS::EKS::Cluster
+{{- if eq .Cluster.ConfigItems.eks_control_plane_logging "true" }}
+{{- if eq .Cluster.ConfigItems.eks_control_plane_logging_migration "true" }}
+    DependsOn: ControlPlaneLogGroup
+{{- end }}
+{{- end }}
     Properties:
       Name: "{{.Cluster.Name}}"
       Version: "1.32"
@@ -1535,6 +1540,9 @@ Resources:
         - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ZalandoCloud-DenyDefault"
         - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ZalandoCloud-AllowPowerUser"
         - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ZalandoCloud-AllowPowerUserCustom"
+        {{- if eq .Cluster.Name "playground" }}
+        - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ZalandoCloud-AllowPowerUser-Playground"
+        {{- end }}
       RoleName: "{{.Cluster.LocalID}}-deployment"
     Type: 'AWS::IAM::Role'
   DeploymentServiceBucket:
@@ -1686,6 +1694,9 @@ Resources:
         - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ZalandoCloud-DenyDefault"
         - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ZalandoCloud-AllowPowerUser"
         - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ZalandoCloud-AllowPowerUserCustom"
+        {{- if eq .Cluster.Name "playground" }}
+        - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ZalandoCloud-AllowPowerUser-Playground"
+        {{- end }}
 {{- if eq .Cluster.ConfigItems.deployment_service_ml_experiments_enabled "true"}}
   DeploymentControllerMLExperimentDeploymentRole:
     Type: AWS::IAM::Role
@@ -3023,6 +3034,16 @@ Resources:
                 - BucketArn: !GetAtt AuditTrailBucket.Arn
 {{- end }}
 
+{{- if eq .Cluster.ConfigItems.eks_control_plane_logging "true" }}
+{{- if eq .Cluster.ConfigItems.eks_control_plane_logging_migration "true" }}
+  ControlPlaneLogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: "/aws/eks/{{.Cluster.LocalID}}/cluster"
+      RetentionInDays: 545
+{{- end }}
+{{- end }}
+
 {{- if index .Cluster.ConfigItems "session_manager_destination_arn" }}
   SessionManagerLogGroup:
     Type: AWS::Logs::LogGroup

diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -258,8 +258,12 @@ skipper_pod_deletion_cost_controller_poll_timeout: "60s"
 skipper_pod_deletion_cost_controller_resync_enable: "true"
 skipper_pod_deletion_cost_controller_resync_interval: "1h"
 
-# polarsignals - only enabled for testing teapot
+# polarsignals - only enabled for some clusters
+# right now only installed on skipper-ingress nodes
 polarsignals_enabled: "false"
+polarsignals_apikey: ""
+polarsignals_memory: 200Mi
+polarsignals_cpu: 50m
 
 # Kube-Metrics-Adapter
 ## Scheduled scaling metrics: ramp up/down over this period of time
@@ -1283,6 +1287,7 @@ wiz_node_feature_rollout : "false"
 
 # EKS specific configuration
 eks_control_plane_logging: "true"
+eks_control_plane_logging_migration: "false"
 eks_ip_family: "ipv4"
 eks_zalando_iam_aws_proxy_cpu: "100m"
 eks_zalando_iam_aws_proxy_memory: "512Mi"

diff --git a/cluster/manifests/02-admission-control/config.yaml b/cluster/manifests/02-admission-control/config.yaml
@@ -125,6 +125,9 @@ data:
 {{- if eq .Cluster.ConfigItems.wiz_enable_runtime_sensor "true" }}
   pod.pod-security-policy.privileged-service-accounts.wiz_wiz-sensor: ""
 {{- end }}
+{{- if eq .Cluster.ConfigItems.polarsignals_enabled "true" }}
+  pod.pod-security-policy.privileged-service-accounts.polarsignals_polarsignals-agent: ""
+{{- end }}
 
   pod.pod-security-policy.allowed-restricted-capabilities.AUDIT_WRITE: ""
   pod.pod-security-policy.allowed-restricted-capabilities.CHOWN: ""

diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
@@ -30,6 +30,23 @@ post_apply:
   namespace: cron
   kind: LimitRange
 {{ end }}
+{{ if ne .Cluster.ConfigItems.polarsignals_enabled "true" }}
+- name: polarsignals
+  namespace: polarsignals
+  kind: Secret
+- name: polarsignals-agent
+  namespace: polarsignals
+  kind: DaemonSet
+- name: polarsignals-agent
+  namespace: polarsignals
+  kind: ServiceAccount
+- name: polarsignals-agent
+  kind: ClusterRole
+- name: polarsignals-agent
+  kind: ClusterRoleBinding
+- name: polarsignals
+  kind: Namespace
+{{ end }}
 {{ if ne .Cluster.ConfigItems.downscaler_enabled "true" }}
 - name: kube-downscaler
   namespace: kube-system

diff --git a/cluster/manifests/ingress-controller/deployment.yaml b/cluster/manifests/ingress-controller/deployment.yaml
@@ -1,4 +1,4 @@
-# {{ $image := "926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/kube-ingress-aws-controller:v0.18.7" }}
+# {{ $image := "926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/kube-ingress-aws-controller:v0.18.8" }}
 # {{ $version := index (split $image ":") 1 }}
 
 apiVersion: apps/v1

diff --git a/cluster/manifests/polarsignals/01-namespace.yaml b/cluster/manifests/polarsignals/01-namespace.yaml
@@ -0,0 +1,11 @@
+{{ if eq .Cluster.ConfigItems.polarsignals_enabled "true" }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+  name: polarsignals
+{{ end }}
diff --git a/cluster/manifests/polarsignals/02-rbac.yaml b/cluster/manifests/polarsignals/02-rbac.yaml
@@ -0,0 +1,52 @@
+{{ if eq .Cluster.ConfigItems.polarsignals_enabled "true" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    component: agent
+    application: polarsignals
+  name: polarsignals-agent
+  namespace: polarsignals
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    component: agent
+    application: polarsignals
+  name: polarsignals-agent
+  namespace: polarsignals
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    component: agent
+    application: polarsignals
+  name: polarsignals-agent
+  namespace: polarsignals
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: polarsignals-agent
+subjects:
+  - kind: ServiceAccount
+    name: polarsignals-agent
+    namespace: polarsignals
+---
+{{ end }}
diff --git a/cluster/manifests/polarsignals/daemonset.yaml b/cluster/manifests/polarsignals/daemonset.yaml
@@ -0,0 +1,117 @@
+{{ if eq .Cluster.ConfigItems.polarsignals_enabled "true" }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: agent
+    application: polarsignals
+  name: polarsignals-agent
+  namespace: polarsignals
+  annotations:
+    node-ready.cluster.zalando.org/exclude: "true"
+spec:
+  selector:
+    matchLabels:
+      component: agent
+      application: polarsignals
+  template:
+    metadata:
+      labels:
+        component: agent
+        application: polarsignals
+    spec:
+      containers:
+        - args:
+            - /bin/parca-agent
+            - --log-level=info
+            - --node=$(NODE_NAME)
+            - --http-address=:7071
+            - --remote-store-address=grpc.polarsignals.com:443
+            - --remote-store-bearer-token-file=/var/polarsignals-agent/token
+            - --debuginfo-strip
+            - --debuginfo-temp-dir=/tmp
+            - --debuginfo-upload-cache-duration=5m
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          image: container-registry.zalando.net/gwproxy/parca-agent:v0.41.0
+          name: polarsignals-agent
+          ports:
+            - containerPort: 7071
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: http
+          resources:
+            limits:
+              cpu: "{{ .Cluster.ConfigItems.polarsignals_cpu}}"
+              memory: "{{ .Cluster.ConfigItems.polarsignals_memory}}"
+            requests:
+              cpu: "{{ .Cluster.ConfigItems.polarsignals_cpu}}"
+              memory: "{{ .Cluster.ConfigItems.polarsignals_memory}}"
+          securityContext:
+            privileged: true
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /run
+              name: run
+            - mountPath: /boot
+              name: boot
+              readOnly: true
+            - mountPath: /lib/modules
+              name: modules
+            - mountPath: /sys/kernel/debug
+              name: debugfs
+            - mountPath: /sys/fs/cgroup
+              name: cgroup
+            - mountPath: /sys/fs/bpf
+              name: bpffs
+            - mountPath: /var/run/dbus/system_bus_socket
+              name: dbus-system
+            - mountPath: /var/polarsignals-agent
+              name: token
+      hostPID: true
+      serviceAccountName: polarsignals-agent
+      nodeSelector:
+        kubernetes.io/os: linux
+        dedicated: skipper-ingress
+      tolerations:
+        - effect: NoSchedule
+          key: dedicated
+          value: skipper-ingress
+        - effect: NoExecute
+          operator: Exists
+      volumes:
+        - emptyDir: {}
+          name: tmp
+        - hostPath:
+            path: /run
+          name: run
+        - hostPath:
+            path: /boot
+          name: boot
+        - hostPath:
+            path: /sys/fs/cgroup
+          name: cgroup
+        - hostPath:
+            path: /lib/modules
+          name: modules
+        - hostPath:
+            path: /sys/fs/bpf
+          name: bpffs
+        - hostPath:
+            path: /sys/kernel/debug
+          name: debugfs
+        - hostPath:
+            path: /var/run/dbus/system_bus_socket
+          name: dbus-system
+        - secret:
+            secretName: polarsignals-agent
+          name: token
+{{ end }}
diff --git a/cluster/manifests/polarsignals/secret.yaml b/cluster/manifests/polarsignals/secret.yaml
@@ -0,0 +1,13 @@
+{{ if eq .Cluster.ConfigItems.polarsignals_enabled "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: polarsignals-agent
+  namespace: polarsignals
+  labels:
+    component: agent
+    application: polarsignals
+stringData:
+  token: {{ .Cluster.ConfigItems.polarsignals_apikey }}
+{{ end }}
diff --git a/cluster/manifests/skipper/deployment.yaml b/cluster/manifests/skipper/deployment.yaml
@@ -1,7 +1,7 @@
 {{/* image-updater-bot detects *image variables so use print to disable it for main image */}}
 
 {{ $main_image := print "container-registry.zalando.net/teapot/skipper-internal:" "v0.22.76-1183" }}
-{{ $canary_image := "container-registry.zalando.net/teapot/skipper-internal:v0.22.76-1183" }}
+{{ $canary_image := "container-registry.zalando.net/teapot/skipper-internal:v0.22.88-1195" }}
 
 {{/* Optional canary arguments separated by "[cf724afc]" to allow whitespaces, e.g. "-foo=has a whitespace[cf724afc]-baz=qux" */}}
 {{ $canary_args := "" }}