Skip to content

Commit

Permalink
feat(eks): alb controller include versions 2.4.2 - 2.5.1 (#25330)
Browse files Browse the repository at this point in the history 
## Motivation:
We should provide users with all available ALB controller versions for use with aws-eks. This change does not prohibit users from using previous ALB controller versions. Instead, this adds support for versions 2.4.2 - 2.5.1. Previous ALB controller versions can be specified by using the static "of" method as part of the AlbControllerVersion class, e.g., AlbControllerVersion.of().

## Testing:
Updated existing ALB controller integrity test to use ALB controller version 2.5.1. 

Closes #25307

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
@colifran
colifran committed May 15, 2023
1 parent 25bd120 commit 83c4c36
Show file tree
Hide file tree
Showing 17 changed files with 2,006 additions and 32 deletions.
24 changes: 22 additions & 2 deletions ...st/integ.alb-controller.js.snapshot/aws-cdk-eks-cluster-alb-controller-test.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1368,6 +1368,26 @@
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
]
},
{
"Action": "elasticloadbalancing:AddTags",
"Condition": {
"StringEquals": {
"elasticloadbalancing:CreateAction": [
"CreateTargetGroup",
"CreateLoadBalancer"
]
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
]
},
{
"Action": [
"elasticloadbalancing:DeregisterTargets",
Expand Down Expand Up @@ -1454,7 +1474,7 @@
},
"Release": "aws-load-balancer-controller",
"Chart": "aws-load-balancer-controller",
"Version": "1.4.1",
"Version": "1.5.2",
"Wait": true,
"Timeout": "900s",
"Values": {
Expand All @@ -1473,7 +1493,7 @@
{
"Ref": "Vpc8378EB38"
},
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.4.1\"}}"
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.5.1\"}}"
]
]
},
Expand Down
20 changes: 20 additions & 0 deletions ...-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/tree.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3385,6 +3385,26 @@
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
]
},
{
"Action": "elasticloadbalancing:AddTags",
"Condition": {
"StringEquals": {
"elasticloadbalancing:CreateAction": [
"CreateTargetGroup",
"CreateLoadBalancer"
]
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
]
},
{
"Action": [
"elasticloadbalancing:DeregisterTargets",
Expand Down
2 changes: 1 addition & 1 deletion packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ class EksClusterAlbControllerStack extends Stack {
vpc,
...getClusterVersionConfig(this),
albController: {
version: eks.AlbControllerVersion.V2_4_1,
version: eks.AlbControllerVersion.V2_5_1,
},
});

Expand Down
24 changes: 22 additions & 2 deletions ...eks/test/integ.eks-inference.js.snapshot/aws-cdk-eks-cluster-inference-test.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1703,6 +1703,26 @@
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
]
},
{
"Action": "elasticloadbalancing:AddTags",
"Condition": {
"StringEquals": {
"elasticloadbalancing:CreateAction": [
"CreateTargetGroup",
"CreateLoadBalancer"
]
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
]
},
{
"Action": [
"elasticloadbalancing:DeregisterTargets",
Expand Down Expand Up @@ -1809,7 +1829,7 @@
},
"Release": "aws-load-balancer-controller",
"Chart": "aws-load-balancer-controller",
"Version": "1.4.1",
"Version": "1.5.2",
"Wait": true,
"Timeout": "900s",
"Values": {
Expand All @@ -1828,7 +1848,7 @@
{
"Ref": "Vpc8378EB38"
},
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.4.1\"}}"
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.5.1\"}}"
]
]
},
Expand Down
20 changes: 20 additions & 0 deletions ...s-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-inference.js.snapshot/tree.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3842,6 +3842,26 @@
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
]
},
{
"Action": "elasticloadbalancing:AddTags",
"Condition": {
"StringEquals": {
"elasticloadbalancing:CreateAction": [
"CreateTargetGroup",
"CreateLoadBalancer"
]
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
]
},
{
"Action": [
"elasticloadbalancing:DeregisterTargets",
Expand Down
2 changes: 1 addition & 1 deletion packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-inference.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ class EksClusterInferenceStack extends Stack {
vpc,
...getClusterVersionConfig(this),
albController: {
version: eks.AlbControllerVersion.V2_4_1,
version: eks.AlbControllerVersion.V2_5_1,
},
});

Expand Down
2 changes: 1 addition & 1 deletion packages/aws-cdk-lib/aws-eks/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -518,7 +518,7 @@ The default value is `eks.EndpointAccess.PUBLIC_AND_PRIVATE`. Which means the cl

### Alb Controller

Some Kubernetes resources are commonly implemented on AWS with the help of the [ALB Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/).
Some Kubernetes resources are commonly implemented on AWS with the help of the [ALB Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.5/).

From the docs:

Expand Down
219 changes: 219 additions & 0 deletions packages/aws-cdk-lib/aws-eks/lib/addons/alb-iam_policy-v2.4.2.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,219 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeVpcs",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeTags",
"ec2:GetCoipPoolUsage",
"ec2:DescribeCoipPools",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTags"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cognito-idp:DescribeUserPoolClient",
"acm:ListCertificates",
"acm:DescribeCertificate",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL",
"shield:GetSubscriptionState",
"shield:DescribeProtection",
"shield:CreateProtection",
"shield:DeleteProtection"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateSecurityGroup"
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteRule"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:DeleteTargetGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule"
],
"Resource": "*"
}
]
}
Loading

0 comments on commit 83c4c36

Please sign in to comment.