feat(eks): support adding k8s resources to imported clusters #9802
Conversation
Allow adding Kubernetes resources such as manifests and Helm charts to imported clusters (`eks.Cluster.fromAttributes`). To enable this behavior, when the cluster is imported, users will have to specify additional information: - `kubectlRole` - an IAM role that can issue kubectl commands against the cluster - `kubectlEnvironment` (optional) - environment variables for `kubectl`. - `kubectlPrivateSubnets` and `kubectlSecurityGroup` - required if the cluster's k8s endpoint is private Resolves #5383
|
@Mergifyio refresh |
|
Command |
|
@eladb Any reason the |
|
@Mergifyio refresh |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Command |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mergify
bot
deleted the
benisrae/eks-add-manifest-to-imported-cluster
branch
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
This is amazing! Thank you for the great work! |
Thanks! Looking forward for feedback :-) |
|
hey, just updated. we have two clusters in our stack. does this mean we cannot update, or is there a way to go around this? |
|
@itajaja This limitation actually short-circuits some problems you might encounter with multiple clusters in a stack with regards to endpoint access configuration. Is it possible for you to split the cluster to different stacks? |
|
what kinds of problems? are they solvable through aws-cdk alone?
it would be quite awkward. |
Currently no. The problem is that having multiple clusters in the same stack would force those clusters to have a publicly accessible endpoint (i.e only Apologies for the inconvenience, we have created an issue to gather feedback on this limitation and think of possible solutions. Would be great if you can share your use case. |
…ependency and breaks deployment (#10536) In version [`1.62.0`](https://github.com/aws/aws-cdk/releases/tag/v1.62.0) we introduced the ability to run `kubectl` commands on imported clusters. (See #9802). Part of this change included some refactoring with regards to how we use and create the `KubectlProvider`. Looks like we didn't consistently apply the same logic across all constructs that use it. Case in point: https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-manifest.ts#L58 Notice that here we use `this` as the scope to the `getOrCreate` call. Same goes for: https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-object-value.ts#L64 However, `KubernetesPatch` use `scope` instead. https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-patch.ts#L74 This means that the entire `scope` of the `KubernetesPatch` now depends, among others, on the `kubectlBarrier`. The scope will usually be either the cluster itself (when using `FargateCluster`), or the entire stack (when using `new KubernetesPatch`). In any case, the scope will most likely contain the cluster VPC. This creates the following dependency cycle: `Cluster => ClusterVpc => KubectlBarrier => Cluster`. The fix aligns the `KubernetesPatch` behavior to all other `kubectl` constructs and uses `this` as the scope, which will only add dependency on the barrier to the custom resource representing the patch. Fixes #10528 Fixes #10537 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ependency and breaks deployment (#10536) In version [`1.62.0`](https://github.com/aws/aws-cdk/releases/tag/v1.62.0) we introduced the ability to run `kubectl` commands on imported clusters. (See #9802). Part of this change included some refactoring with regards to how we use and create the `KubectlProvider`. Looks like we didn't consistently apply the same logic across all constructs that use it. Case in point: https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-manifest.ts#L58 Notice that here we use `this` as the scope to the `getOrCreate` call. Same goes for: https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-object-value.ts#L64 However, `KubernetesPatch` use `scope` instead. https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-patch.ts#L74 This means that the entire `scope` of the `KubernetesPatch` now depends, among others, on the `kubectlBarrier`. The scope will usually be either the cluster itself (when using `FargateCluster`), or the entire stack (when using `new KubernetesPatch`). In any case, the scope will most likely contain the cluster VPC. This creates the following dependency cycle: `Cluster => ClusterVpc => KubectlBarrier => Cluster`. The fix aligns the `KubernetesPatch` behavior to all other `kubectl` constructs and uses `this` as the scope, which will only add dependency on the barrier to the custom resource representing the patch. Fixes #10528 Fixes #10537 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Allow adding Kubernetes resources such as manifests and Helm charts to imported clusters (
eks.Cluster.fromAttributes).To enable this behavior, when the cluster is imported, users will have to specify additional information:
kubectlRole- an IAM role that can issue kubectl commands against the clusterkubectlEnvironment(optional) - environment variables forkubectl.kubectlPrivateSubnetsandkubectlSecurityGroup- required if the cluster's k8s endpoint is privateResolves #5383
BREAKING CHANGE: when importing EKS clusters using
eks.Cluster.fromClusterAttributes, theclusterArnattribute is not supported anymore, and will always be derived fromclusterName.eks.Clusteris allowed per CloudFormation stack.securityGroupsattribute ofClusterAttributesis nowsecurityGroupIds.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license