Attach the legacy controller policy in E2E
jonathan-innis committed Oct 6, 2023
1 parent f5426c7 commit e3ac33b
Showing 4 changed files with 193 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .github/actions/e2e/cleanup/action.yaml
Expand Up @@ -75,6 +75,10 @@ runs:
-r \
aws ec2 delete-security-group \
--group-id
- name: delete-iam-alpha-policy
shell: bash
run: |
aws iam delete-policy --policy-arn "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicyLegacy-${{ inputs.cluster_name }}" || true
- name: delete-iam-policies-stack
shell: bash
run: |
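Review bot: The `|| true` on the `aws iam delete-policy` line swallows every failure, including the DeleteConflict that IAM returns while `KarpenterControllerPolicyLegacy-<cluster>` is still attached to the karpenter IRSA role, so an orphaned policy would accumulate across runs with nothing in the job log. The `runs:` step list starts above the hunk, so I cannot confirm whether the role is detached or deleted earlier; either way the failure should at least be surfaced, e.g. replace `|| true` with `|| echo "::warning::failed to delete legacy controller policy for ${{ inputs.cluster_name }}"`. The step name `delete-iam-alpha-policy` also does not match the `Legacy` suffix used in the ARN; naming it `delete-iam-legacy-policy` keeps the create/delete pair greppable.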
13 changes: 13 additions & 0 deletions .github/actions/e2e/create-cluster/action.yaml
Expand Up @@ -61,6 +61,18 @@ runs:
--capabilities CAPABILITY_NAMED_IAM \
--parameter-overrides "ClusterName=${{ inputs.cluster_name }}" \
--tags "testing/type=e2e" "github.com/run-url=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" "karpenter.sh/discovery=${{ inputs.cluster_name }}"
- name: deploy alpha (legacy) policy
shell: bash
run: |
export AWS_PARTITION=aws
export AWS_REGION=${{ inputs.region }}
export AWS_ACCOUNT_ID=${{ inputs.account_id }}
export CLUSTER_NAME=${{ inputs.cluster_name }}
POLICY_DOCUMENT=$(envsubst < .github/actions/e2e/create-cluster/alpha-controller-policy.json)
POLICY_NAME="KarpenterControllerPolicyLegacy-${CLUSTER_NAME}"
echo "Creating policy $POLICY_NAME..."
aws iam create-policy --policy-name "$POLICY_NAME" --policy-document "$POLICY_DOCUMENT"
- name: create or upgrade cluster
shell: bash
run: |
Expand Down Expand Up @@ -104,6 +116,7 @@ runs:
namespace: karpenter
attachPolicyARNs:
- "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicy-${{ inputs.cluster_name }}"
- "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicyLegacy-${{ inputs.cluster_name }}"
permissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
roleName: karpenter-irsa-${{ inputs.cluster_name }}
roleOnly: true
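Review bot: `aws iam create-policy` in the `deploy alpha (legacy) policy` step is not idempotent: if a `KarpenterControllerPolicyLegacy-<cluster>` policy survived an earlier run (the cleanup action deletes it with `|| true`, so that is possible), IAM returns EntityAlreadyExists and the job fails before the cluster step, whereas the `cloudformation deploy` call just above creates or updates. A guard such as `POLICY_ARN="arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:policy/${POLICY_NAME}"` followed by `aws iam get-policy --policy-arn "$POLICY_ARN" >/dev/null 2>&1 || aws iam create-policy --policy-name "$POLICY_NAME" --policy-document "$POLICY_DOCUMENT"` makes re-runs survivable, at the cost of keeping a stale document when the JSON changes (a `create-policy-version --set-as-default` branch would cover that, subject to the five-version limit). The second hunk, inside the `create or upgrade cluster` step whose `run:` block continues past the hunk, attaches the legacy policy to the same IRSA role as the current policy, so the role's effective permissions become the union of both documents bounded only by `GithubActionsPermissionsBoundary`; a comment above the added `attachPolicyARNs` entry such as `# legacy (v1alpha5) policy is attached alongside the current one on purpose, for the migration E2E` would tell the next reader this widening is deliberate.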
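--- /dev/null
+++ b/.github/actions/e2e/create-cluster/alpha-controller-policy.json
@@ -0,0 +1,166 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "AllowScopedEC2InstanceActions",
+"Effect": "Allow",
+"Resource": [
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}::image/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}::snapshot/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:spot-instances-request/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:security-group/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:subnet/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
+],
+"Action": [
+"ec2:RunInstances",
+"ec2:CreateFleet"
+]
+},
+{
+"Sid": "AllowScopedEC2InstanceActionsWithTags",
+"Effect": "Allow",
+"Resource": [
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:fleet/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:volume/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:network-interface/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
+],
+"Action": [
+"ec2:RunInstances",
+"ec2:CreateFleet",
+"ec2:CreateLaunchTemplate"
+],
+"Condition": {
+"StringEquals": {
+"aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned"
+},
+"StringLike": {
+"aws:RequestTag/karpenter.sh/provisioner-name": "*"
+}
+}
+},
+{
+"Sid": "AllowScopedResourceCreationTagging",
+"Effect": "Allow",
+"Resource": [
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:fleet/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:volume/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:network-interface/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
+],
+"Action": "ec2:CreateTags",
+"Condition": {
+"StringEquals": {
+"aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned",
+"ec2:CreateAction": [
+"RunInstances",
+"CreateFleet",
+"CreateLaunchTemplate"
+]
+},
+"StringLike": {
+"aws:RequestTag/karpenter.sh/provisioner-name": "*"
+}
+}
+},
+{
+"Sid": "AllowMachineMigrationTagging",
+"Effect": "Allow",
+"Resource": "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
+"Action": "ec2:CreateTags",
+"Condition": {
+"StringEquals": {
+"aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned",
+"aws:RequestTag/karpenter.sh/managed-by": "${CLUSTER_NAME}"
+},
+"StringLike": {
+"aws:RequestTag/karpenter.sh/provisioner-name": "*"
+},
+"ForAllValues:StringEquals": {
+"aws:TagKeys": [
+"karpenter.sh/provisioner-name",
+"karpenter.sh/managed-by"
+]
+}
+}
+},
+{
+"Sid": "AllowScopedDeletion",
+"Effect": "Allow",
+"Resource": [
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*",
+"arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*"
+],
+"Action": [
+"ec2:TerminateInstances",
+"ec2:DeleteLaunchTemplate"
+],
+"Condition": {
+"StringEquals": {
+"aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned"
+},
+"StringLike": {
+"aws:ResourceTag/karpenter.sh/provisioner-name": "*"
+}
+}
+},
+{
+"Sid": "AllowRegionalReadActions",
+"Effect": "Allow",
+"Resource": "*",
+"Action": [
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeImages",
+"ec2:DescribeInstances",
+"ec2:DescribeInstanceTypeOfferings",
+"ec2:DescribeInstanceTypes",
+"ec2:DescribeLaunchTemplates",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeSpotPriceHistory",
+"ec2:DescribeSubnets"
+],
+"Condition": {
+"StringEquals": {
+"aws:RequestedRegion": "${AWS_REGION}"
+}
+}
+},
+{
+"Sid": "AllowSSMReadActions",
+"Effect": "Allow",
+"Resource": "arn:${AWS_PARTITION}:ssm:${AWS_REGION}::parameter/aws/service/*",
+"Action": "ssm:GetParameter"
+},
+{
+"Sid": "AllowPricingReadActions",
+"Effect": "Allow",
+"Resource": "*",
+"Action": "pricing:GetProducts"
+},
+{
+"Sid": "AllowInterruptionQueueActions",
+"Effect": "Allow",
+"Resource": "arn:aws:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:${CLUSTER_NAME}",
+"Action": [
+"sqs:DeleteMessage",
+"sqs:GetQueueAttributes",
+"sqs:GetQueueUrl",
+"sqs:ReceiveMessage"
+]
+},
+{
+"Sid": "AllowPassingInstanceRole",
+"Effect": "Allow",
+"Resource": "arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME}",
+"Action": "iam:PassRole",
+"Condition": {
+"StringEquals": {
+"iam:PassedToService": "ec2.amazonaws.com"
+}
+}
+}
+]
+}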
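Review bot: The `AllowInterruptionQueueActions` statement hard-codes the partition (`"Resource": "arn:aws:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:${CLUSTER_NAME}"`) while every other ARN in the file is built from `${AWS_PARTITION}`, which the calling step exports before running `envsubst`; it should read `"Resource": "arn:${AWS_PARTITION}:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:${CLUSTER_NAME}"` so the SQS grant does not silently stop matching if the E2E is ever pointed at another partition. The remaining statements read as the scoped legacy controller policy (tag-conditioned RunInstances/CreateFleet and CreateTags, tag-scoped TerminateInstances, region-conditioned Describe* on `*`), which is consistent with the file's purpose. One caveat worth a note in the action that renders this file: `envsubst` expands every `${...}` it finds, so any future statement that uses a literal IAM policy variable such as `${aws:username}` would be mangled unless the substitution is restricted with `envsubst '$AWS_PARTITION $AWS_REGION $AWS_ACCOUNT_ID $CLUSTER_NAME'`.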
Expand Up @@ -212,6 +212,9 @@ Resources:
"StringEquals": {
"aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned",
"aws:RequestTag/topology.kubernetes.io/region": "${AWS::Region}"
},
"StringLike": {
"aws:RequestTag/karpenter.sh/nodeclass": "*"
}
}
},
Expand All @@ -228,6 +231,10 @@ Resources:
"aws:ResourceTag/topology.kubernetes.io/region": "${AWS::Region}",
"aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned",
"aws:RequestTag/topology.kubernetes.io/region": "${AWS::Region}"
},
"StringLike": {
"aws:ResourceTag/karpenter.sh/nodeclass": "*",
"aws:RequestTag/karpenter.sh/nodeclass": "*"
}
}
},
Expand All @@ -244,6 +251,9 @@ Resources:
"StringEquals": {
"aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned",
"aws:ResourceTag/topology.kubernetes.io/region": "${AWS::Region}"
},
"StringLike": {
"aws:ResourceTag/karpenter.sh/nodeclass": "*"
}
}
},
