Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor for clarity #33

Merged
merged 1 commit into from
Sep 14, 2020
Merged

Refactor for clarity #33

merged 1 commit into from
Sep 14, 2020

Conversation

Nuru
Copy link
Sponsor Contributor

@Nuru Nuru commented Sep 13, 2020
edited

breaking changes

Previously, setting enable_cluster_autoscaler = true turned on tagging sufficient for the Kubernetes Cluster Autoscaler to discover and manage the node group, and also added a policy to the node group worker role that allowed the workers to perform the autoscaling function. Since pods by default use the EC2 instance role, which in EKS node groups is the node group worker role, this allowed the Kubernetes Cluster Autoscaler to work from any node, but also allowed any rogue pod to perform autoscaling actions.

With this release, enable_cluster_autoscaler is deprecated and its functions are replaced with 2 new variables:

  • cluster_autoscaler_enabled, when true, causes this module to perform the labeling and tagging needed for the Kubernetes Cluster Autoscaler to discover and manage the node group
  • worker_role_autoscale_iam_enabled, when true, causes this module to add the IAM policy to the worker IAM role to enable the workers (and by default, any pods running on the workers) to perform autoscaling operations

Going forward, we recommend not using enable_cluster_autoscaler (it will eventually be removed) and leaving worker_role_autoscale_iam_enabled at its default value of false. If you want to use the Kubernetes Cluster Autoscaler, set cluster_autoscaler_enabled = true and use EKS IAM roles for service accounts to give the Cluster Autoscaler service account IAM permissions to perform autoscaling operations. Our Terraform module terraform-aws-eks-iam-role is available to help with this.

what

  • Refactor, separating out launch template and IAM parts
  • Rename some things for clarity and consistency
  • Refine random_pet keepers
  • Disable by default the permission for workers to perform autoscaling operations

why

  • main.tf was too complex
  • Cloud Posse standard is for feature selection booleans to be named with _enabled at the end
  • Change in any keepers will cause the node group to be replaced
  • Workers should not be performing autoscaling operations, those should be done only by a specific service account

references

@Nuru Nuru added terraform/0.13 Module requires Terraform 0.13 or later patch A minor, backward compatible change labels Sep 13, 2020
@Nuru Nuru marked this pull request as ready for review September 13, 2020 02:40
@Nuru Nuru requested review from a team as code owners September 13, 2020 02:40
@Nuru Nuru requested review from 3h4x and brcnblc and removed request for a team September 13, 2020 02:40
@Nuru
Copy link
Sponsor Contributor Author

Nuru commented Sep 13, 2020

/test all

@Nuru Nuru merged commit cab5114 into master Sep 14, 2020
@Nuru Nuru deleted the cycle2 branch September 14, 2020 18:25
@Nuru Nuru removed the patch A minor, backward compatible change label Sep 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@osterman osterman osterman approved these changes

@aknysh aknysh aknysh approved these changes

@3h4x 3h4x Awaiting requested review from 3h4x

@brcnblc brcnblc Awaiting requested review from brcnblc

@danjbh danjbh Awaiting requested review from danjbh

@htplbc htplbc Awaiting requested review from htplbc

Assignees
No one assigned
Labels
terraform/0.13 Module requires Terraform 0.13 or later
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Nuru @osterman @aknysh