
AWS: Enable EKS Pod Identity (#6137)
* AWS: Enable EKS Pod Identity

Enable EKS Pod Identity for EKS cluster `k8s-infra-kops-prow-build`.

See: https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

* Bump AWS terraform provider

Bump the provider to get support for EKS Pod Identity

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

* Create AWS Role for EKS Pod Identity

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

* Define namespace and service account for kOps prowjobs.

Create a dedicated namespace for the prowjobs scheduled by prow.k8s.io

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

---------

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
ameukam committed Dec 4, 2023
1 parent ec283fe commit d829056
Showing 6 changed files with 70 additions and 3 deletions.
22 changes: 20 additions & 2 deletions infra/aws/terraform/kops-infra-ci/eks.tf
Expand Up @@ -73,7 +73,7 @@ module "eks" {

eks_managed_node_group_defaults = {
ami_type = "AL2_x86_64"
instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
instance_types = ["m7i.large", "m5.large", "m5n.large", "m5zn.large"]

iam_role_attach_cni_policy = true
}
Expand All @@ -99,7 +99,7 @@ module "eks" {
}

capacity_type = "ON_DEMAND"
instance_types = ["r6i.2xlarge"]
instance_types = ["r7i.2xlarge"]
ami_type = "BOTTLEROCKET_x86_64"
platform = "bottlerocket"

Expand Down Expand Up @@ -142,6 +142,24 @@ module "eks" {
})
}

resource "aws_eks_addon" "eks_pod_identity" {
provider = aws.kops-local-ci

cluster_name = module.eks.cluster_name
addon_name = "eks-pod-identity-agent"
addon_version = "v1.0.0-eksbuild.1"
resolve_conflicts_on_update = "OVERWRITE"
}

resource "aws_eks_pod_identity_association" "kops_prow_build" {
provider = aws.kops-local-ci

cluster_name = module.eks.cluster_name
namespace = "test-pods"
service_account = "prowjob-default-sa"
role_arn = aws_iam_role.eks_pod_identity_role.arn
}


module "vpc_cni_irsa" {
providers = { aws = aws.kops-infra-ci }
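Review bot: The association block `aws_eks_pod_identity_association.kops_prow_build` is created through `aws.kops-local-ci`, while the role it references, `aws_iam_role.eks_pod_identity_role`, is created through `aws.kops-infra-ci` in iam.tf; if those two aliases resolve to different AWS accounts the association will not be accepted, since Pod Identity expects the role to live in the cluster's own account — worth confirming, as only the `kops-local-ci` alias's profile is visible in this commit. The `namespace` and `service_account` values are bare string literals that must match resources/namespace.yaml and resources/sa.yaml exactly, and a mismatch does not fail the apply (the association simply never matches a pod), so a comment such as `# Must match resources/namespace.yaml and resources/sa.yaml` above them would help the next editor. The `instance_types` edits in the first two hunks of this file are unrelated to Pod Identity and are not mentioned in the commit message.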
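--- a/infra/aws/terraform/kops-infra-ci/iam.tf
+++ b/infra/aws/terraform/kops-infra-ci/iam.tf
@@ -53,3 +53,37 @@ resource "aws_iam_role" "google_prow_trust_role" {
 max_session_duration = 43200
 assume_role_policy = data.aws_iam_policy_document.google_prow_trust_policy.json
 }
+
+
+// Leveraging EKS Pod Identity feature allow kOps prowjobs to run E2E tests
+data "aws_iam_policy_document" "eks_pod_identity_policy" {
+provider = aws.kops-infra-ci
+
+statement {
+effect = "Allow"
+
+principals {
+type = "Service"
+identifiers = ["pods.eks.amazonaws.com"]
+}
+
+actions = [
+"sts:AssumeRole",
+"sts:TagSession"
+]
+}
+}
+
+resource "aws_iam_role" "eks_pod_identity_role" {
+provider = aws.kops-infra-ci
+
+name = "EKSPodIdentityRole"
+assume_role_policy = data.aws_iam_policy_document.eks_pod_identity_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "eks_pod_identity_policy" {
+provider = aws.kops-infra-ci
+
+policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+role = aws_iam_role.eks_pod_identity_role.name
+}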
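Review bot: `aws_iam_role_policy_attachment.eks_pod_identity_policy` attaches `AdministratorAccess` to a role whose trust policy lets `pods.eks.amazonaws.com` assume it with no `condition` block, so anything able to run a pod as `prowjob-default-sa` in `test-pods` obtains full administrative rights in the account, and the trust policy does not pin which account or cluster may use the role. At minimum the statement in `eks_pod_identity_policy` should carry the confused-deputy conditions AWS documents for Pod Identity (`aws:SourceAccount`, and `aws:SourceArn` restricted to the cluster ARN), and the attachment should be scoped to what the kOps e2e jobs actually need, or at least bounded with a permissions boundary. The comment above the data source should also record why administrator rights are needed, e.g. `// kOps e2e jobs create and tear down whole clusters (VPCs, IAM, EC2, ...), hence the broad policy; scope down once the required actions are enumerated.`
```hcl
  statement {
    # … unchanged: effect, principals, actions …

    # Confused-deputy guard: limit which account/cluster may assume this role.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["<ACCOUNT_ID>"] # placeholder: the account that owns the EKS cluster
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = ["<EKS_CLUSTER_ARN>"] # placeholder: the cluster's ARN
    }
  }
```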
6 changes: 6 additions & 0 deletions infra/aws/terraform/kops-infra-ci/providers.tf
Expand Up @@ -23,6 +23,12 @@ provider "aws" {
}
}

provider "aws" {
region = "us-east-2"
alias = "kops-local-ci"
profile = "kops-ci"
}

provider "kubernetes" {
host = module.eks.cluster_endpoint
cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
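Review bot: The new `kops-local-ci` alias says nothing about which account or purpose it serves, while eks.tf uses it for the EKS add-on and the Pod Identity association and iam.tf uses `kops-infra-ci` for the role those resources depend on; a comment naming the scope, e.g. `# Cluster-side resources (EKS add-ons, Pod Identity associations) for k8s-infra-kops-prow-build; IAM for this cluster is managed via the kops-infra-ci alias.`, would keep the two from being mixed up. The hard-coded `profile = "kops-ci"` also ties every apply to a locally configured named profile, which is fine for an operator workstation but worth stating if this configuration is meant to run from automation.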
@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-pods
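--- a/infra/aws/terraform/kops-infra-ci/resources/sa.yaml
+++ b/infra/aws/terraform/kops-infra-ci/resources/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: "prowjob-default-sa"
+namespace: "test-pods"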
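Review bot: This ServiceAccount is the principal that `aws_eks_pod_identity_association.kops_prow_build` maps to `aws_iam_role.eks_pod_identity_role`, so creating a pod with `serviceAccountName: prowjob-default-sa` in `test-pods` is equivalent to assuming that role, yet the manifest does not say so and nothing in the commit restricts who may create pods in the namespace. A comment such as `# Bound to the AWS role EKSPodIdentityRole via EKS Pod Identity; pods using this SA receive that role's permissions.` would make the coupling visible to anyone later editing RBAC for `test-pods`.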
2 changes: 1 addition & 1 deletion infra/aws/terraform/kops-infra-ci/terraform.tf
Expand Up @@ -27,7 +27,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.11.0"
version = "~> 5.29.0"
}
}
}
