feat (Karpenter Add-on): v0.35 update, Node Role custom policies, and other fixes #947
Conversation
…o node role only if VPC CNI does not exist
|
@youngjeong46 -- Rather than requiring unverified JSON for the extra node role policies, are we able to add an option to pass in an array of iam ManagedPolicy names (string name to feed to fromAwsManagedPolicyName) as another pathway? |
| // Set up Instance Profile | ||
| const instanceProfileName = md5.Md5.hashStr(stackName+region); | ||
| const karpenterInstanceProfile = new iam.CfnInstanceProfile(cluster, 'karpenter-instance-profile', { | ||
| const karpenterInstanceProfile = new iam.CfnInstanceProfile(clusterInfo.cluster, 'karpenter-instance-profile', { | ||
| roles: [karpenterNodeRole.roleName], | ||
| instanceProfileName: `KarpenterNodeInstanceProfile-${instanceProfileName}`, | ||
| path: '/' | ||
| }); | ||
|
|
There was a problem hiding this comment.
We need to add here:
karpenterInstanceProfile.node.addDependency(karpenterNodeRole);
or else cdk will fail to delete the resource later.
There was a problem hiding this comment.
Actually, a better fix would be to use iam.InstanceProfile, instead of the CfnInstanceProfile.
The name of the profile & cdk item need to both change as part of that sort of change, so you might need to add something to the md5 hash above to ensure unique.
eg.
const instanceProfileName = md5.Md5.hashStr(stackName+region + clusterInfo.cluster.clusterName);
const karpenterInstanceProfile = new iam.CfnInstanceProfile(clusterInfo.cluster, 'karpenter-iam-instance-profile', {
| ], | ||
| const karpenterNodeRole = new iam.Role(clusterInfo.cluster, 'karpenter-node-role', { | ||
| assumedBy: new iam.ServicePrincipal(`ec2.${clusterInfo.cluster.stack.urlSuffix}`), | ||
| managedPolicies: DEFAULT_KARPENTER_NODE_ROLE_POLICIES, |
There was a problem hiding this comment.
Can we allow adding to the list of managed policies here, via the config of the addon?
eg. When using the CloudwatchInsights addon, you need to add:
iam.ManagedPolicy.fromAwsManagedPolicyName("CloudWatchAgentServerPolicy"),
iam.ManagedPolicy.fromAwsManagedPolicyName("AWSXrayWriteOnlyAccess")
Much easier to add 2 lines like that than exporting the entire policy and putting in a folder.
|
@youngjeong46 please take a look when you are back. Since it is addressing a few issues, potentially missing features and update to 0.35. the complexity of the karpenter addon is affecting maintainability of this addon. |
|
@youngjeong46 thank you very much for your effort, if you are doing a refactor would you be able to address the following bug as well: #1039 Thank you. |
Issue #, if available: Fixes #859 #893 #945
Description of changes:
This PR makes the following changes in the Karpenter Add-on:
instanceStorePolicyunder EC2NodeClass not setting correctly when not provided.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.