diff --git a/docs/howto/upgrade-cluster/aws.md b/docs/howto/upgrade-cluster/aws.md index 9333c10984..f8695be4d8 100644 --- a/docs/howto/upgrade-cluster/aws.md +++ b/docs/howto/upgrade-cluster/aws.md @@ -101,26 +101,20 @@ now upgraded. #### 4.2. Upgrade EKS add-ons -As documented in `eksctl`'s documentation[^1], we also need to upgrade three EKS -add-ons managed by `eksctl` (by EKS these are considered self-managed add-ons), -and one declared in our config (by EKS this is considered a managed add-on). - -These upgrades are believed to briefly disrupt networking. +As documented in `eksctl`'s documentation[^2], we also need to upgrade EKS +add-ons. This upgrade is believed to very briefly disrupt networking. ```bash -# upgrade the kube-proxy daemonset (takes ~5s) -eksctl utils update-kube-proxy --config-file=$CLUSTER_NAME.eksctl.yaml --approve - -# upgrade the aws-node daemonset (takes ~5s) -eksctl utils update-aws-node --config-file=$CLUSTER_NAME.eksctl.yaml --approve - -# upgrade the coredns deployment (takes ~5s) -eksctl utils update-coredns --config-file=$CLUSTER_NAME.eksctl.yaml --approve - -# upgrade the aws-ebs-csi-driver addon's deployment and daemonset (takes ~60s) +# upgrade all EKS addons (takes up to a few minutes) eksctl update addon --config-file=$CLUSTER_NAME.eksctl.yaml ``` +```{note} +Since November 2024, the add-ons are systematically installed as EKS managed +add-ons and not self-managed as they were before when `eksctl` installed them +without involving EKS. +``` + #### 4.3. Repeat to upgrade multiple minor versions If you need to upgrade multiple minor versions, repeat the previous steps diff --git a/docs/hub-deployment-guide/new-cluster/new-cluster.md b/docs/hub-deployment-guide/new-cluster/new-cluster.md index 6df9af7f1a..65aa93993e 100644 --- a/docs/hub-deployment-guide/new-cluster/new-cluster.md +++ b/docs/hub-deployment-guide/new-cluster/new-cluster.md 
@@ -712,17 +712,3 @@ kubectl get node
 It should show you the provisioned node on the cluster if everything works out ok.
 ````
 `````
-
-## AWS only: Expandable storage class
-
-The default storage class that is created when we deploy a cluster to AWS does permit auto-expansion of persistent volumes.
-This can cause problems when we want to expand the size of a disk, say used by Prometheus to store metrics data.
-We will therefore patch the default storage class to permite auto-expansion.
-
-```bash
-# Gain k8s access to the cluster
-deployer use-cluster-credentials $CLUSTER_NAME
-
-# Patch the storage class
-kubectl patch storageclass gp2 --patch '{\"allowVolumeExpansion\": true}'
-```
diff --git a/eksctl/2i2c-aws-us.jsonnet b/eksctl/2i2c-aws-us.jsonnet
index c2c9852438..ba1a4797da 100644
--- a/eksctl/2i2c-aws-us.jsonnet
+++ b/eksctl/2i2c-aws-us.jsonnet
@@ -213,6 +213,10 @@ local daskNodes = [
 name: "2i2c-aws-us",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -223,20 +227,48 @@ local daskNodes = [
 // eksctl create addon --config-file=2i2c-aws-us.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/catalystproject-africa.jsonnet b/eksctl/catalystproject-africa.jsonnet
index 789c954ef7..f25fb3890d 100644
--- a/eksctl/catalystproject-africa.jsonnet
+++ b/eksctl/catalystproject-africa.jsonnet
@@ -78,6 +78,10 @@ local daskNodes = [];
 name: "catalystproject-africa",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
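Review bot: The FIXME beside `enableNetworkPolicy: "false"` records that enabling enforcement failed but not what the setting costs: with the VPC CNI's network policy agent off, any Kubernetes NetworkPolicy object on these clusters is accepted by the API server but, unless some other policy engine is installed, never enforced. I would state that in the comment so nobody relies on a policy that is inert, e.g. `# NOTE: while this is "false", k8s NetworkPolicy resources are NOT enforced on this cluster; re-enabling is tracked in <tracking-issue>`. The same block, and so the same comment, is repeated in the catalystproject-africa, earthscope, gridsst, jupyter-health, jupyter-meets-the-earth, kitware, nasa-cryo, nasa-ghg, nasa-veda, openscapes and opensci hunks. Separately, `version: "latest"` on every add-on means each `eksctl update addon` run resolves to whatever EKS publishes at that moment, so two clusters upgraded a week apart can land on different add-on builds with no record of which; pinning an explicit add-on version per file (or at least recording the resolved one) would make rollback and audit possible. The `defaultStorageClass: enabled: true` on aws-ebs-csi-driver presumably creates a second default StorageClass next to the gp2 one EKS ships if that still carries the default annotation — worth confirming on an existing cluster before the next apply.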
@@ -88,20 +92,48 @@ local daskNodes = [];
 // eksctl create addon --config-file=catalystproject-africa.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/earthscope.jsonnet b/eksctl/earthscope.jsonnet
index 0ff252182a..a9b0340f4c 100644
--- a/eksctl/earthscope.jsonnet
+++ b/eksctl/earthscope.jsonnet
@@ -117,6 +117,7 @@ local daskNodes = [
 version: "1.30",
 tags+: {
 "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
 "earthscope:application:name": "geolab",
 "earthscope:application:owner": "research-onramp-to-the-cloud"
 },
@@ -130,20 +131,48 @@ local daskNodes = [
 // eksctl create addon --config-file=earthscope.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/gridsst.jsonnet b/eksctl/gridsst.jsonnet
index efa35edb23..4dcbf2296b 100644
--- a/eksctl/gridsst.jsonnet
+++ b/eksctl/gridsst.jsonnet
@@ -74,6 +74,10 @@ local daskNodes = [
 name: "gridsst",
 region: clusterRegion,
 version: "1.29",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -84,20 +88,48 @@ local daskNodes = [
 // eksctl create addon --config-file=gridsst.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/jupyter-health.jsonnet b/eksctl/jupyter-health.jsonnet
index 3474a54f01..71856b4b52 100644
--- a/eksctl/jupyter-health.jsonnet
+++ b/eksctl/jupyter-health.jsonnet
@@ -39,6 +39,10 @@ local daskNodes = [];
 name: "jupyter-health",
 region: clusterRegion,
 version: "1.29",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -49,20 +53,48 @@ local daskNodes = [];
 // eksctl create addon --config-file=jupyter-health.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/jupyter-meets-the-earth.jsonnet b/eksctl/jupyter-meets-the-earth.jsonnet
index 0f2949f1f9..41186f4b43 100644
--- a/eksctl/jupyter-meets-the-earth.jsonnet
+++ b/eksctl/jupyter-meets-the-earth.jsonnet
@@ -210,6 +210,10 @@ local daskNodes = [
 name: "jupyter-meets-the-earth",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -220,20 +224,48 @@ local daskNodes = [
 // eksctl create addon --config-file=jupyter-meets-the-earth.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/kitware.jsonnet b/eksctl/kitware.jsonnet
index 0abe031d88..312e4f40b3 100644
--- a/eksctl/kitware.jsonnet
+++ b/eksctl/kitware.jsonnet
@@ -102,6 +102,10 @@ local daskNodes = [];
 name: "kitware",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -112,20 +116,48 @@ local daskNodes = [];
 // eksctl create addon --config-file=kitware.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/nasa-cryo.jsonnet b/eksctl/nasa-cryo.jsonnet
index 5046edac8b..b52f23cccd 100644
--- a/eksctl/nasa-cryo.jsonnet
+++ b/eksctl/nasa-cryo.jsonnet
@@ -116,6 +116,10 @@ local daskNodes = [
 name: "nasa-cryo",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -126,20 +130,48 @@ local daskNodes = [
 // eksctl create addon --config-file=nasa-cryo.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/nasa-ghg.jsonnet b/eksctl/nasa-ghg.jsonnet
index eccc34179c..6f5f3e6d20 100644
--- a/eksctl/nasa-ghg.jsonnet
+++ b/eksctl/nasa-ghg.jsonnet
@@ -84,6 +84,10 @@ local daskNodes = [
 name: "nasa-ghg-hub",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -94,20 +98,48 @@ local daskNodes = [
 // eksctl create addon --config-file=nasa-ghg.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/nasa-veda.jsonnet b/eksctl/nasa-veda.jsonnet
index 2940536722..bc8cfbcb7a 100644
--- a/eksctl/nasa-veda.jsonnet
+++ b/eksctl/nasa-veda.jsonnet
@@ -134,6 +134,10 @@ local daskNodes = [
 name: "nasa-veda",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -144,20 +148,48 @@ local daskNodes = [
 // eksctl create addon --config-file=nasa-veda.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/nmfs-openscapes.jsonnet b/eksctl/nmfs-openscapes.jsonnet
index 0b16b29b34..9a780d8fff 100644
--- a/eksctl/nmfs-openscapes.jsonnet
+++ b/eksctl/nmfs-openscapes.jsonnet
@@ -89,18 +89,26 @@ local daskNodes = [];
 { version: "latest", tags: $.metadata.tags } + addon
 for addon in
 [
+ { name: "coredns" },
+ { name: "kube-proxy" },
 {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
 name: "vpc-cni",
- # FIXME: network policy enforcement doesn't work, what's wrong
- # isn't clear.
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
 # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
 configurationValues: |||
- enableNetworkPolicy: "true"
+ enableNetworkPolicy: "false"
 |||,
- attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
 },
- { name: "coredns" },
- { name: "kube-proxy" },
 {
 // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
 // couple to AWS EBS based storage, without it expect to see pods
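Review bot: Flipping `enableNetworkPolicy` from `"true"` to `"false"` on nmfs-openscapes silently stops the VPC CNI from enforcing any NetworkPolicy objects already present on that cluster once the add-on is updated, and nothing in the hunk records that this is a deliberate reduction in isolation rather than a cleanup. If enforcement was in fact active despite the old FIXME, I would confirm that no workload on this cluster relies on those policies before merging, and leave the decision next to the flag, e.g. `# NOTE: was "true" until <date>; "false" means existing NetworkPolicy objects on this cluster are no longer enforced`. It would also help a future reader if the FIXME said what "didn't work" meant — the agent failing to start versus policies not taking effect — since that decides whether this is a bug to chase upstream or a configuration gap on our side.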
diff --git a/eksctl/openscapes.jsonnet b/eksctl/openscapes.jsonnet
index 14b1326aa0..8710599cb7 100644
--- a/eksctl/openscapes.jsonnet
+++ b/eksctl/openscapes.jsonnet
@@ -119,6 +119,10 @@ local daskNodes = [
 name: "openscapeshub",
 region: clusterRegion,
 version: "1.29",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -129,20 +133,48 @@ local daskNodes = [
 // eksctl create addon --config-file=openscapes.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/opensci.jsonnet b/eksctl/opensci.jsonnet
index 89b27022d3..96537b1753 100644
--- a/eksctl/opensci.jsonnet
+++ b/eksctl/opensci.jsonnet
@@ -143,6 +143,10 @@ local daskNodes = [
 name: "opensci",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -153,20 +157,48 @@ local daskNodes = [
 // eksctl create addon --config-file=opensci.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/projectpythia.jsonnet b/eksctl/projectpythia.jsonnet
index 95f564e649..d5b97283d9 100644
--- a/eksctl/projectpythia.jsonnet
+++ b/eksctl/projectpythia.jsonnet
@@ -51,6 +51,10 @@ local daskNodes = [];
 name: "projectpythia",
 region: clusterRegion,
 version: "1.29",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -61,20 +65,48 @@ local daskNodes = [];
 // eksctl create addon --config-file=projectpythia.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/smithsonian.jsonnet b/eksctl/smithsonian.jsonnet
index c19cab725d..edc61ad97c 100644
--- a/eksctl/smithsonian.jsonnet
+++ b/eksctl/smithsonian.jsonnet
@@ -114,6 +114,10 @@ local daskNodes = [
 name: "smithsonian",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -124,20 +128,48 @@ local daskNodes = [
 // eksctl create addon --config-file=smithsonian.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/strudel.jsonnet b/eksctl/strudel.jsonnet
index 48494b1046..cbe43b98e7 100644
--- a/eksctl/strudel.jsonnet
+++ b/eksctl/strudel.jsonnet
@@ -89,18 +89,26 @@ local daskNodes = [];
 { version: "latest", tags: $.metadata.tags } + addon
 for addon in
 [
+ { name: "coredns" },
+ { name: "kube-proxy" },
 {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
 name: "vpc-cni",
- # FIXME: network policy enforcement doesn't work, what's wrong
- # isn't clear.
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
 # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
 configurationValues: |||
- enableNetworkPolicy: "true"
+ enableNetworkPolicy: "false"
 |||,
- attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
 },
- { name: "coredns" },
- { name: "kube-proxy" },
 {
 // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
 // couple to AWS EBS based storage, without it expect to see pods
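Review bot: `- enableNetworkPolicy: "true"` / `+ enableNetworkPolicy: "false"` is a security regression rather than a cleanup: on strudel enforcement was configured on, and after the next `eksctl update addon` any NetworkPolicy in that cluster stops being enforced by the CNI, while the same flip in template.jsonnet (next hunk) makes every future cluster start without enforcement. Before rolling this out I'd list what currently depends on it, `kubectl get networkpolicy -A`, and record the result next to the FIXME so the rollback path is known. The FIXME should also say where the failure is tracked and what the setting currently costs, e.g. `# FIXME: enabling network policy enforcement didn't work as of August 2024, see <tracking issue URL>; until fixed, NetworkPolicy resources are not enforced.` Moving `attachPolicyARNs` above the comment is a pure reorder and fine.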
diff --git a/eksctl/template.jsonnet b/eksctl/template.jsonnet
index 9e365a1a9f..a5ce2bdd2b 100644
--- a/eksctl/template.jsonnet
+++ b/eksctl/template.jsonnet
@@ -87,18 +87,26 @@ local daskNodes = [];
 { version: "latest", tags: $.metadata.tags } + addon
 for addon in
 [
+ { name: "coredns" },
+ { name: "kube-proxy" },
 {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
 name: "vpc-cni",
- # FIXME: network policy enforcement doesn't work, what's wrong
- # isn't clear.
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
 # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
 configurationValues: |||
- enableNetworkPolicy: "true"
+ enableNetworkPolicy: "false"
 |||,
- attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
 },
- { name: "coredns" },
- { name: "kube-proxy" },
 {
 // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
 // couple to AWS EBS based storage, without it expect to see pods
diff --git a/eksctl/ubc-eoas.jsonnet b/eksctl/ubc-eoas.jsonnet
index 489b41f0fc..930da80cd6 100644
--- a/eksctl/ubc-eoas.jsonnet
+++ b/eksctl/ubc-eoas.jsonnet
@@ -84,6 +84,10 @@ local daskNodes = [];
 name: "ubc-eoas",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -94,20 +98,48 @@ local daskNodes = [];
 // eksctl create addon --config-file=ubc-eoas.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in
diff --git a/eksctl/victor.jsonnet b/eksctl/victor.jsonnet
index ef47109b21..ffe881c5cf 100644
--- a/eksctl/victor.jsonnet
+++ b/eksctl/victor.jsonnet
@@ -126,6 +126,10 @@ local daskNodes = [
 name: "victor",
 region: clusterRegion,
 version: "1.30",
+ tags+: {
+ "ManagedBy": "2i2c",
+ "2i2c.org/cluster-name": $.metadata.name,
+ },
 },
 availabilityZones: masterAzs,
 iam: {
@@ -136,20 +140,48 @@ local daskNodes = [
 // eksctl create addon --config-file=victor.eksctl.yaml
 //
 addons: [
- {
- // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
- // couple to AWS EBS based storage, without it expect to see pods
- // mounting a PVC failing to schedule and PVC resources that are
- // unbound.
- //
- // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
- //
- name: 'aws-ebs-csi-driver',
- version: "latest",
- wellKnownPolicies: {
- ebsCSIController: true,
+ { version: "latest", tags: $.metadata.tags } + addon
+ for addon in
+ [
+ { name: "coredns" },
+ { name: "kube-proxy" },
+ {
+ // vpc-cni is a Amazon maintained container networking interface
+ // (CNI), where a CNI is required for k8s networking. The aws-node
+ // DaemonSet in kube-system stems from installing this.
+ //
+ // Related docs: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
+ //
+ name: "vpc-cni",
+ attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
+ # FIXME: enabling network policy enforcement didn't work as of
+ # August 2024, what's wrong isn't clear.
+ #
+ # configurationValues ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/HEAD/charts/aws-vpc-cni/values.yaml
+ configurationValues: |||
+ enableNetworkPolicy: "false"
+ |||,
 },
- },
+ {
+ // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that
+ // couple to AWS EBS based storage, without it expect to see pods
+ // mounting a PVC failing to schedule and PVC resources that are
+ // unbound.
+ //
+ // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html
+ //
+ name: "aws-ebs-csi-driver",
+ wellKnownPolicies: {
+ ebsCSIController: true,
+ },
+ # configurationValues ref: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/HEAD/charts/aws-ebs-csi-driver/values.yaml
+ configurationValues: |||
+ defaultStorageClass:
+ enabled: true
+ |||,
+ },
+ ]
 ],
 nodeGroups: [
 n + {clusterName: $.metadata.name} for n in