chore(eks): add alb-controller v2.3.1 (aws#18147)
Add [alb-controller v2.3.1](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.3.1).
The content of `packages/@aws-cdk/aws-eks/lib/addons/alb-iam_policy-v2.3.1.json` comes from [here](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.3.1/docs/install/iam_policy.json).

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
kirintwn authored and TikiTDO committed Feb 21, 2022
1 parent 461519d commit 77184a6
Showing 9 changed files with 232 additions and 10 deletions.
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-eks/README.md
Expand Up @@ -539,7 +539,7 @@ To deploy the controller on your EKS cluster, configure the `albController` prop
new eks.Cluster(this, 'HelloEKS', {
version: eks.KubernetesVersion.V1_21,
albController: {
version: eks.AlbControllerVersion.V2_3_0,
version: eks.AlbControllerVersion.V2_3_1,
},
});
```
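--- /dev/null
+++ b/packages/@aws-cdk/aws-eks/lib/addons/alb-iam_policy-v2.3.1.json
@@ -0,0 +1,217 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": "iam:CreateServiceLinkedRole",
+"Resource": "*",
+"Condition": {
+"StringEquals": {
+"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DescribeAccountAttributes",
+"ec2:DescribeAddresses",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeVpcs",
+"ec2:DescribeVpcPeeringConnections",
+"ec2:DescribeSubnets",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeInstances",
+"ec2:DescribeNetworkInterfaces",
+"ec2:DescribeTags",
+"ec2:GetCoipPoolUsage",
+"ec2:DescribeCoipPools",
+"elasticloadbalancing:DescribeLoadBalancers",
+"elasticloadbalancing:DescribeLoadBalancerAttributes",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeListenerCertificates",
+"elasticloadbalancing:DescribeSSLPolicies",
+"elasticloadbalancing:DescribeRules",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:DescribeTargetGroupAttributes",
+"elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:DescribeTags"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"cognito-idp:DescribeUserPoolClient",
+"acm:ListCertificates",
+"acm:DescribeCertificate",
+"iam:ListServerCertificates",
+"iam:GetServerCertificate",
+"waf-regional:GetWebACL",
+"waf-regional:GetWebACLForResource",
+"waf-regional:AssociateWebACL",
+"waf-regional:DisassociateWebACL",
+"wafv2:GetWebACL",
+"wafv2:GetWebACLForResource",
+"wafv2:AssociateWebACL",
+"wafv2:DisassociateWebACL",
+"shield:GetSubscriptionState",
+"shield:DescribeProtection",
+"shield:CreateProtection",
+"shield:DeleteProtection"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateSecurityGroup"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"StringEquals": {
+"ec2:CreateAction": "CreateSecurityGroup"
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags",
+"ec2:DeleteTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:DeleteSecurityGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateLoadBalancer",
+"elasticloadbalancing:CreateTargetGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateListener",
+"elasticloadbalancing:DeleteListener",
+"elasticloadbalancing:CreateRule",
+"elasticloadbalancing:DeleteRule"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:ModifyLoadBalancerAttributes",
+"elasticloadbalancing:SetIpAddressType",
+"elasticloadbalancing:SetSecurityGroups",
+"elasticloadbalancing:SetSubnets",
+"elasticloadbalancing:DeleteLoadBalancer",
+"elasticloadbalancing:ModifyTargetGroup",
+"elasticloadbalancing:ModifyTargetGroupAttributes",
+"elasticloadbalancing:DeleteTargetGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:DeregisterTargets"
+],
+"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:SetWebAcl",
+"elasticloadbalancing:ModifyListener",
+"elasticloadbalancing:AddListenerCertificates",
+"elasticloadbalancing:RemoveListenerCertificates",
+"elasticloadbalancing:ModifyRule"
+],
+"Resource": "*"
+}
+]
+}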
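Review bot: The statement that grants `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` on `"Resource": "*"` has no `Condition`, so the later statement allowing the same two actions only when `aws:ResourceTag/elbv2.k8s.aws/cluster` is present adds nothing for them. As written, this policy lets the role change ingress rules on any security group in the account, not only groups the controller tagged. The unconditioned `wafv2:DisassociateWebACL`, `waf-regional:DisassociateWebACL` and `shield:DeleteProtection` grants are similarly account-wide, so a compromised controller pod could detach protections from resources it does not manage. The description says this file is a verbatim copy of the upstream v2.3.1 policy, and the broad ingress grant is presumably needed for node security groups the controller did not create, so I would leave the JSON as is. Instead I would state the scope where users pick the version, for example in the README next to the `albController` example: `The controller's IAM policy allows changing ingress rules on any security group and detaching WAF/Shield protections account-wide; review it before enabling the controller in a shared account.`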
5 changes: 5 additions & 0 deletions packages/@aws-cdk/aws-eks/lib/alb-controller.ts
Expand Up @@ -77,6 +77,11 @@ export class AlbControllerVersion {
*/
public static readonly V2_3_0 = new AlbControllerVersion('v2.3.0', false);

/**
* v2.3.1
*/
public static readonly V2_3_1 = new AlbControllerVersion('v2.3.1', false);

/**
* Specify a custom version.
* Use this if the version you need is not available in one of the predefined versions.
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-eks/test/alb-controller.test.ts
Expand Up @@ -36,7 +36,7 @@ test('can configure a custom repository', () => {

AlbController.create(stack, {
cluster,
version: AlbControllerVersion.V2_3_0,
version: AlbControllerVersion.V2_3_1,
repository: 'custom',
});

Expand All @@ -53,7 +53,7 @@ test('can configure a custom repository', () => {
{
Ref: 'ClusterDefaultVpcFA9F2722',
},
'","image":{"repository":"custom","tag":"v2.3.0"}}',
'","image":{"repository":"custom","tag":"v2.3.1"}}',
],
],
},
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-eks/test/cluster.test.ts
Expand Up @@ -28,7 +28,7 @@ describe('cluster', () => {
const cluster = new eks.Cluster(stack, 'Cluster', {
version: CLUSTER_VERSION,
albController: {
version: eks.AlbControllerVersion.V2_3_0,
version: eks.AlbControllerVersion.V2_3_1,
},
});

Expand Up @@ -1678,7 +1678,7 @@
{
"Ref": "Vpc8378EB38"
},
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.0\"}}"
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.1\"}}"
]
]
},
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-eks/test/integ.alb-controller.ts
Expand Up @@ -19,7 +19,7 @@ class EksClusterAlbControllerStack extends TestStack {
vpc,
version: eks.KubernetesVersion.V1_21,
albController: {
version: eks.AlbControllerVersion.V2_3_0,
version: eks.AlbControllerVersion.V2_3_1,
},
});

Expand Down Expand Up @@ -59,4 +59,4 @@ class EksClusterAlbControllerStack extends TestStack {

const app = new App();
new EksClusterAlbControllerStack(app, 'aws-cdk-eks-cluster-alb-controller-test');
app.synth();
app.synth();
Expand Up @@ -2043,7 +2043,7 @@
{
"Ref": "Vpc8378EB38"
},
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.0\"}}"
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.1\"}}"
]
]
},
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-eks/test/integ.eks-inference.ts
Expand Up @@ -16,7 +16,7 @@ class EksClusterInferenceStack extends TestStack {
vpc,
version: eks.KubernetesVersion.V1_21,
albController: {
version: eks.AlbControllerVersion.V2_3_0,
version: eks.AlbControllerVersion.V2_3_1,
},
});

Expand All @@ -29,4 +29,4 @@ class EksClusterInferenceStack extends TestStack {

const app = new App();
new EksClusterInferenceStack(app, 'aws-cdk-eks-cluster-inference-test');
app.synth();
app.synth();
