diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md
index 1f0840d64a851..1403e56d817fe 100644
--- a/packages/@aws-cdk/aws-eks/README.md
+++ b/packages/@aws-cdk/aws-eks/README.md
@@ -539,7 +539,7 @@ To deploy the controller on your EKS cluster, configure the `albController` prop
 new eks.Cluster(this, 'HelloEKS', {
 version: eks.KubernetesVersion.V1_21,
 albController: {
- version: eks.AlbControllerVersion.V2_3_0,
+ version: eks.AlbControllerVersion.V2_3_1,
 },
 });
 ```
diff --git a/packages/@aws-cdk/aws-eks/lib/addons/alb-iam_policy-v2.3.1.json b/packages/@aws-cdk/aws-eks/lib/addons/alb-iam_policy-v2.3.1.json
new file mode 100644
index 0000000000000..4e6e4dee8988f
--- /dev/null
+++ b/packages/@aws-cdk/aws-eks/lib/addons/alb-iam_policy-v2.3.1.json
@@ -0,0 +1,217 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "iam:CreateServiceLinkedRole",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeTags",
+ "ec2:GetCoipPoolUsage",
+ "ec2:DescribeCoipPools",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeListenerCertificates",
+ "elasticloadbalancing:DescribeSSLPolicies",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeTargetGroupAttributes",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:DescribeTags"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cognito-idp:DescribeUserPoolClient",
+ "acm:ListCertificates",
+ "acm:DescribeCertificate",
+ "iam:ListServerCertificates",
+ "iam:GetServerCertificate",
+ "waf-regional:GetWebACL",
+ "waf-regional:GetWebACLForResource",
+ "waf-regional:AssociateWebACL",
+ "waf-regional:DisassociateWebACL",
+ "wafv2:GetWebACL",
+ "wafv2:GetWebACLForResource",
+ "wafv2:AssociateWebACL",
+ "wafv2:DisassociateWebACL",
+ "shield:GetSubscriptionState",
+ "shield:DescribeProtection",
+ "shield:CreateProtection",
+ "shield:DeleteProtection"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateSecurityGroup"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags"
+ ],
+ "Resource": "arn:aws:ec2:*:*:security-group/*",
+ "Condition": {
+ "StringEquals": {
+ "ec2:CreateAction": "CreateSecurityGroup"
+ },
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Resource": "arn:aws:ec2:*:*:security-group/*",
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:DeleteSecurityGroup"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Null": {
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateTargetGroup"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:CreateRule",
+ "elasticloadbalancing:DeleteRule"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:RemoveTags"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:RemoveTags"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:SetIpAddressType",
+ "elasticloadbalancing:SetSecurityGroups",
+ "elasticloadbalancing:SetSubnets",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:ModifyTargetGroupAttributes",
+ "elasticloadbalancing:DeleteTargetGroup"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Null": {
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:RegisterTargets",
+ "elasticloadbalancing:DeregisterTargets"
+ ],
+ "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:SetWebAcl",
+ "elasticloadbalancing:ModifyListener",
+ "elasticloadbalancing:AddListenerCertificates",
+ "elasticloadbalancing:RemoveListenerCertificates",
+ "elasticloadbalancing:ModifyRule"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/packages/@aws-cdk/aws-eks/lib/alb-controller.ts b/packages/@aws-cdk/aws-eks/lib/alb-controller.ts
index 69418e24bfd57..7841f581990c2 100644
--- a/packages/@aws-cdk/aws-eks/lib/alb-controller.ts
+++ b/packages/@aws-cdk/aws-eks/lib/alb-controller.ts
@@ -77,6 +77,11 @@ export class AlbControllerVersion {
 */
 public static readonly V2_3_0 = new AlbControllerVersion('v2.3.0', false);
 
+ /**
+ * v2.3.1
+ */
+ public static readonly V2_3_1 = new AlbControllerVersion('v2.3.1', false);
+
 /**
 * Specify a custom version.
 * Use this if the version you need is not available in one of the predefined versions.
diff --git a/packages/@aws-cdk/aws-eks/test/alb-controller.test.ts b/packages/@aws-cdk/aws-eks/test/alb-controller.test.ts
index 6b5ba464a69a5..7a1720a93f844 100644
--- a/packages/@aws-cdk/aws-eks/test/alb-controller.test.ts
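Review bot: Every scoped resource ARN in this policy hard-codes the `aws` partition (`arn:aws:ec2:*:*:security-group/*`, `arn:aws:elasticloadbalancing:*:*:targetgroup/*/*`, the `loadbalancer/`, `listener/` and `listener-rule/` entries), so the tag-conditioned CreateTags/DeleteTags, AddTags/RemoveTags and RegisterTargets statements will not match any resource in the `aws-cn` or `aws-us-gov` partitions unless the code that attaches this document rewrites the partition first, which this diff does not show. If the file is intentionally a verbatim copy of the upstream controller's release policy, say so in a comment at the point where it is loaded rather than editing the JSON, and add a synth test in a non-`aws` partition so the behaviour is pinned either way. Reviewers should also be aware that the `ec2:AuthorizeSecurityGroupIngress`/`ec2:RevokeSecurityGroupIngress` statement, the `ec2:CreateSecurityGroup` statement and the `elasticloadbalancing:CreateListener`/`DeleteListener`/`CreateRule`/`DeleteRule` statement grant `"Resource": "*"` with no `elbv2.k8s.aws/cluster` tag condition, so the controller's role is not confined to resources it created for those actions; that is worth a sentence in the README section that documents `albController`, since JSON offers no place for the comment.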
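Review bot: The doc comment on the new `V2_3_1` constant is only the bare version string, and nothing in the hunk ties the constant to the `lib/addons/alb-iam_policy-v2.3.1.json` document added in the same commit; if the policy file is resolved from the version string (inferred — the lookup lives outside this hunk), a naming mismatch would surface only at deploy time as a missing or stale policy. Suggest `/** v2.3.1 — IAM policy: lib/addons/alb-iam_policy-v2.3.1.json */` so the pairing is visible next to the constant, and a unit test that asserts the role policy synthesized for `V2_3_1` is the v2.3.1 document, since every test changed in this commit checks only the image tag. The `AlbControllerVersion` class continues outside the hunk.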
+++ b/packages/@aws-cdk/aws-eks/test/alb-controller.test.ts
@@ -36,7 +36,7 @@ test('can configure a custom repository', () => {
 
 AlbController.create(stack, {
 cluster,
- version: AlbControllerVersion.V2_3_0,
+ version: AlbControllerVersion.V2_3_1,
 repository: 'custom',
 });
 
@@ -53,7 +53,7 @@ test('can configure a custom repository', () => {
 {
 Ref: 'ClusterDefaultVpcFA9F2722',
 },
- '","image":{"repository":"custom","tag":"v2.3.0"}}',
+ '","image":{"repository":"custom","tag":"v2.3.1"}}',
 ],
 ],
 },
diff --git a/packages/@aws-cdk/aws-eks/test/cluster.test.ts b/packages/@aws-cdk/aws-eks/test/cluster.test.ts
index 5520d86d532ef..e3c32b1e345c2 100644
--- a/packages/@aws-cdk/aws-eks/test/cluster.test.ts
+++ b/packages/@aws-cdk/aws-eks/test/cluster.test.ts
@@ -28,7 +28,7 @@ describe('cluster', () => {
 const cluster = new eks.Cluster(stack, 'Cluster', {
 version: CLUSTER_VERSION,
 albController: {
- version: eks.AlbControllerVersion.V2_3_0,
+ version: eks.AlbControllerVersion.V2_3_1,
 },
 });
 
diff --git a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json
index 3c59987aa297b..9d6734c074f69 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json
+++ b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json
@@ -1678,7 +1678,7 @@
 {
 "Ref": "Vpc8378EB38"
 },
- "\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.0\"}}"
+ "\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.1\"}}"
 ]
 ]
 },
diff --git a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.ts b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.ts
index ffa49a586eb6e..2fdd7ef81899b 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.ts
+++ b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.ts
@@ -19,7 +19,7 @@ class EksClusterAlbControllerStack extends TestStack {
 vpc,
 version: eks.KubernetesVersion.V1_21,
 albController: {
- version: eks.AlbControllerVersion.V2_3_0,
+ version: eks.AlbControllerVersion.V2_3_1,
 },
 });
 
@@ -59,4 +59,4 @@ class EksClusterAlbControllerStack extends TestStack {
 
 const app = new App();
 new EksClusterAlbControllerStack(app, 'aws-cdk-eks-cluster-alb-controller-test');
-app.synth();
\ No newline at end of file
+app.synth();
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-inference.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-inference.expected.json
index 972f83bf64253..5c109d1e3db26 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-inference.expected.json
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-inference.expected.json
@@ -2043,7 +2043,7 @@
 {
 "Ref": "Vpc8378EB38"
 },
- "\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.0\"}}"
+ "\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.1\"}}"
 ]
 ]
 },
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-inference.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-inference.ts
index 7be581bce75ef..13057cdaadbfa 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-inference.ts
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-inference.ts
@@ -16,7 +16,7 @@ class EksClusterInferenceStack extends TestStack {
 vpc,
 version: eks.KubernetesVersion.V1_21,
 albController: {
- version: eks.AlbControllerVersion.V2_3_0,
+ version: eks.AlbControllerVersion.V2_3_1,
 },
 });
 
@@ -29,4 +29,4 @@ class EksClusterInferenceStack extends TestStack {
 
 const app = new App();
 new EksClusterInferenceStack(app, 'aws-cdk-eks-cluster-inference-test');
-app.synth();
\ No newline at end of file
+app.synth();