Merge remote-tracking branch 'origin/master' into benisrae/eks-deprec…

…ate-kubectl-disabled
aws · Aug 6, 2020 · 369c8c5 · 369c8c5
2 parents 281b1b5 + b80c271
commit 369c8c5
Show file tree

Hide file tree

Showing 10 changed files with 262 additions and 102 deletions.
diff --git a/packages/@aws-cdk/aws-batch/README.md b/packages/@aws-cdk/aws-batch/README.md
@@ -138,6 +138,36 @@ Below is an example:
 const computeEnv = batch.ComputeEnvironment.fromComputeEnvironmentArn(this, 'imported-compute-env', 'arn:aws:batch:us-east-1:555555555555:compute-environment/My-Compute-Env');
 ```
 
+### Change the baseline AMI of the compute resources
+
+Ocassionally, you will need to deviate from the default processing AMI.
+
+ECS Optimized Amazon Linux 2 example:
+
+```ts
+const myComputeEnv = new batch.ComputeEnvironment(this, 'ComputeEnv', {
+  computeResources: {
+    image: new ecs.EcsOptimizedAmi({
+      generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
+    }),
+    vpc,
+  }
+});
+```
+
+Custom based AMI example:
+
+```ts
+const myComputeEnv = new batch.ComputeEnvironment(this, 'ComputeEnv', {
+  computeResources: {
+    image: ec2.MachineImage.genericLinux({
+      "[aws-region]": "[ami-ID]",
+    })
+    vpc,
+  }
+});
+```
+
 ## Job Queue
 
 Jobs are always submitted to a specific queue. This means that you have to create a queue before you can start submitting jobs. Each queue is mapped to at least one (and no more than three) compute environment. When the job is scheduled for execution, AWS Batch will select the compute environment based on ordinal priority and available capacity in each environment.

diff --git a/packages/@aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts b/packages/@aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts
@@ -42,6 +42,13 @@ export interface ApplicationLoadBalancedServiceBaseProps {
    */
   readonly publicLoadBalancer?: boolean;
 
+  /**
+   * Determines whether or not the Security Group for the Load Balancer's Listener will be open to all traffic by default.
+   *
+   * @default true -- The security group allows ingress from all IP addresses.
+   */
+  readonly openListener?: boolean;
+
   /**
    * The desired number of instantiations of the task definition to keep running on the service.
    * The minimum value is 1
@@ -323,7 +330,7 @@ export abstract class ApplicationLoadBalancedServiceBase extends cdk.Construct {
     this.listener = loadBalancer.addListener('PublicListener', {
       protocol,
       port: props.listenerPort,
-      open: true,
+      open: props.openListener ?? true,
     });
     this.targetGroup = this.listener.addTargets('ECS', targetProps);
 

diff --git a/packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.l3s.ts b/packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.l3s.ts
@@ -1,4 +1,4 @@
-import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
+import { arrayWith, expect, haveResource, haveResourceLike, objectLike } from '@aws-cdk/assert';
 import { Certificate } from '@aws-cdk/aws-certificatemanager';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as ecs from '@aws-cdk/aws-ecs';
@@ -1048,4 +1048,58 @@ export = {
 
     test.done();
   },
+
+  'test ECS loadbalanced construct default/open security group'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+    const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+    cluster.addCapacity('DefaultAutoScalingGroup', { instanceType: new ec2.InstanceType('t2.micro') });
+
+    // WHEN
+    new ecsPatterns.ApplicationLoadBalancedEc2Service(stack, 'Service', {
+      cluster,
+      memoryReservationMiB: 1024,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+      },
+    });
+
+    // THEN - Stack contains no ingress security group rules
+    expect(stack).to(haveResourceLike('AWS::EC2::SecurityGroup', {
+      SecurityGroupIngress: [{
+        CidrIp: '0.0.0.0/0',
+        FromPort: 80,
+        IpProtocol: 'tcp',
+        ToPort: 80,
+      }],
+    }));
+
+    test.done();
+  },
+
+  'test ECS loadbalanced construct closed security group'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+    const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+    cluster.addCapacity('DefaultAutoScalingGroup', { instanceType: new ec2.InstanceType('t2.micro') });
+
+    // WHEN
+    new ecsPatterns.ApplicationLoadBalancedEc2Service(stack, 'Service', {
+      cluster,
+      memoryReservationMiB: 1024,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+      },
+      openListener: false,
+    });
+
+    // THEN - Stack contains no ingress security group rules
+    expect(stack).notTo(haveResourceLike('AWS::EC2::SecurityGroup', {
+      SecurityGroupIngress: arrayWith(objectLike({})),
+    }));
+
+    test.done();
+  },
 };
diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md
@@ -1,4 +1,5 @@
 ## Amazon EKS Construct Library
+
 <!--BEGIN STABILITY BANNER-->
 ---
 
@@ -29,6 +30,7 @@ const cluster = new eks.Cluster(this, 'hello-eks', {
   version: eks.KubernetesVersion.V1_16,
 });
 
+// apply a kubernetes manifest to the cluster
 cluster.addResource('mypod', {
   apiVersion: 'v1',
   kind: 'Pod',
@@ -45,6 +47,46 @@ cluster.addResource('mypod', {
 });
 ```
 
+In order to interact with your cluster through `kubectl`, you can use the `aws
+eks update-kubeconfig` [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/eks/update-kubeconfig.html) command
+to configure your local kubeconfig.
+
+The EKS module will define a CloudFormation output in your stack which contains
+the command to run. For example:
+
+```
+Outputs:
+ClusterConfigCommand43AAE40F = aws eks update-kubeconfig --name cluster-xxxxx --role-arn arn:aws:iam::112233445566:role/yyyyy
+```
+
+> The IAM role specified in this command is called the "**masters role**". This is
+> an IAM role that is associated with the `system:masters` [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) 
+> group and has super-user access to the cluster.
+>
+> You can specify this role using the `mastersRole` option, or otherwise a role will be 
+> automatically created for you. This role can be assumed by anyone in the account with
+> `sts:AssumeRole` permissions for this role.
+
+Execute the `aws eks update-kubeconfig ...` command in your terminal to create a
+local kubeconfig:
+
+```console
+$ aws eks update-kubeconfig --name cluster-xxxxx --role-arn arn:aws:iam::112233445566:role/yyyyy
+Added new context arn:aws:eks:rrrrr:112233445566:cluster/cluster-xxxxx to /home/boom/.kube/config
+```
+
+And now you can simply use `kubectl`:
+
+```console
+$ kubectl get all -n kube-system
+NAME                           READY   STATUS    RESTARTS   AGE
+pod/aws-node-fpmwv             1/1     Running   0          21m
+pod/aws-node-m9htf             1/1     Running   0          21m
+pod/coredns-5cb4fb54c7-q222j   1/1     Running   0          23m
+pod/coredns-5cb4fb54c7-v9nxx   1/1     Running   0          23m
+...
+```
+
 ### Endpoint Access
 
 You can configure the [cluster endpoint access](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) by using the `endpointAccess` property:
@@ -58,7 +100,6 @@ const cluster = new eks.Cluster(this, 'hello-eks', {
 
 The default value is `eks.EndpointAccess.PUBLIC_AND_PRIVATE`. Which means the cluster endpoint is accessible from outside of your VPC, and worker node traffic to the endpoint will stay within your VPC.
 
-
 ### Capacity
 
 By default, `eks.Cluster` is created with a managed nodegroup with x2 `m5.large` instances. You must specify the kubernetes version for the cluster with the `version` property.
@@ -208,7 +249,6 @@ When adding capacity, you can specify options for
 which is responsible for associating the node to the EKS cluster. For example,
 you can use `kubeletExtraArgs` to add custom node labels or taints.
 
-
 ```ts
 // up to ten spot instances
 cluster.addCapacity('spot', {
@@ -224,86 +264,6 @@ cluster.addCapacity('spot', {
 To disable bootstrapping altogether (i.e. to fully customize user-data), set `bootstrapEnabled` to `false` when you add
 the capacity.
 
-### Masters Role
-
-The Amazon EKS construct library allows you to specify an IAM role that will be
-granted `system:masters` privileges on your cluster.
-
-Without specifying a `mastersRole`, you will not be able to interact manually
-with the cluster.
-
-The following example defines an IAM role that can be assumed by all users
-in the account and shows how to use the `mastersRole` property to map this
-role to the Kubernetes `system:masters` group:
-
-```ts
-// first define the role
-const clusterAdmin = new iam.Role(this, 'AdminRole', {
-  assumedBy: new iam.AccountRootPrincipal()
-});
-
-// now define the cluster and map role to "masters" RBAC group
-new eks.Cluster(this, 'Cluster', {
-  mastersRole: clusterAdmin,
-  version: eks.KubernetesVersion.V1_16,
-});
-```
-
-When you `cdk deploy` this CDK app, you will notice that an output will be printed
-with the `update-kubeconfig` command.
-
-Something like this:
-
-```
-Outputs:
-eks-integ-defaults.ClusterConfigCommand43AAE40F = aws eks update-kubeconfig --name cluster-ba7c166b-c4f3-421c-bf8a-6812e4036a33 --role-arn arn:aws:iam::112233445566:role/eks-integ-defaults-Role1ABCC5F0-1EFK2W5ZJD98Y
-```
-
-Copy & paste the "`aws eks update-kubeconfig ...`" command to your shell in
-order to connect to your EKS cluster with the "masters" role.
-
-Now, given [AWS CLI](https://aws.amazon.com/cli/) is configured to use AWS
-credentials for a user that is trusted by the masters role, you should be able
-to interact with your cluster through `kubectl` (the above example will trust
-all users in the account).
-
-For example:
-
-```console
-$ aws eks update-kubeconfig --name cluster-ba7c166b-c4f3-421c-bf8a-6812e4036a33 --role-arn arn:aws:iam::112233445566:role/eks-integ-defaults-Role1ABCC5F0-1EFK2W5ZJD98Y
-Added new context arn:aws:eks:eu-west-2:112233445566:cluster/cluster-ba7c166b-c4f3-421c-bf8a-6812e4036a33 to /Users/boom/.kube/config
-
-$ kubectl get nodes # list all nodes
-NAME                                         STATUS   ROLES    AGE   VERSION
-ip-10-0-147-66.eu-west-2.compute.internal    Ready    <none>   21m   v1.13.7-eks-c57ff8
-ip-10-0-169-151.eu-west-2.compute.internal   Ready    <none>   21m   v1.13.7-eks-c57ff8
-
-$ kubectl get all -n kube-system
-NAME                           READY   STATUS    RESTARTS   AGE
-pod/aws-node-fpmwv             1/1     Running   0          21m
-pod/aws-node-m9htf             1/1     Running   0          21m
-pod/coredns-5cb4fb54c7-q222j   1/1     Running   0          23m
-pod/coredns-5cb4fb54c7-v9nxx   1/1     Running   0          23m
-pod/kube-proxy-d4jrh           1/1     Running   0          21m
-pod/kube-proxy-q7hh7           1/1     Running   0          21m
-
-NAME               TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
-service/kube-dns   ClusterIP   172.20.0.10   <none>        53/UDP,53/TCP   23m
-
-NAME                        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
-daemonset.apps/aws-node     2         2         2       2            2           <none>          23m
-daemonset.apps/kube-proxy   2         2         2       2            2           <none>          23m
-
-NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
-deployment.apps/coredns   2/2     2            2           23m
-
-NAME                                 DESIRED   CURRENT   READY   AGE
-replicaset.apps/coredns-5cb4fb54c7   2         2         2       23m
-```
-
-For your convenience, an AWS CloudFormation output will automatically be
-included in your template and will be printed when running `cdk deploy`.
-
 ### Kubernetes Resources
 
 The `KubernetesResource` construct or `cluster.addResource` method can be used

diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts
@@ -197,11 +197,8 @@ export interface ClusterOptions extends CommonClusterOptions {
    *
    * @see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
    *
-   * @default - By default, it will only possible to update this Kubernetes
-   *            system by adding resources to this cluster via `addResource` or
-   *            by defining `KubernetesResource` resources in your AWS CDK app.
-   *            Use this if you wish to grant cluster administration privileges
-   *            to another role.
+   * @default - a role that assumable by anyone with permissions in the same
+   * account will automatically be defined
    */
   readonly mastersRole?: iam.IRole;
 
@@ -681,17 +678,22 @@ export class Cluster extends Resource implements ICluster {
       new CfnOutput(this, 'ClusterName', { value: this.clusterName });
     }
 
-    // map the IAM role to the `system:masters` group.
-    if (props.mastersRole) {
-      this.awsAuth.addMastersRole(props.mastersRole);
+    // if an explicit role is not configured, define a masters role that can
+    // be assumed by anyone in the account (with sts:AssumeRole permissions of
+    // course)
+    const mastersRole = props.mastersRole ?? new iam.Role(this, 'MastersRole', {
+      assumedBy: new iam.AccountRootPrincipal(),
+    });
 
-      if (props.outputMastersRoleArn) {
-        new CfnOutput(this, 'MastersRoleArn', { value: props.mastersRole.roleArn });
-      }
+    // map the IAM role to the `system:masters` group.
+    this.awsAuth.addMastersRole(mastersRole);
 
-      commonCommandOptions.push(`--role-arn ${props.mastersRole.roleArn}`);
+    if (props.outputMastersRoleArn) {
+      new CfnOutput(this, 'MastersRoleArn', { value: mastersRole.roleArn });
     }
 
+    commonCommandOptions.push(`--role-arn ${mastersRole.roleArn}`);
+
     // allocate default capacity if non-zero (or default).
     const minCapacity = props.defaultCapacity === undefined ? DEFAULT_CAPACITY_COUNT : props.defaultCapacity;
     if (minCapacity > 0) {