Removed dependency on IAM (#389)
ellistarn authored Apr 30, 2021
1 parent 5426595 commit 8fefa6b
Showing 6 changed files with 26 additions and 125 deletions.
21 changes: 18 additions & 3 deletions docs/aws/README.md
Expand Up @@ -40,22 +40,37 @@ Karpenter relies on [cert-manager](https://github.com/jetstack/cert-manager) for
sh -c "$(curl -fsSL https://raw.githubusercontent.com/awslabs/karpenter/v0.2.2/hack/quick-install.sh)"
```

### Enable IRSA and attach IAM Role to Service Account
Enables IRSA for your cluster. This command is idempotent, but only needs to be executed once per cluster.
### Setup IRSA, Karpenter Controller Role, and Karpenter Node Role
```bash
# Enables IRSA for your cluster. This command is idempotent, but only needs to be executed once per cluster.
eksctl utils associate-iam-oidc-provider \
--region ${AWS_DEFAULT_REGION} \
--cluster ${CLUSTER_NAME} \
--approve

# Setup KarpenterControllerRole
kubectl patch serviceaccount karpenter -n karpenter --patch "$(cat <<-EOM
metadata:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::${AWS_ACCOUNT_ID}:role/KarpenterControllerRole-${CLUSTER_NAME}
EOM
)"

kubectl delete pods -n karpenter -l control-plane=karpenter # Restart controller to load credentials
# Setup KarpenterNodeRole
kubectl patch configmap aws-auth -n kube-system --patch "$(cat <<-EOM
data:
mapRoles: |
- rolearn: arn:aws:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME}
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
$(kubectl get configmap -n kube-system aws-auth -ojsonpath='{.data.mapRoles}' | sed 's/^/ /')
EOM
)"

# Restart controller to load credentials
kubectl delete pods -n karpenter -l control-plane=karpenter
```

### (Optional) Enable Verbose Logging
5 changes: 2 additions & 3 deletions docs/aws/karpenter.cloudformation.yaml
Expand Up @@ -58,16 +58,15 @@ Resources:
- "ec2:DescribeInstanceTypes"
- "ec2:DescribeInstanceTypeOfferings"
- "ec2:DescribeAvailabilityZones"
- "iam:GetInstanceProfile"
- "ssm:GetParameter"
KarpenterNodeInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
InstanceProfileName: !Sub "KarpenterNodeInstanceProfile-${ClusterName}"
Path: "/"
Roles:
- Ref: "KarpenterNodeInstanceRole"
KarpenterNodeInstanceRole:
- Ref: "KarpenterNodeRole"
KarpenterNodeRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: !Sub "KarpenterNodeRole-${ClusterName}"
6 changes: 0 additions & 6 deletions pkg/cloudprovider/aws/factory.go
Expand Up @@ -22,7 +22,6 @@ import (
"github.com/aws/aws-sdk-go/aws/request"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/ssm"
"github.com/awslabs/karpenter/pkg/apis/provisioning/v1alpha1"
"github.com/awslabs/karpenter/pkg/cloudprovider"
Expand Down Expand Up @@ -60,11 +59,6 @@ func NewFactory(options cloudprovider.Options) *Factory {
launchTemplateProvider := &LaunchTemplateProvider{
ec2api: ec2api,
cache: cache.New(CacheTTL, CacheCleanupInterval),
instanceProfileProvider: &InstanceProfileProvider{
iamapi: iam.New(sess),
kubeClient: options.Client,
cache: cache.New(CacheTTL, CacheCleanupInterval),
},
securityGroupProvider: &SecurityGroupProvider{
ec2api: ec2api,
cache: cache.New(CacheTTL, CacheCleanupInterval),
97 changes: 0 additions & 97 deletions pkg/cloudprovider/aws/instanceprofile.go

This file was deleted.

17 changes: 6 additions & 11 deletions pkg/cloudprovider/aws/launchtemplate.go
Expand Up @@ -49,12 +49,11 @@ cluster-name = "{{.Name}}"
)

type LaunchTemplateProvider struct {
ec2api ec2iface.EC2API
cache *cache.Cache
instanceProfileProvider *InstanceProfileProvider
securityGroupProvider *SecurityGroupProvider
ssm ssmiface.SSMAPI
clientSet *kubernetes.Clientset
ec2api ec2iface.EC2API
cache *cache.Cache
securityGroupProvider *SecurityGroupProvider
ssm ssmiface.SSMAPI
clientSet *kubernetes.Clientset
}

func launchTemplateName(clusterName string, arch string) string {
Expand Down Expand Up @@ -113,10 +112,6 @@ func (p *LaunchTemplateProvider) createLaunchTemplate(ctx context.Context, clust
if err != nil {
return nil, fmt.Errorf("getting security groups, %w", err)
}
instanceProfile, err := p.instanceProfileProvider.Get(ctx, cluster)
if err != nil {
return nil, fmt.Errorf("getting instance profile, %w", err)
}
amiID, err := p.getAMIID(ctx, arch)
if err != nil {
return nil, fmt.Errorf("getting AMI ID, %w", err)
Expand All @@ -131,7 +126,7 @@ func (p *LaunchTemplateProvider) createLaunchTemplate(ctx context.Context, clust
LaunchTemplateName: aws.String(launchTemplateName(cluster.Name, arch)),
LaunchTemplateData: &ec2.RequestLaunchTemplateData{
IamInstanceProfile: &ec2.LaunchTemplateIamInstanceProfileSpecificationRequest{
Name: instanceProfile.InstanceProfileName,
Name: aws.String(fmt.Sprintf("KarpenterNodeInstanceProfile-%s", cluster.Name)),
},
TagSpecifications: []*ec2.LaunchTemplateTagSpecificationRequest{{
ResourceType: aws.String(ec2.ResourceTypeInstance),
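Review bot: The instance profile name at `Name: aws.String(fmt.Sprintf("KarpenterNodeInstanceProfile-%s", cluster.Name))` now duplicates the naming convention that docs/aws/karpenter.cloudformation.yaml declares as `InstanceProfileName: !Sub "KarpenterNodeInstanceProfile-${ClusterName}"`, and nothing in the code ties the two together. With the iam:GetInstanceProfile lookup removed, a drift between the two names would presumably no longer fail in createLaunchTemplate but later when instances are launched, so the launch template is created successfully and the error surfaces in a less obvious place. I would mirror `launchTemplateName` with a small helper, `func instanceProfileName(clusterName string) string { return fmt.Sprintf("KarpenterNodeInstanceProfile-%s", clusterName) }`, carrying a comment such as `// Must match InstanceProfileName in docs/aws/karpenter.cloudformation.yaml; the controller no longer verifies the profile exists, so a mismatch only shows up at instance launch.` createLaunchTemplate starts and ends outside the hunk.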
5 changes: 0 additions & 5 deletions pkg/cloudprovider/aws/suite_test.go
Expand Up @@ -63,11 +63,6 @@ var env = test.NewEnvironment(func(e *test.Environment) {
launchTemplateProvider := &LaunchTemplateProvider{
ec2api: fakeEC2API,
cache: launchTemplateCache,
instanceProfileProvider: &InstanceProfileProvider{
iamapi: &fake.IAMAPI{},
kubeClient: e.Manager.GetClient(),
cache: instanceProfileCache,
},
securityGroupProvider: &SecurityGroupProvider{
ec2api: fakeEC2API,
cache: securityGroupCache,
