From eb841ecf506dc69827b8c36feb304c0694fb562c Mon Sep 17 00:00:00 2001 From: Jonathan Innis Date: Mon, 27 Nov 2023 18:25:02 -0800 Subject: [PATCH] Drop unneccesary perms from role --- .github/actions/e2e/create-cluster/action.yaml | 2 +- .github/actions/e2e/install-karpenter/action.yaml | 9 ++++++--- charts/karpenter/templates/deployment.yaml | 3 +-- charts/karpenter/templates/role.yaml | 13 ++++--------- charts/karpenter/values.yaml | 4 ++-- .../content/en/preview/upgrading/upgrade-guide.md | 2 +- 6 files changed, 15 insertions(+), 18 deletions(-) diff --git a/.github/actions/e2e/create-cluster/action.yaml b/.github/actions/e2e/create-cluster/action.yaml index dea255d48563..a20dd50d440c 100644 --- a/.github/actions/e2e/create-cluster/action.yaml +++ b/.github/actions/e2e/create-cluster/action.yaml @@ -113,7 +113,7 @@ runs: serviceAccounts: - metadata: name: karpenter - namespace: karpenter + namespace: kube-system attachPolicyARNs: - "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicy-${{ inputs.cluster_name }}" permissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary" diff --git a/.github/actions/e2e/install-karpenter/action.yaml b/.github/actions/e2e/install-karpenter/action.yaml index 0dfa06064ee7..c659de8509ee 100644 --- a/.github/actions/e2e/install-karpenter/action.yaml +++ b/.github/actions/e2e/install-karpenter/action.yaml 
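Review bot: Moving the IRSA service account to `kube-system` changes the OIDC subject the IAM role must trust (`system:serviceaccount:kube-system:karpenter`), and nothing in this hunk records that coupling. eksctl regenerates the trust policy for the role it manages here, but the install step in this same patch annotates the pod with `role/karpenter-irsa-${cluster_name}`, whose trust policy is not visible in the patch — if that role is created elsewhere with the old `karpenter` namespace in its `sub` condition, AssumeRoleWithWebIdentity will be denied at runtime. A one-line comment above `namespace: kube-system`, e.g. `# must match the helm -n namespace and the IRSA trust-policy subject`, would make the dependency explicit. The `iam:` / `serviceAccounts:` block continues outside the hunk.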
@@ -45,12 +45,15 @@ runs: shell: bash run: | aws eks update-kubeconfig --name "${{ inputs.cluster_name }}" - helm upgrade --install karpenter oci://${{ inputs.ecr_account_id }}.dkr.ecr.${{ inputs.ecr_region }}.amazonaws.com/karpenter/snapshot/karpenter \ - -n karpenter \ + + # Parse minor version to determine whether to enable the webhooks + + + helm upgrade --install karpenter oci://${{ inputs.ecr_account_id }}.dkr.ecr.${{ inputs.ecr_region }}.amazonaws.com/karpenter/snapshot/karpenter \ + -n kube-system \ --version "v0-$(git rev-parse HEAD)" \ --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::${{ inputs.account_id }}:role/karpenter-irsa-${{ inputs.cluster_name }}" \ --set settings.clusterName="${{ inputs.cluster_name }}" \ - --set settings.aws.defaultInstanceProfile="KarpenterNodeInstanceProfile-${{ inputs.cluster_name }}" \ --set settings.interruptionQueue="${{ inputs.cluster_name }}" \ --set controller.resources.requests.cpu=3 \ --set controller.resources.requests.memory=3Gi \ diff --git a/charts/karpenter/templates/deployment.yaml b/charts/karpenter/templates/deployment.yaml index 9f7fcf958d3b..d32a9665cbfa 100644 --- a/charts/karpenter/templates/deployment.yaml +++ b/charts/karpenter/templates/deployment.yaml @@ -77,9 +77,8 @@ spec: value: "{{ .Values.webhook.port }}" - name: WEBHOOK_METRICS_PORT value: "{{ .Values.webhook.metrics.port }}" - {{- else }} - name: DISABLE_WEBHOOK - value: "true" + value: "false" {{- end }} {{- with .Values.logLevel }} - name: LOG_LEVEL diff --git a/charts/karpenter/templates/role.yaml b/charts/karpenter/templates/role.yaml index 29731e3138e5..bdcf4670865d 100644 --- a/charts/karpenter/templates/role.yaml +++ b/charts/karpenter/templates/role.yaml 
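Review bot: The added comment `# Parse minor version to determine whether to enable the webhooks` is followed only by blank lines — the helm invocation below never passes `--set webhook.enabled=...`, so on a cluster below 1.25 (where the upgrade guide in this patch says CEL validation is not available) the e2e install runs with neither webhooks nor CEL validation and no test would notice. Either implement what the comment promises, e.g. `K8S_MINOR=$(kubectl version -o json | jq -r '.serverVersion.minor' | tr -d '+')`, `WEBHOOK_ENABLED=$([ "$K8S_MINOR" -lt 25 ] && echo true || echo false)`, then `--set webhook.enabled="${WEBHOOK_ENABLED}"`, or drop the comment so it does not read as finished work. The `run:` block continues outside the hunk.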
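Review bot: With `{{- else }}` removed, a release rendered with `webhook.enabled=false` no longer sets `DISABLE_WEBHOOK` at all and silently relies on the controller binary defaulting to disabled; under chart/image version skew, or with a binary whose default is still `false`, the webhook server would start without the cert Secret and without the `secrets` RBAC that this same patch now gates behind `webhook.enabled`. Keeping the branch explicit is the fail-closed choice: retain `{{- else }}`, `- name: DISABLE_WEBHOOK`, `value: "true"` ahead of `{{- end }}` so the rendered env always states the intent regardless of binary defaults. The container `env:` list continues outside the hunk.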
@@ -14,21 +14,19 @@ rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch"] +{{- if .Values.webhook.enabled }} - apiGroups: [""] resources: ["configmaps", "namespaces", "secrets"] verbs: ["get", "list", "watch"] +{{- end }} # Write {{- if .Values.webhook.enabled }} - apiGroups: [""] resources: ["secrets"] verbs: ["update"] - resourceNames: ["{{ include "karpenter.fullname" . }}-cert"] -{{- end }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["update", "patch", "delete"] resourceNames: - - config-logging + - "{{ include "karpenter.fullname" . }}-cert" +{{- end }} - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["patch", "update"] @@ -49,9 +47,6 @@ rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["create"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/charts/karpenter/values.yaml b/charts/karpenter/values.yaml index b11a16efd7e2..3855c294000f 100644 --- a/charts/karpenter/values.yaml +++ b/charts/karpenter/values.yaml @@ -147,7 +147,7 @@ logLevel: info # -- Log configuration (Deprecated: Logging configuration will be dropped by v1, use logLevel instead) logConfig: # -- Whether to enable provisioning and mounting the log ConfigMap - enabled: true + enabled: false # -- Log outputPaths - defaults to stdout only outputPaths: - stdout @@ -159,7 +159,7 @@ logConfig: # -- Component-based log configuration logLevel: # -- Global log level, defaults to 'info' - global: info + global: debug # -- Controller log level, defaults to 'info' controller: info # -- Error log level, defaults to 'error' diff --git a/website/content/en/preview/upgrading/upgrade-guide.md b/website/content/en/preview/upgrading/upgrade-guide.md index bf1cadcbbef2..71795b1c444a 100644 --- a/website/content/en/preview/upgrading/upgrade-guide.md +++ b/website/content/en/preview/upgrading/upgrade-guide.md 
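Review bot: Gating the `configmaps`/`namespaces`/`secrets` read rule behind `webhook.enabled` is the right direction, but when the webhook is on, `list`/`watch` on `secrets` remains unscoped, and with the chart now installed into `kube-system` (per the e2e actions in this patch) that is read access to every Secret in the control-plane namespace, not just `<fullname>-cert`. If the webhook's cert handling can be narrowed to the one secret, scope the read rule with `resourceNames` as the `update` rule beneath it already does; if it cannot (a `list` verb is not constrained by `resourceNames`), add a comment on that entry such as `# list/watch cannot be resourceName-scoped: grants read of all Secrets in the release namespace` so operators deploying into kube-system see the trade-off. The `rules:` list continues outside the hunk.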
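Review bot: `global: debug` now contradicts the helm-docs comment directly above it, `# -- Global log level, defaults to 'info'`, and the upgrade guide in this same patch states the default `LOG_LEVEL` moved from `debug` to `info` — the generated README will advertise `info` while the chart ships `debug`. If the intent is to preserve the previous zap-config behaviour for users who opt into the deprecated `logConfig`, change the comment to `# -- Global log level, defaults to 'debug'` (otherwise set the value back to `info`); debug output from a controller holding cloud credentials is verbose, so it is worth confirming nothing sensitive is echoed before making it the default. The `logConfig.logLevel` mapping continues outside the hunk.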
@@ -40,7 +40,7 @@ kubectl apply -f https://raw.githubusercontent.com/aws/karpenter{{< githubRelRef * `v0.33.x` disables mutating and validating webhooks by default in favor of using [Common Expression Language for CRD validation](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation). The Common Expression Language Validation Feature [is enabled by default on EKS 1.25](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules). If you are using Kubernetes version >= 1.25, no further action is required. If you are using a Kubernetes version below 1.25, you now need to set `DISABLE_WEBHOOK=false` in your container environment variables or `--set webhook.enabled=true` if using Helm. View the [Webhook Support Deprecated in Favor of CEL Section of the v1beta1 Migration Guide]({{}}). * `v0.33.x` drops support for passing settings through the `karpenter-global-settings` ConfigMap. You should pass settings through the container environment variables in the Karpenter deployment manifest. View the [Global Settings Section of the v1beta1 Migration Guide]({{}}) for more details. * `v0.33.x` enables `Drift=true` by default in the `FEATURE_GATES`. If you previously didn't enable the feature gate, Karpenter will now check if there is a difference between the desired state of your nodes declared in your NodePool and the actual state of your nodes. View the [Drift Section of Disruption Conceptual Docs]({{}}) for more details. -* `v0.33.x` drops looking up the `zap-logger-config` through ConfigMap discovery. Instead, Karpenter now expects the logging config to be mounted on the filesystem if you are using this to configure Zap logging. Note that setting the Zap logging config is a deprecated feature in beta and is planned to be dropped at v1. View the [Logging Configuration Section of the v1beta1 Migration Guide]({{}}) for more details. 
+* `v0.33.x` drops looking up the `zap-logger-config` through ConfigMap discovery. Instead, Karpenter now expects the logging config to be mounted on the filesystem if you are using this to configure Zap logging. This is not enabled by default, but can be enabled through `--set logConfig.enabled=true` in the helm values. Note that setting the Zap logging config is a deprecated feature in beta and is planned to be dropped at v1. View the [Logging Configuration Section of the v1beta1 Migration Guide]({{}}) for more details. * `v0.33.x` change the default `LOG_LEVEL` from `debug` to `info` by default. If you are still enabling logging configuration through the `zap-logger-config`, no action is required. ### Upgrading to v0.32.0+