diff --git a/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content index 086eab51ed191..0a8004e508ab5 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content @@ -56,7 +56,7 @@ spec: useServiceAccountExternalPermissions: true karpenter: enabled: true - image: public.ecr.aws/karpenter/controller:v0.28.1 + image: public.ecr.aws/karpenter/controller:v0.30.0 logEncoding: console logLevel: debug keyStore: memfs://clusters.example.com/minimal.example.com/pki diff --git a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index 00feef64cf00b..5ff5e697776e8 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -120,7 +120,7 @@ spec: version: 9.99.0 - id: k8s-1.19 manifest: karpenter.sh/k8s-1.19.yaml - manifestHash: aab89cad4f4a52b8620f581548694a6fc096bdbd1a297310beda01b57d3550ae + manifestHash: 7bc4829a29758e7f7a9126f7baaa28b2343a470e48c79e0d900045c17ed77ace name: karpenter.sh prune: kinds: @@ -168,11 +168,13 @@ spec: kind: Role labelSelector: addon.kops.k8s.io/name=karpenter.sh,app.kubernetes.io/managed-by=kops namespaces: + - kube-node-lease - kube-system - group: rbac.authorization.k8s.io kind: RoleBinding labelSelector: addon.kops.k8s.io/name=karpenter.sh,app.kubernetes.io/managed-by=kops namespaces: + - kube-node-lease - kube-system selector: k8s-addon: karpenter.sh 
diff --git a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-karpenter.sh-k8s-1.19_content b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-karpenter.sh-k8s-1.19_content index a1d5a31764ab5..1de31e3c04054 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-karpenter.sh-k8s-1.19_content +++ b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-karpenter.sh-k8s-1.19_content @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null labels: addon.kops.k8s.io/name: karpenter.sh @@ -20,7 +20,15 @@ spec: singular: provisioner scope: Cluster versions: - - name: v1alpha5 + - additionalPrinterColumns: + - jsonPath: .spec.providerRef.name + name: Template + type: string + - jsonPath: .spec.weight + name: Weight + priority: 1 + type: string + name: v1alpha5 schema: openAPIV3Schema: description: Provisioner is the Schema for the Provisioners API @@ -382,7 +390,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null labels: addon.kops.k8s.io/name: karpenter.sh @@ -702,7 +710,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null labels: addon.kops.k8s.io/name: karpenter.sh 
@@ -1068,8 +1076,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system @@ -1091,8 +1099,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system @@ -1108,8 +1116,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-cert namespace: kube-system @@ -1151,8 +1159,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: config-logging namespace: kube-system @@ -1161,6 +1169,9 @@ metadata: apiVersion: v1 data: + aws.assumeRoleARN: "" + aws.assumeRoleDuration: 15m + aws.clusterCABundle: "" aws.clusterEndpoint: https://api.internal.minimal.example.com aws.clusterName: minimal.example.com aws.defaultInstanceProfile: "" @@ -1171,6 +1182,7 @@ data: aws.vmMemoryOverheadPercent: "0.075" batchIdleDuration: 1s batchMaxDuration: 10s + featureGates.driftEnabled: "false" kind: ConfigMap metadata: creationTimestamp: null 
@@ -1179,8 +1191,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-global-settings namespace: kube-system @@ -1196,8 +1208,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh rbac.authorization.k8s.io/aggregate-to-admin: "true" name: karpenter-admin @@ -1239,8 +1251,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-core rules: @@ -1307,12 +1319,20 @@ rules: - apiGroups: - karpenter.sh resources: - - provisioners/status - machines - machines/status verbs: - create - delete + - update + - patch +- apiGroups: + - karpenter.sh + resources: + - provisioners + - provisioners/status + verbs: + - update - patch - apiGroups: - "" @@ -1356,8 +1376,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter rules: @@ -1388,6 +1408,7 @@ rules: - apiGroups: - karpenter.k8s.aws resources: + - awsnodetemplates - awsnodetemplates/status verbs: - patch 
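Review bot: The wider write access in the `karpenter-core` ClusterRole hunk (`@@ -1307,12 +1319,20`) has no recorded justification: the controller previously touched only `provisioners/status` and now gets `update` and `patch` on `provisioners` itself, and the `karpenter` ClusterRole hunk (`@@ -1388,6 +1408,7`) likewise adds `awsnodetemplates` beside `awsnodetemplates/status`. This file is rendered expected output, so the explanation belongs in the addon template it is generated from, for example `# v0.30.0: controller writes Provisioner objects, not only their status` (wording to be confirmed against the upstream chart). The rule covering `machines` and `machines/status` still grants `create` and `delete` on the status subresource, where they presumably have no effect; giving `machines/status` its own `update`/`patch` rule would make the grant easier to audit. Both rule lists continue outside the hunks, so the full verb set for `awsnodetemplates` is not visible here.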
@@ -1404,8 +1425,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-core roleRef: @@ -1428,8 +1449,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter roleRef: @@ -1452,8 +1473,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system @@ -1531,8 +1552,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-dns namespace: kube-system 
@@ -1548,6 +1569,38 @@ rules: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: karpenter.sh + app.kubernetes.io/instance: karpenter + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: karpenter + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 + k8s-addon: karpenter.sh + name: karpenter-lease + namespace: kube-node-lease +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - delete + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -1557,8 +1610,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system @@ -1582,8 +1635,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-dns namespace: kube-system 
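Review bot: The new `karpenter-lease` Role (`@@ -1548,6 +1569,38`) grants `delete` on `coordination.k8s.io` `leases` in `kube-node-lease` without saying what the controller is expected to delete. Leases in that namespace carry node heartbeats, so the source template should state the purpose next to the rule, e.g. `# delete: clean up leases left behind by nodes Karpenter has removed` (to be confirmed against upstream). Lease names are per node, so `resourceNames` cannot narrow the grant; that is worth recording in the same comment. The two rules share the same `apiGroups` and `resources` and could be one rule with verbs `get`, `list`, `watch`, `delete`, unless the split is kept to mirror the upstream chart.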
@@ -1598,6 +1651,31 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: karpenter.sh + app.kubernetes.io/instance: karpenter + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: karpenter + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 + k8s-addon: karpenter.sh + name: karpenter-lease + namespace: kube-node-lease +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: karpenter-lease +subjects: +- kind: ServiceAccount + name: karpenter + namespace: kube-system + +--- + apiVersion: v1 kind: Service metadata: @@ -1607,19 +1685,19 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system spec: ports: - name: http-metrics - port: 8080 + port: 8000 protocol: TCP targetPort: http-metrics - name: https-webhook - port: 443 + port: 8443 protocol: TCP targetPort: https-webhook selector: @@ -1638,8 +1716,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system @@ -1718,7 +1796,7 @@ spec: value: arn:aws-test:iam::123456789012:role/karpenter.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: public.ecr.aws/karpenter/controller:v0.28.1 + image: public.ecr.aws/karpenter/controller:v0.30.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: 
@@ -1741,6 +1819,7 @@ spec: httpGet: path: /readyz port: http + initialDelaySeconds: 5 timeoutSeconds: 30 resources: limits: @@ -1748,14 +1827,25 @@ spec: requests: cpu: 500m memory: 1Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/run/secrets/amazonaws.com/ name: token-amazonaws-com readOnly: true - dnsPolicy: ClusterFirst + dnsPolicy: Default priorityClassName: system-cluster-critical securityContext: - fsGroup: 1000 + fsGroup: 65536 + runAsGroup: 65536 + runAsNonRoot: true + runAsUser: 65536 + seccompProfile: + type: RuntimeDefault serviceAccountName: karpenter tolerations: - key: node-role.kubernetes.io/master @@ -1772,13 +1862,6 @@ spec: maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - app.kubernetes.io/instance: karpenter - app.kubernetes.io/name: karpenter - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule volumes: - name: token-amazonaws-com projected: @@ -1800,8 +1883,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: defaulting.webhook.karpenter.k8s.aws webhooks: @@ -1811,6 +1894,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail name: defaulting.webhook.karpenter.k8s.aws rules: @@ -1848,8 +1932,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: validation.webhook.karpenter.sh webhooks: 
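Review bot: In the Deployment hunk (`@@ -1748,14 +1827,25`), `dnsPolicy` goes from `ClusterFirst` to `Default` with no explanation, so the pod resolves through the node's resolver and no longer resolves cluster service names. If the intent is that the controller must not depend on cluster DNS, the addon template should say so, e.g. `# dnsPolicy Default: controller must start even when cluster DNS is not yet schedulable`. The same hunk sets `readOnlyRootFilesystem: true` while the only entry under `volumeMounts` is the read-only `token-amazonaws-com` projection, so any path the controller writes at runtime would need an `emptyDir` mount. Whether it writes anything is not visible here, and the container spec starts outside the hunk.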
@@ -1859,6 +1943,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail name: validation.webhook.karpenter.sh rules: @@ -1885,8 +1970,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: validation.webhook.config.karpenter.sh webhooks: @@ -1896,12 +1981,12 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail name: validation.webhook.config.karpenter.sh objectSelector: matchLabels: - app.kubernetes.io/instance: karpenter - app.kubernetes.io/name: karpenter + app.kubernetes.io/part-of: karpenter sideEffects: None --- @@ -1915,8 +2000,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: validation.webhook.karpenter.k8s.aws webhooks: @@ -1926,6 +2011,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail name: validation.webhook.karpenter.k8s.aws rules:
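Review bot: In the `validation.webhook.config.karpenter.sh` hunk (`@@ -1896,12 +1981,12`), the `objectSelector` now matches only `app.kubernetes.io/part-of: karpenter`, but the ConfigMaps this manifest ships, `config-logging` and `karpenter-global-settings`, show no such label. In their hunks the alphabetically ordered label lists go from `app.kubernetes.io/name` straight to `app.kubernetes.io/version`. If that holds for the complete label blocks, which begin outside those hunks, the webhook no longer selects these ConfigMaps and an invalid settings change would be admitted without validation. Either add `app.kubernetes.io/part-of: karpenter` to both ConfigMaps in the addon template or keep the previous `app.kubernetes.io/instance` / `app.kubernetes.io/name` selector.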