Add AWS LoadBalancerController
Ole Markus With committed Feb 1, 2021
1 parent 40ae752 commit 01b3053
Showing 14 changed files with 1,416 additions and 1 deletion.
13 changes: 13 additions & 0 deletions docs/addons.md
Expand Up @@ -11,6 +11,19 @@ The following addons are managed by kOps and will be upgraded following the kOps

### Available addons

#### AWS Load Balancer Controller
{{ kops_feature_table(kops_added_default='1.19') }}

AWS Load Balancer Controller offers additional functionality for provisioning ELBs.

```yaml
spec:
awsLoadBalancerController:
enabled: true
```
Read more in the [official documentation](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/).
#### Cluster autoscaler
{{ kops_feature_table(kops_added_default='1.19', k8s_min='1.15') }}
16 changes: 16 additions & 0 deletions k8s/crds/kops.k8s.io_clusters.yaml
Expand Up @@ -201,12 +201,28 @@ spec:
rbac:
type: object
type: object
awsLoadBalancerController:
description: AWSLoadbalancerControllerConfig determines the AWS LB
controller configuration.
properties:
enabled:
description: 'Enabled enables the loadbalancer controller. Default:
false'
type: boolean
image:
description: 'Image is the docker container used. Default: v2.0.0'
type: string
type: object
certManager:
description: CertManager determines the metrics server configuration.
properties:
enabled:
description: 'Enabled enables the cert manager. Default: false'
type: boolean
image:
description: 'Image is the docker container used. Default: the
latest supported image for the specified kubernetes version.'
type: string
type: object
channel:
description: The Channel we are following
2 changes: 2 additions & 0 deletions pkg/apis/kops/cluster.go
Expand Up @@ -164,6 +164,8 @@ type ClusterSpec struct {
MetricsServer *MetricsServerConfig `json:"metricsServer,omitempty"`
// CertManager determines the metrics server configuration.
CertManager *CertManagerConfig `json:"certManager,omitempty"`
// AWSLoadbalancerControllerConfig determines the AWS LB controller configuration.
AWSLoadBalancerController *AWSLoadBalancerControllerConfig `json:"awsLoadBalancerController,omitempty"`

// Networking configuration
Networking *NetworkingSpec `json:"networking,omitempty"`
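Review bot: The doc comment on the new AWSLoadBalancerController field starts with the type name AWSLoadbalancerControllerConfig instead of the field name, and spells it with a lowercase b unlike both the field and the type it refers to; a doc comment is expected to begin with the name it documents, so `// AWSLoadBalancerController determines the AWS Load Balancer Controller configuration.` would read correctly in godoc. The identical comment is added in pkg/apis/kops/v1alpha2/cluster.go and should be corrected there too. The ClusterSpec struct begins and ends outside the hunk.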
14 changes: 14 additions & 0 deletions pkg/apis/kops/componentconfig.go
Expand Up @@ -901,6 +901,20 @@ type CertManagerConfig struct {
// Enabled enables the cert manager.
// Default: false
Enabled *bool `json:"enabled,omitempty"`

// Image is the docker container used.
// Default: the latest supported image for the specified kubernetes version.
Image *string `json:"image,omitempty"`
}

// AWSLoadBalancerControllerConfig determines the AWS LB controller configuration.
type AWSLoadBalancerControllerConfig struct {
// Enabled enables the loadbalancer controller.
// Default: false
Enabled *bool `json:"enabled,omitempty"`
// Image is the docker container used.
// Default: v2.0.0
Image *string `json:"image,omitempty"`
}

// HasAdmissionController checks if a specific admission controller is enabled
2 changes: 2 additions & 0 deletions pkg/apis/kops/v1alpha2/cluster.go
Expand Up @@ -163,6 +163,8 @@ type ClusterSpec struct {
MetricsServer *MetricsServerConfig `json:"metricsServer,omitempty"`
// CertManager determines the metrics server configuration.
CertManager *CertManagerConfig `json:"certManager,omitempty"`
// AWSLoadbalancerControllerConfig determines the AWS LB controller configuration.
AWSLoadBalancerController *AWSLoadBalancerControllerConfig `json:"awsLoadBalancerController,omitempty"`

// Networking configuration
Networking *NetworkingSpec `json:"networking,omitempty"`
14 changes: 14 additions & 0 deletions pkg/apis/kops/v1alpha2/componentconfig.go
Expand Up @@ -900,6 +900,20 @@ type CertManagerConfig struct {
// Enabled enables the cert manager.
// Default: false
Enabled *bool `json:"enabled,omitempty"`

// Image is the docker container used.
// Default: the latest supported image for the specified kubernetes version.
Image *string `json:"image,omitempty"`
}

// AWSLoadBalancerControllerConfig determines the AWS LB controller configuration.
type AWSLoadBalancerControllerConfig struct {
// Enabled enables the loadbalancer controller.
// Default: false
Enabled *bool `json:"enabled,omitempty"`
// Image is the docker container used.
// Default: v2.0.0
Image *string `json:"image,omitempty"`
}

// HasAdmissionController checks if a specific admission controller is enabled
52 changes: 52 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.conversion.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

36 changes: 36 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

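--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -160,10 +160,14 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie
 }
 
 if spec.MetricsServer != nil {
-allErrs = append(allErrs, validateMetricsServer(c, spec.MetricsServer, fieldPath.Child("nodeTerminationHandler"))...)
+allErrs = append(allErrs, validateMetricsServer(c, spec.MetricsServer, fieldPath.Child("metricsServer"))...)
 
 }
 
+if spec.AWSLoadBalancerController != nil {
+allErrs = append(allErrs, validateAWSLoadBalancerController(c, spec.AWSLoadBalancerController, fieldPath.Child("awsLoadBalanceController"))...)
+
+}
 // IAM additional policies
 if spec.AdditionalPolicies != nil {
 for k, v := range *spec.AdditionalPolicies {
@@ -1289,3 +1293,12 @@ func validateMetricsServer(cluster *kops.Cluster, spec *kops.MetricsServerConfig
 }
 return allErrs
 }
+
+func validateAWSLoadBalancerController(cluster *kops.Cluster, spec *kops.AWSLoadBalancerControllerConfig, fldPath *field.Path) (allErrs field.ErrorList) {
+if spec != nil && fi.BoolValue(spec.Enabled) {
+if !components.IsCertManagerEnabled(cluster) {
+allErrs = append(allErrs, field.Forbidden(fldPath.Child("insecure"), "AWS Load Balancer Controller requires that cert manager is enabled"))
+}
+}
+return allErrs
+}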
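Review bot: validateAWSLoadBalancerController reports its Forbidden error at `fldPath.Child("insecure")`, but AWSLoadBalancerControllerConfig as added in componentconfig.go has only enabled and image, so the message points users at a field that does not exist; `fldPath.Child("enabled")` is the value that triggers the check. The caller in validateClusterSpec has the same kind of slip: `fieldPath.Child("awsLoadBalanceController")` drops the r from the json tag `awsLoadBalancerController` declared in cluster.go, which is exactly the class of wrong-path bug the metricsServer line in this hunk is fixing. The two corrections are `fieldPath.Child("awsLoadBalancerController")` in the caller and `fldPath.Child("enabled")` in the new function. The stray blank line inside the new if block could also go to match the surrounding style; validateClusterSpec itself starts and ends outside the hunk.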
36 changes: 36 additions & 0 deletions pkg/apis/kops/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

34 changes: 34 additions & 0 deletions pkg/model/iam/iam_builder.go
Expand Up @@ -282,6 +282,10 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
addCalicoSrcDstCheckPermissions(p)
}

if b.Cluster.Spec.AWSLoadBalancerController != nil && fi.BoolValue(b.Cluster.Spec.AWSLoadBalancerController.Enabled) {
addAWSLoadbalancerControllerPermissions(p, b.Cluster.GetName())
}

return p, nil
}

Expand Down Expand Up @@ -671,6 +675,36 @@ func addCalicoSrcDstCheckPermissions(p *Policy) {
})
}

func addAWSLoadbalancerControllerPermissions(p *Policy, clusterName string) {
p.Statement = append(p.Statement, &Statement{
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"ec2:AuthorizeSecurityGroupIngress", // aws.go
"ec2:DeleteSecurityGroup", // aws.go
"ec2:RevokeSecurityGroupIngress", // aws.go
),
Resource: stringorslice.Slice([]string{"*"}),
Condition: Condition{
"StringEquals": map[string]string{
"ec2:ResourceTag/elbv2.k8s.aws/cluster": clusterName,
},
},
},

&Statement{
Effect: StatementEffectAllow,
Action: stringorslice.Of(
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:CreateRule",
),
Resource: stringorslice.Slice([]string{"*"}),
})
}

// addLegacyDNSControllerPermissions adds legacy IAM permissions used by the node roles.
func addLegacyDNSControllerPermissions(b *PolicyBuilder, p *Policy) {
// Legacy IAM permissions for node roles
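Review bot: The second Statement in addAWSLoadbalancerControllerPermissions grants the mutating action `elasticloadbalancing:CreateRule` on Resource `*` with no Condition, whereas the ec2 statement directly above it is deliberately scoped with `ec2:ResourceTag/elbv2.k8s.aws/cluster` to clusterName; as written, any process able to use the master role's credentials can add listener rules on every load balancer in the account, not just this cluster's. If the controller tags the listeners it manages with the same cluster tag, a matching resource-tag StringEquals condition on that statement would keep the write cluster-scoped and consistent with the first statement; this is worth confirming against the controller's own IAM reference rather than assumed. The new helper also lacks the doc comment its sibling addLegacyDNSControllerPermissions carries, and its name spells Loadbalancer differently from the AWSLoadBalancerController type it serves; `// addAWSLoadBalancerControllerPermissions adds the IAM permissions the AWS Load Balancer Controller needs, scoping security-group mutations to resources tagged with this cluster's name.` would document it in the file's style. The first hunk's addition sits inside NodeRoleMaster.BuildAWSPolicy, which starts outside the hunk.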
