feat(eks): alb-controller v2.4.1 (#19653)
Add [alb-controller v2.4.1](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.4.1).

 The content of `packages/@aws-cdk/aws-eks/lib/addons/alb-iam_policy-v2.4.1.json` comes from [here](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.1/docs/install/iam_policy.json).


----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
jeffb4 authored Mar 31, 2022
1 parent 99924af commit 1ec08df
Showing 9 changed files with 234 additions and 10 deletions.
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-eks/README.md
@@ -539,7 +539,7 @@ To deploy the controller on your EKS cluster, configure the `albController` prop
new eks.Cluster(this, 'HelloEKS', {
version: eks.KubernetesVersion.V1_21,
albController: {
version: eks.AlbControllerVersion.V2_3_1,
version: eks.AlbControllerVersion.V2_4_1,
},
});
```
@@ -1417,7 +1417,7 @@ Kubernetes [endpoint access](#endpoint-access), you must also specify:

## Logging

EKS supports cluster logging for 5 different types of events:
EKS supports cluster logging for 5 different types of events:

* API requests to the cluster.
* Cluster access via the Kubernetes API.
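--- a/packages/@aws-cdk/aws-eks/lib/addons/alb-iam_policy-v2.4.1.json
+++ b/packages/@aws-cdk/aws-eks/lib/addons/alb-iam_policy-v2.4.1.json
@@ -0,0 +1,219 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"iam:CreateServiceLinkedRole"
+],
+"Resource": "*",
+"Condition": {
+"StringEquals": {
+"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DescribeAccountAttributes",
+"ec2:DescribeAddresses",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeVpcs",
+"ec2:DescribeVpcPeeringConnections",
+"ec2:DescribeSubnets",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeInstances",
+"ec2:DescribeNetworkInterfaces",
+"ec2:DescribeTags",
+"ec2:GetCoipPoolUsage",
+"ec2:DescribeCoipPools",
+"elasticloadbalancing:DescribeLoadBalancers",
+"elasticloadbalancing:DescribeLoadBalancerAttributes",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeListenerCertificates",
+"elasticloadbalancing:DescribeSSLPolicies",
+"elasticloadbalancing:DescribeRules",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:DescribeTargetGroupAttributes",
+"elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:DescribeTags"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"cognito-idp:DescribeUserPoolClient",
+"acm:ListCertificates",
+"acm:DescribeCertificate",
+"iam:ListServerCertificates",
+"iam:GetServerCertificate",
+"waf-regional:GetWebACL",
+"waf-regional:GetWebACLForResource",
+"waf-regional:AssociateWebACL",
+"waf-regional:DisassociateWebACL",
+"wafv2:GetWebACL",
+"wafv2:GetWebACLForResource",
+"wafv2:AssociateWebACL",
+"wafv2:DisassociateWebACL",
+"shield:GetSubscriptionState",
+"shield:DescribeProtection",
+"shield:CreateProtection",
+"shield:DeleteProtection"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateSecurityGroup"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"StringEquals": {
+"ec2:CreateAction": "CreateSecurityGroup"
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags",
+"ec2:DeleteTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:DeleteSecurityGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateLoadBalancer",
+"elasticloadbalancing:CreateTargetGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateListener",
+"elasticloadbalancing:DeleteListener",
+"elasticloadbalancing:CreateRule",
+"elasticloadbalancing:DeleteRule"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:ModifyLoadBalancerAttributes",
+"elasticloadbalancing:SetIpAddressType",
+"elasticloadbalancing:SetSecurityGroups",
+"elasticloadbalancing:SetSubnets",
+"elasticloadbalancing:DeleteLoadBalancer",
+"elasticloadbalancing:ModifyTargetGroup",
+"elasticloadbalancing:ModifyTargetGroupAttributes",
+"elasticloadbalancing:DeleteTargetGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:DeregisterTargets"
+],
+"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:SetWebAcl",
+"elasticloadbalancing:ModifyListener",
+"elasticloadbalancing:AddListenerCertificates",
+"elasticloadbalancing:RemoveListenerCertificates",
+"elasticloadbalancing:ModifyRule"
+],
+"Resource": "*"
+}
+]
+}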
7 changes: 6 additions & 1 deletion packages/@aws-cdk/aws-eks/lib/alb-controller.ts
@@ -82,6 +82,11 @@ export class AlbControllerVersion {
*/
public static readonly V2_3_1 = new AlbControllerVersion('v2.3.1', false);

/**
* v2.4.1
*/
public static readonly V2_4_1 = new AlbControllerVersion('v2.4.1', false);

/**
* Specify a custom version.
* Use this if the version you need is not available in one of the predefined versions.
@@ -101,7 +106,7 @@ export class AlbControllerVersion {
/**
* Whether or not its a custom version.
*/
public readonly custom: boolean) {}
public readonly custom: boolean) { }
}

/**
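Review bot: The doc comment on `V2_4_1` only repeats the version string, so nothing at the declaration tells a reader that choosing this constant also changes the IAM permissions the controller receives. This commit adds `lib/addons/alb-iam_policy-v2.4.1.json` alongside the constant, and the policy is presumably selected by the version string; that lookup is outside the hunks shown, so confirm it. I would extend the comment to `* v2.4.1 (IAM policy: lib/addons/alb-iam_policy-v2.4.1.json)` so permission differences between versions are easy to locate and diff during review. The `{}` to `{ }` edit on the constructor is whitespace only and unrelated to the feature; the class itself begins outside both hunks.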
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-eks/test/alb-controller.test.ts
@@ -36,7 +36,7 @@ test('can configure a custom repository', () => {

AlbController.create(stack, {
cluster,
version: AlbControllerVersion.V2_3_1,
version: AlbControllerVersion.V2_4_1,
repository: 'custom',
});

@@ -53,7 +53,7 @@ test('can configure a custom repository', () => {
{
Ref: 'ClusterDefaultVpcFA9F2722',
},
'","image":{"repository":"custom","tag":"v2.3.1"}}',
'","image":{"repository":"custom","tag":"v2.4.1"}}',
],
],
},
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-eks/test/cluster.test.ts
@@ -27,7 +27,7 @@ describe('cluster', () => {
const cluster = new eks.Cluster(stack, 'Cluster', {
version: CLUSTER_VERSION,
albController: {
version: eks.AlbControllerVersion.V2_3_1,
version: eks.AlbControllerVersion.V2_4_1,
},
});

@@ -1615,7 +1615,7 @@
{
"Ref": "Vpc8378EB38"
},
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.1\"}}"
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.4.1\"}}"
]
]
},
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-eks/test/integ.alb-controller.ts
@@ -19,7 +19,7 @@ class EksClusterAlbControllerStack extends TestStack {
vpc,
version: eks.KubernetesVersion.V1_21,
albController: {
version: eks.AlbControllerVersion.V2_3_1,
version: eks.AlbControllerVersion.V2_4_1,
},
});

@@ -1980,7 +1980,7 @@
{
"Ref": "Vpc8378EB38"
},
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.1\"}}"
"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.4.1\"}}"
]
]
},
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-eks/test/integ.eks-inference.ts
@@ -16,7 +16,7 @@ class EksClusterInferenceStack extends TestStack {
vpc,
version: eks.KubernetesVersion.V1_21,
albController: {
version: eks.AlbControllerVersion.V2_3_1,
version: eks.AlbControllerVersion.V2_4_1,
},
});
