Add defaulting webhooks for core apis

aws · Oct 3, 2023 · 73bbc0b · 73bbc0b
1 parent 14ee7fe
commit 73bbc0b
Show file tree

Hide file tree

Showing 9 changed files with 154 additions and 37 deletions.
diff --git a/charts/karpenter/templates/aggregate-clusterrole.yaml b/charts/karpenter/templates/aggregate-clusterrole.yaml
@@ -19,6 +19,6 @@ rules:
   - apiGroups: ["karpenter.k8s.aws"]
     resources: ["awsnodetemplates"]
     verbs: ["get", "list", "watch", "create", "delete", "patch"]
-  - apiGroups: ["compute.k8s.aws"]
-    resources: ["nodeclasses"]
+  - apiGroups: ["karpenter.k8s.aws"]
+    resources: ["ec2nodeclasses"]
     verbs: ["get", "list", "watch", "create", "delete", "patch"]
diff --git a/charts/karpenter/templates/webhooks-core.yaml b/charts/karpenter/templates/webhooks-core.yaml
@@ -24,12 +24,36 @@ webhooks:
           - karpenter.sh
         apiVersions:
           - v1alpha5
+        operations:
+          - CREATE
+          - UPDATE
         resources:
           - provisioners
           - provisioners/status
+        scope: '*'
+      - apiGroups:
+          - karpenter.sh
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        resources:
+          - nodeclaims
+          - nodeclaims/status
+        scope: '*'
+      - apiGroups:
+          - karpenter.sh
+        apiVersions:
+          - v1beta1
         operations:
           - CREATE
           - UPDATE
+        resources:
+          - nodepools
+          - nodepools/status
+        scope: '*'
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration

diff --git a/charts/karpenter/templates/webhooks.yaml b/charts/karpenter/templates/webhooks.yaml
@@ -20,6 +20,17 @@ webhooks:
     failurePolicy: Fail
     sideEffects: None
     rules:
+      - apiGroups:
+          - karpenter.k8s.aws
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - ec2nodeclasses
+          - ec2nodeclasses/status
+        scope: '*'
       - apiGroups:
           - karpenter.k8s.aws
         apiVersions:
@@ -35,12 +46,13 @@ webhooks:
           - karpenter.sh
         apiVersions:
           - v1alpha5
-        resources:
-          - provisioners
-          - provisioners/status
         operations:
           - CREATE
           - UPDATE
+        resources:
+          - provisioners
+          - provisioners/status
+        scope: '*'
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -63,6 +75,17 @@ webhooks:
     failurePolicy: Fail
     sideEffects: None
     rules:
+      - apiGroups:
+          - karpenter.k8s.aws
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - nodeclasses
+          - nodeclasses/status
+        scope: '*'
       - apiGroups:
           - karpenter.k8s.aws
         apiVersions:
@@ -78,10 +101,34 @@ webhooks:
           - karpenter.sh
         apiVersions:
           - v1alpha5
+        operations:
+          - CREATE
+          - UPDATE
         resources:
-          - provisioners
-          - provisioners/status
+          - nodepools
+          - nodepools/status
+        scope: '*'
+      - apiGroups:
+          - karpenter.sh
+        apiVersions:
+          - v1beta1
         operations:
           - CREATE
           - UPDATE
+          - DELETE
+        resources:
+          - nodeclaims
+          - nodeclaims/status
+        scope: '*'
+      - apiGroups:
+          - karpenter.sh
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - nodepools
+          - nodepools/status
+        scope: '*'
 {{- end }}
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -65,6 +65,7 @@ func main() {
 			op.SubnetProvider,
 			op.SecurityGroupProvider,
 			op.InstanceProfileProvider,
+			op.InstanceProvider,
 			op.PricingProvider,
 			op.AMIProvider,
 		)...).

diff --git a/designs/v1beta1-api.md b/designs/v1beta1-api.md
@@ -153,11 +153,11 @@ spec:
       owner: amazon
   subnetSelectorTerms:
     - tags:
-        compute.k8s.aws/discovery: cluster-name
+        karpenter.sh/discovery: cluster-name
     - id: subnet-1234
   securityGroupSelectorTerms:
     - tags:
-        compute.k8s.aws/discovery: cluster-name
+        karpenter.sh/discovery: cluster-name
     - name: default-security-group
   role: karpenter-node-role
   userData: |
@@ -253,7 +253,7 @@ spec:
   nodeClass:
     name: default
     kind: EC2NodeClass
-    apiVersion: compute.k8s.aws/v1beta1
+    apiVersion: karpenter.k8s.aws/v1beta1
   taints:
     - key: example.com/special-taint
       effect: NoSchedule

diff --git a/pkg/apis/v1beta1/labels.go b/pkg/apis/v1beta1/labels.go
@@ -18,7 +18,6 @@ import (
 	"fmt"
 	"regexp"
 
-	"github.com/aws/aws-sdk-go/service/ec2"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 
@@ -56,8 +55,6 @@ const (
 )
 
 var (
-	CapacityTypeSpot       = ec2.DefaultTargetCapacityTypeSpot
-	CapacityTypeOnDemand   = ec2.DefaultTargetCapacityTypeOnDemand
 	AWSToKubeArchitectures = map[string]string{
 		"x86_64":                  v1beta1.ArchitectureAmd64,
 		v1beta1.ArchitectureArm64: v1beta1.ArchitectureArm64,
@@ -78,20 +75,12 @@ var (
 		regexp.MustCompile(fmt.Sprintf("^%s$", regexp.QuoteMeta(v1beta1.NodePoolLabelKey))),
 		regexp.MustCompile(fmt.Sprintf("^%s$", regexp.QuoteMeta(v1beta1.ManagedByAnnotationKey))),
 	}
-	AMIFamilyBottlerocket = "Bottlerocket"
-	AMIFamilyAL2          = "AL2"
-	AMIFamilyUbuntu       = "Ubuntu"
-	AMIFamilyWindows2019  = "Windows2019"
-	AMIFamilyWindows2022  = "Windows2022"
-	AMIFamilyCustom       = "Custom"
-	SupportedAMIFamilies  = []string{
-		AMIFamilyBottlerocket,
-		AMIFamilyAL2,
-		AMIFamilyUbuntu,
-		AMIFamilyWindows2019,
-		AMIFamilyWindows2022,
-		AMIFamilyCustom,
-	}
+	AMIFamilyBottlerocket                      = "Bottlerocket"
+	AMIFamilyAL2                               = "AL2"
+	AMIFamilyUbuntu                            = "Ubuntu"
+	AMIFamilyWindows2019                       = "Windows2019"
+	AMIFamilyWindows2022                       = "Windows2022"
+	AMIFamilyCustom                            = "Custom"
 	Windows2019                                = "2019"
 	Windows2022                                = "2022"
 	WindowsCore                                = "Core"

diff --git a/pkg/controllers/controllers.go b/pkg/controllers/controllers.go
@@ -30,8 +30,10 @@ import (
 	"github.com/aws/karpenter/pkg/controllers/interruption"
 	nodeclaimgarbagecollection "github.com/aws/karpenter/pkg/controllers/nodeclaim/garbagecollection"
 	nodeclaimlink "github.com/aws/karpenter/pkg/controllers/nodeclaim/link"
+	nodeclaimtagging "github.com/aws/karpenter/pkg/controllers/nodeclaim/tagging"
 	"github.com/aws/karpenter/pkg/controllers/nodeclass"
 	"github.com/aws/karpenter/pkg/providers/amifamily"
+	"github.com/aws/karpenter/pkg/providers/instance"
 	"github.com/aws/karpenter/pkg/providers/instanceprofile"
 	"github.com/aws/karpenter/pkg/providers/pricing"
 	"github.com/aws/karpenter/pkg/providers/securitygroup"
@@ -43,8 +45,8 @@ import (
 
 func NewControllers(ctx context.Context, sess *session.Session, clk clock.Clock, kubeClient client.Client, recorder events.Recorder,
 	unavailableOfferings *cache.UnavailableOfferings, cloudProvider *cloudprovider.CloudProvider, subnetProvider *subnet.Provider,
-	securityGroupProvider *securitygroup.Provider, instanceProfileProvider *instanceprofile.Provider, pricingProvider *pricing.Provider,
-	amiProvider *amifamily.Provider) []controller.Controller {
+	securityGroupProvider *securitygroup.Provider, instanceProfileProvider *instanceprofile.Provider, instanceProvider *instance.Provider,
+	pricingProvider *pricing.Provider, amiProvider *amifamily.Provider) []controller.Controller {
 
 	logging.FromContext(ctx).With("version", project.Version).Debugf("discovered version")
 
@@ -54,6 +56,7 @@ func NewControllers(ctx context.Context, sess *session.Session, clk clock.Clock,
 		nodeclass.NewNodeClassController(kubeClient, recorder, subnetProvider, securityGroupProvider, amiProvider, instanceProfileProvider),
 		linkController,
 		nodeclaimgarbagecollection.NewController(kubeClient, cloudProvider, linkController),
+		nodeclaimtagging.NewController(kubeClient, instanceProvider),
 	}
 	if settings.FromContext(ctx).InterruptionQueueName != "" {
 		controllers = append(controllers, interruption.NewController(kubeClient, clk, recorder, interruption.NewSQSProvider(sqs.New(sess)), unavailableOfferings))

diff --git a/pkg/webhooks/webhooks.go b/pkg/webhooks/webhooks.go
@@ -28,6 +28,7 @@ import (
 	corev1alpha5 "github.com/aws/karpenter-core/pkg/apis/v1alpha5"
 	"github.com/aws/karpenter/pkg/apis/v1alpha1"
 	"github.com/aws/karpenter/pkg/apis/v1alpha5"
+	"github.com/aws/karpenter/pkg/apis/v1beta1"
 )
 
 func NewWebhooks() []knativeinjection.ControllerConstructor {
@@ -60,4 +61,5 @@ func NewCRDValidationWebhook(ctx context.Context, _ configmap.Watcher) *controll
 var Resources = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
 	v1alpha1.SchemeGroupVersion.WithKind("AWSNodeTemplate"): &v1alpha1.AWSNodeTemplate{},
 	corev1alpha5.SchemeGroupVersion.WithKind("Provisioner"): &v1alpha5.Provisioner{},
+	v1beta1.SchemeGroupVersion.WithKind("EC2NodeClass"):     &v1beta1.EC2NodeClass{},
 }
diff --git a/...ite/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml b/...ite/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -77,7 +77,7 @@ Resources:
                   "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"
                 },
                 "StringLike": {
-                  "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+                  "aws:RequestTag/karpenter.sh/nodepool": "*"
                 }
               }
             },
@@ -102,27 +102,26 @@ Resources:
                   ]
                 },
                 "StringLike": {
-                  "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+                  "aws:RequestTag/karpenter.sh/nodepool": "*"
                 }
               }
             },
             {
-              "Sid": "AllowMachineMigrationTagging",
+              "Sid": "AllowScopedResourceTagging",
               "Effect": "Allow",
               "Resource": "arn:${AWS::Partition}:ec2:${AWS::Region}:*:instance/*",
               "Action": "ec2:CreateTags",
               "Condition": {
                 "StringEquals": {
                   "aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned",
-                  "aws:RequestTag/karpenter.sh/managed-by": "${ClusterName}"
                 },
                 "StringLike": {
-                  "aws:RequestTag/karpenter.sh/provisioner-name": "*"
+                  "aws:ResourceTag/karpenter.sh/nodepool": "*"
                 },
                 "ForAllValues:StringEquals": {
                   "aws:TagKeys": [
-                    "karpenter.sh/provisioner-name",
-                    "karpenter.sh/managed-by"
+                    "karpenter.k8s.aws/nodeclaim",
+                    "Name"
                   ]
                 }
               }
@@ -143,7 +142,7 @@ Resources:
                   "aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned"
                 },
                 "StringLike": {
-                  "aws:ResourceTag/karpenter.sh/provisioner-name": "*"
+                  "aws:ResourceTag/karpenter.sh/nodepool": "*"
                 }
               }
             },
@@ -202,6 +201,58 @@ Resources:
                 }
               }
             },
+            {
+              "Sid": "AllowScopedInstanceProfileCreationActions",
+              "Effect": "Allow",
+              "Resource": "*",
+              "Action": [
+                "iam:CreateInstanceProfile"
+              ],
+              "Condition": {
+                "StringEquals": {
+                  "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned",
+                  "aws:RequestTag/topology.kubernetes.io/region": "${AWS::Region}"
+                }
+              }
+            },
+            {
+              "Sid": "AllowScopedInstanceProfileTagActions",
+              "Effect": "Allow",
+              "Resource": "*",
+              "Action": [
+                "iam:TagInstanceProfile"
+              ],
+              "Condition": {
+                "StringEquals": {
+                  "aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned",
+                  "aws:ResourceTag/topology.kubernetes.io/region": "${AWS::Region}",
+                  "aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned",
+                  "aws:RequestTag/topology.kubernetes.io/region": "${AWS::Region}"
+                }
+              }
+            },
+            {
+              "Sid": "AllowScopedInstanceProfileActions",
+              "Effect": "Allow",
+              "Resource": "*",
+              "Action": [
+                "iam:AddRoleToInstanceProfile",
+                "iam:RemoveRoleFromInstanceProfile",
+                "iam:DeleteInstanceProfile"
+              ],
+              "Condition": {
+                "StringEquals": {
+                  "aws:ResourceTag/kubernetes.io/cluster/${ClusterName}": "owned",
+                  "aws:ResourceTag/topology.kubernetes.io/region": "${AWS::Region}"
+                }
+              }
+            },
+            {
+              "Sid": "AllowInstanceProfileReadActions",
+              "Effect": "Allow",
+              "Resource": "*",
+              "Action": "iam:GetInstanceProfile"
+            },
             {
               "Sid": "AllowAPIServerEndpointDiscovery",
               "Effect": "Allow",