From 29dcca335d80e248c57b8efa2c36aaef2e1b1bd2 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Mon, 11 Mar 2024 11:02:59 -0400 Subject: [PATCH] fix: Ensure a default `ip_family` value is provided to guarantee a CNI policy is attached to nodes (#2967) --- README.md | 2 +- examples/eks_managed_node_group/main.tf | 2 +- examples/karpenter/main.tf | 5 +++++ modules/eks-managed-node-group/README.md | 2 +- modules/eks-managed-node-group/variables.tf | 2 +- modules/fargate-profile/README.md | 2 +- modules/fargate-profile/variables.tf | 2 +- modules/karpenter/README.md | 2 +- modules/karpenter/variables.tf | 2 +- modules/self-managed-node-group/README.md | 2 +- modules/self-managed-node-group/main.tf | 2 +- modules/self-managed-node-group/variables.tf | 2 +- variables.tf | 2 +- 13 files changed, 17 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index a3fbd76..a640a1a 100644 --- a/README.md +++ b/README.md @@ -267,7 +267,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `false` | no | | [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [cluster\_identity\_providers](#input\_cluster\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | `any` | `{}` | no | -| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created | `string` | `null` | no | +| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created | `string` | `"ipv4"` | no | | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no | | [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source | `any` | `{}` | no | | [cluster\_security\_group\_description](#input\_cluster\_security\_group\_description) | Description of the cluster security group created | `string` | `"EKS cluster security group"` | no | diff --git a/examples/eks_managed_node_group/main.tf b/examples/eks_managed_node_group/main.tf index e31d2b2..e62b7a2 100644 --- a/examples/eks_managed_node_group/main.tf +++ b/examples/eks_managed_node_group/main.tf @@ -364,7 +364,7 @@ module "eks_managed_node_group" { subnet_ids = module.vpc.private_subnets cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id vpc_security_group_ids = [ - module.eks.cluster_security_group_id, + module.eks.node_security_group_id, ] ami_type = "BOTTLEROCKET_x86_64" 
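Review bot: The security group swap in this hunk — `module.eks.cluster_security_group_id` → `module.eks.node_security_group_id` inside `vpc_security_group_ids` — is not mentioned in the commit message, which only describes the `ip_family` default, and the example carries no comment saying why the node security group is the right one to attach. From the output names it looks like the node SG is the one the module's node-to-node and control-plane rules are written against, whereas the cluster SG is meant for the control plane, so attaching the cluster SG to a node would give it the cluster side's rules; if that is the intent, a one-line comment such as `# Use the node security group so the node gets only the node-side rules, not the cluster's` would keep the example self-explaining. The enclosing `module "eks_managed_node_group"` block starts before and ends after the hunk.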
diff --git a/examples/karpenter/main.tf b/examples/karpenter/main.tf index bd1540b..e48f04a 100644 --- a/examples/karpenter/main.tf +++ b/examples/karpenter/main.tf @@ -181,6 +181,11 @@ resource "helm_release" "karpenter" { serviceAccount: annotations: eks.amazonaws.com/role-arn: ${module.karpenter.iam_role_arn} + tolerations: + - key: 'eks.amazonaws.com/compute-type' + operator: Equal + value: fargate + effect: "NoSchedule" EOT ] } diff --git a/modules/eks-managed-node-group/README.md b/modules/eks-managed-node-group/README.md index a0ca56e..856b014 100644 --- a/modules/eks-managed-node-group/README.md +++ b/modules/eks-managed-node-group/README.md 
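Review bot: The new toleration block mixes three quoting styles in five YAML lines — `key: 'eks.amazonaws.com/compute-type'` single-quoted, `value: fargate` bare, `effect: "NoSchedule"` double-quoted — inside a heredoc that is only ever parsed as YAML, so one style should be used throughout (all bare or all double-quoted). The reason for the toleration is also not recorded in the example; presumably the chart's controller pods are meant to land on Fargate here, which is the taint EKS applies to Fargate nodes, and a Terraform comment above the `values` argument such as `# Karpenter runs on Fargate in this example, so its pods must tolerate the EKS Fargate taint` would save the next reader that inference. The enclosing `resource "helm_release" "karpenter"` block starts before the hunk.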
@@ -110,7 +110,7 @@ module "eks_managed_node_group" { | [capacity\_type](#input\_capacity\_type) | Type of capacity associated with the EKS Node Group. Valid values: `ON_DEMAND`, `SPOT` | `string` | `"ON_DEMAND"` | no | | [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of associated EKS cluster | `string` | `""` | no | | [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of associated EKS cluster | `string` | `""` | no | -| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `null` | no | +| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `"ipv4"` | no | | [cluster\_name](#input\_cluster\_name) | Name of associated EKS cluster | `string` | `null` | no | | [cluster\_primary\_security\_group\_id](#input\_cluster\_primary\_security\_group\_id) | The ID of the EKS cluster primary security group to associate with the instance(s). This is the security group that is automatically created by the EKS service | `string` | `null` | no | | [cluster\_service\_cidr](#input\_cluster\_service\_cidr) | The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself | `string` | `""` | no | diff --git a/modules/eks-managed-node-group/variables.tf b/modules/eks-managed-node-group/variables.tf index 101e20b..e0f8812 100644 --- a/modules/eks-managed-node-group/variables.tf +++ b/modules/eks-managed-node-group/variables.tf @@ -445,7 +445,7 @@ variable "create_iam_role" { variable "cluster_ip_family" { description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`" type = string - default = null + default = "ipv4" } variable "iam_role_arn" { 
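Review bot: Changing `default = null` to `default = "ipv4"` closes the unset case, but `variable "cluster_ip_family"` still accepts any string and still accepts an explicit `null` from a caller, so a typo such as `"IPv4"` or a parent module passing `null` through would presumably end up in the same no-CNI-policy situation this commit is fixing (the selection expression is outside the hunk, so this is inferred from the commit title). Adding `nullable = false` so an explicit null falls back to the default, plus a `validation` block restricting the value to `ipv4`/`ipv6`, fails the plan at the variable instead of silently at the IAM attachment. The same applies to the identical hunks in `modules/fargate-profile/variables.tf`, `modules/karpenter/variables.tf`, `modules/self-managed-node-group/variables.tf` and the root `variables.tf`. The enclosing `variable "cluster_ip_family"` block is fully inside the hunk; the following `variable "iam_role_arn"` block continues outside it.
```hcl
variable "cluster_ip_family" {
  # … unchanged: description, type …
  default  = "ipv4"
  nullable = false

  validation {
    condition     = contains(["ipv4", "ipv6"], var.cluster_ip_family)
    error_message = "`cluster_ip_family` must be either `ipv4` or `ipv6`."
  }
}
```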
diff --git a/modules/fargate-profile/README.md b/modules/fargate-profile/README.md index fb4e44a..5c2c882 100644 --- a/modules/fargate-profile/README.md +++ b/modules/fargate-profile/README.md @@ -57,7 +57,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `null` | no | +| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `"ipv4"` | no | | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `null` | no | | [create](#input\_create) | Determines whether to create Fargate profile or not | `bool` | `true` | no | | [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no | diff --git a/modules/fargate-profile/variables.tf b/modules/fargate-profile/variables.tf index e22279d..75816b0 100644 --- a/modules/fargate-profile/variables.tf +++ b/modules/fargate-profile/variables.tf @@ -23,7 +23,7 @@ variable "create_iam_role" { variable "cluster_ip_family" { description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`" type = string - default = null + default = "ipv4" } variable "iam_role_arn" { diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md index 5faac77..9d78640 100644 --- a/modules/karpenter/README.md +++ b/modules/karpenter/README.md 
@@ -128,7 +128,7 @@ No modules. |------|-------------|------|---------|:--------:| | [access\_entry\_type](#input\_access\_entry\_type) | Type of the access entry. `EC2_LINUX`, `FARGATE_LINUX`, or `EC2_WINDOWS`; defaults to `EC2_LINUX` | `string` | `"EC2_LINUX"` | no | | [ami\_id\_ssm\_parameter\_arns](#input\_ami\_id\_ssm\_parameter\_arns) | List of SSM Parameter ARNs that Karpenter controller is allowed read access (for retrieving AMI IDs) | `list(string)` | `[]` | no | -| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. Note: If `ipv6` is specified, the `AmazonEKS_CNI_IPv6_Policy` must exist in the account. This policy is created by the EKS module with `create_cni_ipv6_iam_policy = true` | `string` | `null` | no | +| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. Note: If `ipv6` is specified, the `AmazonEKS_CNI_IPv6_Policy` must exist in the account. This policy is created by the EKS module with `create_cni_ipv6_iam_policy = true` | `string` | `"ipv4"` | no | | [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster | `string` | `""` | no | | [create](#input\_create) | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no | | [create\_access\_entry](#input\_create\_access\_entry) | Determines whether an access entry is created for the IAM role used by the node IAM role | `bool` | `true` | no | diff --git a/modules/karpenter/variables.tf b/modules/karpenter/variables.tf index 8d6bfe7..fc79b1a 100644 --- a/modules/karpenter/variables.tf +++ b/modules/karpenter/variables.tf 
@@ -185,7 +185,7 @@ variable "create_node_iam_role" { variable "cluster_ip_family" { description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. Note: If `ipv6` is specified, the `AmazonEKS_CNI_IPv6_Policy` must exist in the account. This policy is created by the EKS module with `create_cni_ipv6_iam_policy = true`" type = string - default = null + default = "ipv4" } variable "node_iam_role_arn" { diff --git a/modules/self-managed-node-group/README.md b/modules/self-managed-node-group/README.md index be861a0..eb39752 100644 --- a/modules/self-managed-node-group/README.md +++ b/modules/self-managed-node-group/README.md 
@@ -91,7 +91,7 @@ module "self_managed_node_group" { | [capacity\_reservation\_specification](#input\_capacity\_reservation\_specification) | Targeting for EC2 capacity reservations | `any` | `{}` | no | | [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of associated EKS cluster | `string` | `""` | no | | [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of associated EKS cluster | `string` | `""` | no | -| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `null` | no | +| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `"ipv4"` | no | | [cluster\_name](#input\_cluster\_name) | Name of associated EKS cluster | `string` | `""` | no | | [cluster\_primary\_security\_group\_id](#input\_cluster\_primary\_security\_group\_id) | The ID of the EKS cluster primary security group to associate with the instance(s). This is the security group that is automatically created by the EKS service | `string` | `null` | no | | [cluster\_service\_cidr](#input\_cluster\_service\_cidr) | The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself | `string` | `""` | no | diff --git a/modules/self-managed-node-group/main.tf b/modules/self-managed-node-group/main.tf index 9bd1f6a..c7e5ea6 100644 --- a/modules/self-managed-node-group/main.tf +++ b/modules/self-managed-node-group/main.tf 
@@ -41,7 +41,7 @@ module "user_data" { ################################################################################ data "aws_ec2_instance_type" "this" { - count = var.enable_efa_support && local.instance_type_provided ? 1 : 0 + count = var.create && var.enable_efa_support && local.instance_type_provided ? 1 : 0 instance_type = var.instance_type } diff --git a/modules/self-managed-node-group/variables.tf b/modules/self-managed-node-group/variables.tf index 0449678..7c93702 100644 --- a/modules/self-managed-node-group/variables.tf +++ b/modules/self-managed-node-group/variables.tf @@ -549,7 +549,7 @@ variable "create_iam_instance_profile" { variable "cluster_ip_family" { description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`" type = string - default = null + default = "ipv4" } variable "iam_instance_profile_arn" { diff --git a/variables.tf b/variables.tf index fff8895..639110a 100644 --- a/variables.tf +++ b/variables.tf @@ -83,7 +83,7 @@ variable "cluster_endpoint_public_access_cidrs" { variable "cluster_ip_family" { description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created" type = string - default = null + default = "ipv4" } variable "cluster_service_ipv4_cidr" {