From 3cb8fa3d87aa7c57ed5a0f24e95747dfd62a4715 Mon Sep 17 00:00:00 2001 From: Brannon Dorsey Date: Sat, 7 Nov 2020 08:28:52 -0500 Subject: [PATCH] docs: Fix IRSA example when deploying cluster-autoscaler from the latest kubernetes/autoscaler helm repo (#1090) --- docs/spot-instances.md | 2 +- examples/irsa/README.md | 12 ++++++------ examples/irsa/cluster-autoscaler-chart-values.yaml | 3 +++ examples/irsa/locals.tf | 2 +- 4 files changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/spot-instances.md b/docs/spot-instances.md index 442c228..f140fe5 100644 --- a/docs/spot-instances.md +++ b/docs/spot-instances.md @@ -8,7 +8,7 @@ You need to install a daemonset to catch the 2 minute warning before termination helm install stable/k8s-spot-termination-handler --namespace kube-system ``` -In the following examples at least 1 worker group that uses on-demand instances is included. This worker group has an added node label that can be used in scheduling. This could be used to schedule any workload not suitable for spot instances but is important for the [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler) as it might be end up unscheduled when spot instances are terminated. You can add this to the values of the [cluster-autoscaler helm chart](https://github.com/helm/charts/tree/master/stable/cluster-autoscaler): +In the following examples at least 1 worker group that uses on-demand instances is included. This worker group has an added node label that can be used in scheduling. This could be used to schedule any workload not suitable for spot instances but is important for the [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler) as it might be end up unscheduled when spot instances are terminated. You can add this to the values of the [cluster-autoscaler helm chart](https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler-chart): ```yaml nodeSelector: diff --git a/examples/irsa/README.md b/examples/irsa/README.md index fd30ad3..3cbe5e6 100644 --- a/examples/irsa/README.md +++ b/examples/irsa/README.md @@ -1,6 +1,6 @@ # IAM Roles for Service Accounts -This example shows how to create an IAM role to be used for a Kubernetes `ServiceAccount`. It will create a policy and role to be used by the [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler) using the [public Helm chart](https://github.com/helm/charts/tree/master/stable/cluster-autoscaler). +This example shows how to create an IAM role to be used for a Kubernetes `ServiceAccount`. It will create a policy and role to be used by the [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler) using the [public Helm chart](https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler-chart). The AWS documentation for IRSA is here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html @@ -38,15 +38,15 @@ $ helm install cluster-autoscaler --namespace kube-system autoscaler/cluster-aut Ensure the cluster-autoscaler pod is running: ``` -$ kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler" -NAME READY STATUS RESTARTS AGE -cluster-autoscaler-aws-cluster-autoscaler-5545d4b97-9ztpm 1/1 Running 0 3m +$ kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler-chart" +NAME READY STATUS RESTARTS AGE +cluster-autoscaler-aws-cluster-autoscaler-chart-5545d4b97-9ztpm 1/1 Running 0 3m ``` Observe the `AWS_*` environment variables that were added to the pod automatically by EKS: ``` -kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler" -o yaml | grep -A3 AWS_ROLE_ARN +kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler-chart" -o yaml | grep -A3 AWS_ROLE_ARN - name: AWS_ROLE_ARN value: arn:aws:iam::xxxxxxxxx:role/cluster-autoscaler @@ -57,7 +57,7 @@ kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster- Verify it is working by checking the logs, you should see that it has discovered the autoscaling group successfully: ``` -kubectl --namespace=kube-system logs -l "app.kubernetes.io/name=aws-cluster-autoscaler" +kubectl --namespace=kube-system logs -l "app.kubernetes.io/name=aws-cluster-autoscaler-chart" I0128 14:59:00.901513 1 auto_scaling_groups.go:354] Regenerating instance to ASG map for ASGs: [test-eks-irsa-worker-group-12020012814125354700000000e] I0128 14:59:00.969875 1 auto_scaling_groups.go:138] Registering ASG test-eks-irsa-worker-group-12020012814125354700000000e diff --git a/examples/irsa/cluster-autoscaler-chart-values.yaml b/examples/irsa/cluster-autoscaler-chart-values.yaml index 03f411f..ccde436 100644 --- a/examples/irsa/cluster-autoscaler-chart-values.yaml +++ b/examples/irsa/cluster-autoscaler-chart-values.yaml @@ -3,7 +3,10 @@ awsRegion: us-west-2 rbac: create: true serviceAccount: + # This value should match local.k8s_service_account_name in locals.tf + name: cluster-autoscaler-aws-cluster-autoscaler-chart annotations: + # This value should match the ARN of the role created by module.iam_assumable_role_admin in irsa.tf eks.amazonaws.com/role-arn: "arn:aws:iam:::role/cluster-autoscaler" autoDiscovery: diff --git a/examples/irsa/locals.tf b/examples/irsa/locals.tf index 9cdc8af..a0e5da0 100644 --- a/examples/irsa/locals.tf +++ b/examples/irsa/locals.tf @@ -1,5 +1,5 @@ locals { cluster_name = "test-eks-irsa" k8s_service_account_namespace = "kube-system" - k8s_service_account_name = "cluster-autoscaler-aws-cluster-autoscaler" + k8s_service_account_name = "cluster-autoscaler-aws-cluster-autoscaler-chart" }