feat: Add support for Pod Identity assocation on Karpenter sub-module (#3031)

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
2026-03-25 19:01:04 +01:00 · 2024-05-09 13:57:57 +02:00
parent f3299cc63d
commit cfcaf27ac7
6 changed files with 127 additions and 63 deletions
--- a/examples/karpenter/main.tf
+++ b/examples/karpenter/main.tf
@@ -41,9 +41,8 @@ data "aws_ecrpublic_authorization_token" "token" {
 }

 locals {
-  name            = "ex-${replace(basename(path.cwd), "_", "-")}"
-  cluster_version = "1.29"
-  region          = "eu-west-1"
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"

  vpc_cidr = "10.0.0.0/16"
  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
@@ -62,62 +61,42 @@ locals {
 module "eks" {
  source = "../.."

-  cluster_name                   = local.name
-  cluster_version                = local.cluster_version
-  cluster_endpoint_public_access = true
+  cluster_name    = local.name
+  cluster_version = "1.29"

  # Gives Terraform identity admin access to cluster which will
  # allow deploying resources (Karpenter) into the cluster
  enable_cluster_creator_admin_permissions = true
+  cluster_endpoint_public_access           = true

  cluster_addons = {
-    coredns = {
-      configuration_values = jsonencode({
-        computeType = "Fargate"
-        # Ensure that we fully utilize the minimum amount of resources that are supplied by
-        # Fargate https://docs.aws.amazon.com/eks/latest/userguide/fargate-pod-configuration.html
-        # Fargate adds 256 MB to each pod's memory reservation for the required Kubernetes
-        # components (kubelet, kube-proxy, and containerd). Fargate rounds up to the following
-        # compute configuration that most closely matches the sum of vCPU and memory requests in
-        # order to ensure pods always have the resources that they need to run.
-        resources = {
-          limits = {
-            cpu = "0.25"
-            # We are targeting the smallest Task size of 512Mb, so we subtract 256Mb from the
-            # request/limit to ensure we can fit within that task
-            memory = "256M"
-          }
-          requests = {
-            cpu = "0.25"
-            # We are targeting the smallest Task size of 512Mb, so we subtract 256Mb from the
-            # request/limit to ensure we can fit within that task
-            memory = "256M"
-          }
-        }
-      })
-    }
-    kube-proxy = {}
-    vpc-cni    = {}
+    coredns                = {}
+    eks-pod-identity-agent = {}
+    kube-proxy             = {}
+    vpc-cni                = {}
  }

  vpc_id                   = module.vpc.vpc_id
  subnet_ids               = module.vpc.private_subnets
  control_plane_subnet_ids = module.vpc.intra_subnets

-  # Fargate profiles use the cluster primary security group so these are not utilized
-  create_cluster_security_group = false
-  create_node_security_group    = false
-
-  fargate_profiles = {
+  eks_managed_node_groups = {
    karpenter = {
-      selectors = [
-        { namespace = "karpenter" }
-      ]
-    }
-    kube-system = {
-      selectors = [
-        { namespace = "kube-system" }
-      ]
+      instance_types = ["m5.large"]
+
+      min_size     = 2
+      max_size     = 3
+      desired_size = 2
+
+      taints = {
+        # This Taint aims to keep just EKS Addons and Karpenter running on this MNG
+        # The pods that do not tolerate this taint should run on nodes created by Karpenter
+        addons = {
+          key    = "CriticalAddonsOnly"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        },
+      }
    }
  }

@@ -138,9 +117,8 @@ module "karpenter" {

  cluster_name = module.eks.cluster_name

-  # EKS Fargate currently does not support Pod Identity
-  enable_irsa            = true
-  irsa_oidc_provider_arn = module.eks.oidc_provider_arn
+  enable_pod_identity             = true
+  create_pod_identity_association = true

  # Used to attach additional IAM policies to the Karpenter node IAM role
  node_iam_role_additional_policies = {
@@ -162,14 +140,13 @@ module "karpenter_disabled" {
 ################################################################################

 resource "helm_release" "karpenter" {
-  namespace           = "karpenter"
-  create_namespace    = true
+  namespace           = "kube-system"
  name                = "karpenter"
  repository          = "oci://public.ecr.aws/karpenter"
  repository_username = data.aws_ecrpublic_authorization_token.token.user_name
  repository_password = data.aws_ecrpublic_authorization_token.token.password
  chart               = "karpenter"
-  version             = "0.35.1"
+  version             = "0.36.1"
  wait                = false

  values = [
@@ -178,14 +155,6 @@ resource "helm_release" "karpenter" {
      clusterName: ${module.eks.cluster_name}
      clusterEndpoint: ${module.eks.cluster_endpoint}
      interruptionQueue: ${module.karpenter.queue_name}
-    serviceAccount:
-      annotations:
-        eks.amazonaws.com/role-arn: ${module.karpenter.iam_role_arn}
-    tolerations:
-      - key: 'eks.amazonaws.com/compute-type'
-        operator: Equal
-        value: fargate
-        effect: "NoSchedule"
    EOT
  ]
 }