
Commit 1ec08df

authored
feat(eks): alb-controller v2.4.1 (#19653)
Add [alb-controller v2.4.1](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.4.1). The content of `packages/@aws-cdk/aws-eks/lib/addons/alb-iam_policy-v2.4.1.json` comes from [here](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.1/docs/install/iam_policy.json). ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 99924af commit 1ec08df

9 files changed

+234
-10
lines changed

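--- a/packages/@aws-cdk/aws-eks/README.md
+++ b/packages/@aws-cdk/aws-eks/README.md
@@ -539,7 +539,7 @@ To deploy the controller on your EKS cluster, configure the `albController` prop
 new eks.Cluster(this, 'HelloEKS', {
 version: eks.KubernetesVersion.V1_21,
 albController: {
-version: eks.AlbControllerVersion.V2_3_1,
+version: eks.AlbControllerVersion.V2_4_1,
 },
 });
 ```
@@ -1417,7 +1417,7 @@ Kubernetes [endpoint access](#endpoint-access), you must also specify:
 
 ## Logging
 
-EKS supports cluster logging for 5 different types of events:
+EKS supports cluster logging for 5 different types of events:
 
 * API requests to the cluster.
 * Cluster access via the Kubernetes API.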
@@ -0,0 +1,219 @@
1+
{
2+
"Version": "2012-10-17",
3+
"Statement": [
4+
{
5+
"Effect": "Allow",
6+
"Action": [
7+
"iam:CreateServiceLinkedRole"
8+
],
9+
"Resource": "*",
10+
"Condition": {
11+
"StringEquals": {
12+
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
13+
}
14+
}
15+
},
16+
{
17+
"Effect": "Allow",
18+
"Action": [
19+
"ec2:DescribeAccountAttributes",
20+
"ec2:DescribeAddresses",
21+
"ec2:DescribeAvailabilityZones",
22+
"ec2:DescribeInternetGateways",
23+
"ec2:DescribeVpcs",
24+
"ec2:DescribeVpcPeeringConnections",
25+
"ec2:DescribeSubnets",
26+
"ec2:DescribeSecurityGroups",
27+
"ec2:DescribeInstances",
28+
"ec2:DescribeNetworkInterfaces",
29+
"ec2:DescribeTags",
30+
"ec2:GetCoipPoolUsage",
31+
"ec2:DescribeCoipPools",
32+
"elasticloadbalancing:DescribeLoadBalancers",
33+
"elasticloadbalancing:DescribeLoadBalancerAttributes",
34+
"elasticloadbalancing:DescribeListeners",
35+
"elasticloadbalancing:DescribeListenerCertificates",
36+
"elasticloadbalancing:DescribeSSLPolicies",
37+
"elasticloadbalancing:DescribeRules",
38+
"elasticloadbalancing:DescribeTargetGroups",
39+
"elasticloadbalancing:DescribeTargetGroupAttributes",
40+
"elasticloadbalancing:DescribeTargetHealth",
41+
"elasticloadbalancing:DescribeTags"
42+
],
43+
"Resource": "*"
44+
},
45+
{
46+
"Effect": "Allow",
47+
"Action": [
48+
"cognito-idp:DescribeUserPoolClient",
49+
"acm:ListCertificates",
50+
"acm:DescribeCertificate",
51+
"iam:ListServerCertificates",
52+
"iam:GetServerCertificate",
53+
"waf-regional:GetWebACL",
54+
"waf-regional:GetWebACLForResource",
55+
"waf-regional:AssociateWebACL",
56+
"waf-regional:DisassociateWebACL",
57+
"wafv2:GetWebACL",
58+
"wafv2:GetWebACLForResource",
59+
"wafv2:AssociateWebACL",
60+
"wafv2:DisassociateWebACL",
61+
"shield:GetSubscriptionState",
62+
"shield:DescribeProtection",
63+
"shield:CreateProtection",
64+
"shield:DeleteProtection"
65+
],
66+
"Resource": "*"
67+
},
68+
{
69+
"Effect": "Allow",
70+
"Action": [
71+
"ec2:AuthorizeSecurityGroupIngress",
72+
"ec2:RevokeSecurityGroupIngress"
73+
],
74+
"Resource": "*"
75+
},
76+
{
77+
"Effect": "Allow",
78+
"Action": [
79+
"ec2:CreateSecurityGroup"
80+
],
81+
"Resource": "*"
82+
},
83+
{
84+
"Effect": "Allow",
85+
"Action": [
86+
"ec2:CreateTags"
87+
],
88+
"Resource": "arn:aws:ec2:*:*:security-group/*",
89+
"Condition": {
90+
"StringEquals": {
91+
"ec2:CreateAction": "CreateSecurityGroup"
92+
},
93+
"Null": {
94+
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
95+
}
96+
}
97+
},
98+
{
99+
"Effect": "Allow",
100+
"Action": [
101+
"ec2:CreateTags",
102+
"ec2:DeleteTags"
103+
],
104+
"Resource": "arn:aws:ec2:*:*:security-group/*",
105+
"Condition": {
106+
"Null": {
107+
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
108+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
109+
}
110+
}
111+
},
112+
{
113+
"Effect": "Allow",
114+
"Action": [
115+
"ec2:AuthorizeSecurityGroupIngress",
116+
"ec2:RevokeSecurityGroupIngress",
117+
"ec2:DeleteSecurityGroup"
118+
],
119+
"Resource": "*",
120+
"Condition": {
121+
"Null": {
122+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
123+
}
124+
}
125+
},
126+
{
127+
"Effect": "Allow",
128+
"Action": [
129+
"elasticloadbalancing:CreateLoadBalancer",
130+
"elasticloadbalancing:CreateTargetGroup"
131+
],
132+
"Resource": "*",
133+
"Condition": {
134+
"Null": {
135+
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
136+
}
137+
}
138+
},
139+
{
140+
"Effect": "Allow",
141+
"Action": [
142+
"elasticloadbalancing:CreateListener",
143+
"elasticloadbalancing:DeleteListener",
144+
"elasticloadbalancing:CreateRule",
145+
"elasticloadbalancing:DeleteRule"
146+
],
147+
"Resource": "*"
148+
},
149+
{
150+
"Effect": "Allow",
151+
"Action": [
152+
"elasticloadbalancing:AddTags",
153+
"elasticloadbalancing:RemoveTags"
154+
],
155+
"Resource": [
156+
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
157+
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
158+
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
159+
],
160+
"Condition": {
161+
"Null": {
162+
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
163+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
164+
}
165+
}
166+
},
167+
{
168+
"Effect": "Allow",
169+
"Action": [
170+
"elasticloadbalancing:AddTags",
171+
"elasticloadbalancing:RemoveTags"
172+
],
173+
"Resource": [
174+
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
175+
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
176+
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
177+
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
178+
]
179+
},
180+
{
181+
"Effect": "Allow",
182+
"Action": [
183+
"elasticloadbalancing:ModifyLoadBalancerAttributes",
184+
"elasticloadbalancing:SetIpAddressType",
185+
"elasticloadbalancing:SetSecurityGroups",
186+
"elasticloadbalancing:SetSubnets",
187+
"elasticloadbalancing:DeleteLoadBalancer",
188+
"elasticloadbalancing:ModifyTargetGroup",
189+
"elasticloadbalancing:ModifyTargetGroupAttributes",
190+
"elasticloadbalancing:DeleteTargetGroup"
191+
],
192+
"Resource": "*",
193+
"Condition": {
194+
"Null": {
195+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
196+
}
197+
}
198+
},
199+
{
200+
"Effect": "Allow",
201+
"Action": [
202+
"elasticloadbalancing:RegisterTargets",
203+
"elasticloadbalancing:DeregisterTargets"
204+
],
205+
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
206+
},
207+
{
208+
"Effect": "Allow",
209+
"Action": [
210+
"elasticloadbalancing:SetWebAcl",
211+
"elasticloadbalancing:ModifyListener",
212+
"elasticloadbalancing:AddListenerCertificates",
213+
"elasticloadbalancing:RemoveListenerCertificates",
214+
"elasticloadbalancing:ModifyRule"
215+
],
216+
"Resource": "*"
217+
}
218+
]
219+
}

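--- a/packages/@aws-cdk/aws-eks/lib/alb-controller.ts
+++ b/packages/@aws-cdk/aws-eks/lib/alb-controller.ts
@@ -82,6 +82,11 @@ export class AlbControllerVersion {
 */
 public static readonly V2_3_1 = new AlbControllerVersion('v2.3.1', false);
 
+/**
+* v2.4.1
+*/
+public static readonly V2_4_1 = new AlbControllerVersion('v2.4.1', false);
+
 /**
 * Specify a custom version.
 * Use this if the version you need is not available in one of the predefined versions.
@@ -101,7 +106,7 @@ export class AlbControllerVersion {
 /**
 * Whether or not its a custom version.
 */
-public readonly custom: boolean) {}
+public readonly custom: boolean) { }
 }
 
 /**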
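Review bot: The TSDoc on the new `V2_4_1` constant in the first hunk only restates the version string, so a reader choosing it cannot tell what the cluster is committed to; the practical difference is the alb-iam_policy-v2.4.1.json document this commit adds, in which several statements — the `ec2:AuthorizeSecurityGroupIngress`/`RevokeSecurityGroupIngress` pair, `ec2:CreateSecurityGroup`, and the listener/rule and `SetWebAcl`/`ModifyListener` statements — are granted on `Resource: "*"` with no tag condition, while only the tag-conditioned statements are narrowed. Suggest `/** v2.4.1 — installs the controller IAM policy shipped for this release; review its wildcard-resource statements before adopting. */`. Whether the version string is what selects the policy file is not visible here — the constructor that receives it and the policy loader are outside the hunk. The `{}` → `{ }` change in the second hunk is unrelated whitespace and would be cleaner kept out of a feature commit.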

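--- a/packages/@aws-cdk/aws-eks/test/alb-controller.test.ts
+++ b/packages/@aws-cdk/aws-eks/test/alb-controller.test.ts
@@ -36,7 +36,7 @@ test('can configure a custom repository', () => {
 
 AlbController.create(stack, {
 cluster,
-version: AlbControllerVersion.V2_3_1,
+version: AlbControllerVersion.V2_4_1,
 repository: 'custom',
 });
 
@@ -53,7 +53,7 @@ test('can configure a custom repository', () => {
 {
 Ref: 'ClusterDefaultVpcFA9F2722',
 },
-'","image":{"repository":"custom","tag":"v2.3.1"}}',
+'","image":{"repository":"custom","tag":"v2.4.1"}}',
 ],
 ],
 },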

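--- a/packages/@aws-cdk/aws-eks/test/cluster.test.ts
+++ b/packages/@aws-cdk/aws-eks/test/cluster.test.ts
@@ -27,7 +27,7 @@ describe('cluster', () => {
 const cluster = new eks.Cluster(stack, 'Cluster', {
 version: CLUSTER_VERSION,
 albController: {
-version: eks.AlbControllerVersion.V2_3_1,
+version: eks.AlbControllerVersion.V2_4_1,
 },
 });
 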

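--- a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json
+++ b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json
@@ -1615,7 +1615,7 @@
 {
 "Ref": "Vpc8378EB38"
 },
-"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.1\"}}"
+"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.4.1\"}}"
 ]
 ]
 },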

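--- a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.ts
+++ b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.ts
@@ -19,7 +19,7 @@ class EksClusterAlbControllerStack extends TestStack {
 vpc,
 version: eks.KubernetesVersion.V1_21,
 albController: {
-version: eks.AlbControllerVersion.V2_3_1,
+version: eks.AlbControllerVersion.V2_4_1,
 },
 });
 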

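--- a/packages/@aws-cdk/aws-eks/test/integ.eks-inference.expected.json
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-inference.expected.json
@@ -1980,7 +1980,7 @@
 {
 "Ref": "Vpc8378EB38"
 },
-"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.3.1\"}}"
+"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.4.1\"}}"
 ]
 ]
 },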

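--- a/packages/@aws-cdk/aws-eks/test/integ.eks-inference.ts
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-inference.ts
@@ -16,7 +16,7 @@ class EksClusterInferenceStack extends TestStack {
 vpc,
 version: eks.KubernetesVersion.V1_21,
 albController: {
-version: eks.AlbControllerVersion.V2_3_1,
+version: eks.AlbControllerVersion.V2_4_1,
 },
 });
 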
