
Commit 4ada313

authored
fix(eks-v2-alpha): can't delete fargate cluster (#33573)
### Issue # (if applicable) Closes #33347. ### Reason for this change The fargate cluster deletion fails because the cluster admin access entry is deleted before the `KubernetesPatch` is deleted. Since deleting a `KubernetesPatch` requires applying its restore patch to the cluster, it still needs cluster access at that point. Because the access entry has already been deleted, the kubectl provider is no longer able to apply the patch to the cluster. ### Description of changes add an explicit dependency from patch to the access entry so the patch will only be deleted after the access entry ### Description of how you validated changes unit tests/integration tests ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 528e5df commit 4ada313


6 files changed

+68
-946
lines changed


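--- a/packages/@aws-cdk/aws-eks-v2-alpha/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-eks-v2-alpha/lib/cluster.ts
@@ -1067,6 +1067,8 @@ export class Cluster extends ClusterBase {
 
 private readonly _kubectlProvider?: IKubectlProvider;
 
+private readonly _clusterAdminAccess?: AccessEntry;
+
 /**
 * Initiates an EKS Cluster with the supplied arguments
 *
@@ -1279,11 +1281,7 @@ export class Cluster extends ClusterBase {
 
 // give the handler role admin access to the cluster
 // so it can deploy/query any resource.
-this.grantAccess('ClusterAdminRoleAccess', this._kubectlProvider?.role!.roleArn, [
-AccessPolicy.fromAccessPolicyName('AmazonEKSClusterAdminPolicy', {
-accessScopeType: AccessScopeType.CLUSTER,
-}),
-]);
+this._clusterAdminAccess = this.grantClusterAdmin('ClusterAdminRoleAccess', this._kubectlProvider?.role!.roleArn);
 }
 
 // do not create a masters role if one is not provided. Trusting the accountRootPrincipal() is too permissive.
@@ -1351,6 +1349,32 @@ export class Cluster extends ClusterBase {
 this.addToAccessEntry(id, principal, accessPolicies);
 }
 
+/**
+* Grants the specified IAM principal cluster admin access to the EKS cluster.
+*
+* This method creates an `AccessEntry` construct that grants the specified IAM principal the cluster admin
+* access permissions. This allows the IAM principal to perform the actions permitted
+* by the cluster admin acces.
+*
+* @param id - The ID of the `AccessEntry` construct to be created.
+* @param principal - The IAM principal (role or user) to be granted access to the EKS cluster.
+* @returns the access entry construct
+*/
+@MethodMetadata()
+public grantClusterAdmin(id: string, principal: string): AccessEntry {
+const newEntry = new AccessEntry(this, id, {
+principal,
+cluster: this,
+accessPolicies: [
+AccessPolicy.fromAccessPolicyName('AmazonEKSClusterAdminPolicy', {
+accessScopeType: AccessScopeType.CLUSTER,
+}),
+],
+});
+this.accessEntries.set(principal, newEntry);
+return newEntry;
+}
+
 /**
 * Fetch the load balancer address of a service of type 'LoadBalancer'.
 *
@@ -1730,13 +1754,19 @@ export class Cluster extends ClusterBase {
 },
 });
 
-new KubernetesPatch(this, 'CoreDnsComputeTypePatch', {
+const k8sPatch = new KubernetesPatch(this, 'CoreDnsComputeTypePatch', {
 cluster: this,
 resourceName: 'deployment/coredns',
 resourceNamespace: 'kube-system',
 applyPatch: renderPatch(CoreDnsComputeType.FARGATE),
 restorePatch: renderPatch(CoreDnsComputeType.EC2),
 });
+
+// In Patch deletion, it needs to apply the restore patch to the cluster
+// So the cluster admin access can only be deleted after the patch
+if (this._clusterAdminAccess) {
+k8sPatch.node.addDependency(this._clusterAdminAccess);
+}
 }
 }
 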
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.fargate-cluster.js.snapshot/asset.2e670e0c40dc05a34d602c35c948edefcb81afaeea05b9f6240341173af6164e.zip

-3
This file was deleted.

packages/@aws-cdk/aws-eks-v2-alpha/test/integ.fargate-cluster.js.snapshot/eks-fargate-cluster-test-stack.assets.json

+2-2

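--- a/packages/@aws-cdk/aws-eks-v2-alpha/test/integ.fargate-cluster.js.snapshot/eks-fargate-cluster-test-stack.template.json
+++ b/packages/@aws-cdk/aws-eks-v2-alpha/test/integ.fargate-cluster.js.snapshot/eks-fargate-cluster-test-stack.template.json
@@ -1046,6 +1046,7 @@
 "PatchType": "strategic"
 },
 "DependsOn": [
+"FargateTestClusterClusterAdminRoleAccess9EFE9888",
 "FargateTestClusterKubectlReadyBarrier724731D5"
 ],
 "UpdateReplacePolicy": "Delete",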
