
Commit 83c4c36

feat(eks): alb controller include versions 2.4.2 - 2.5.1 (#25330)
## Motivation: We should provide users with all available ALB controller versions for use with aws-eks. This change does not prohibit users from using previous ALB controller versions. Instead, this adds support for versions 2.4.2 - 2.5.1. Previous ALB controller versions can be specified by using the static "of" method as part of the AlbControllerVersion class, e.g., AlbControllerVersion.of(). ## Testing: Updated existing ALB controller integrity test to use ALB controller version 2.5.1. Closes #25307 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 25bd120 commit 83c4c36

17 files changed

+2006
-32
lines changed

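--- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/aws-cdk-eks-cluster-alb-controller-test.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/aws-cdk-eks-cluster-alb-controller-test.template.json
@@ -1368,6 +1368,26 @@
 "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
 ]
 },
+{
+"Action": "elasticloadbalancing:AddTags",
+"Condition": {
+"StringEquals": {
+"elasticloadbalancing:CreateAction": [
+"CreateTargetGroup",
+"CreateLoadBalancer"
+]
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+},
+"Effect": "Allow",
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+]
+},
 {
 "Action": [
 "elasticloadbalancing:DeregisterTargets",
@@ -1454,7 +1474,7 @@
 },
 "Release": "aws-load-balancer-controller",
 "Chart": "aws-load-balancer-controller",
-"Version": "1.4.1",
+"Version": "1.5.2",
 "Wait": true,
 "Timeout": "900s",
 "Values": {
@@ -1473,7 +1493,7 @@
 {
 "Ref": "Vpc8378EB38"
 },
-"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.4.1\"}}"
+"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.5.1\"}}"
 ]
 ]
 },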

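--- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/tree.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/tree.json
@@ -3385,6 +3385,26 @@
 "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
 ]
 },
+{
+"Action": "elasticloadbalancing:AddTags",
+"Condition": {
+"StringEquals": {
+"elasticloadbalancing:CreateAction": [
+"CreateTargetGroup",
+"CreateLoadBalancer"
+]
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+},
+"Effect": "Allow",
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+]
+},
 {
 "Action": [
 "elasticloadbalancing:DeregisterTargets",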

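--- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.ts
@@ -20,7 +20,7 @@ class EksClusterAlbControllerStack extends Stack {
 vpc,
 ...getClusterVersionConfig(this),
 albController: {
-version: eks.AlbControllerVersion.V2_4_1,
+version: eks.AlbControllerVersion.V2_5_1,
 },
 });
 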

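--- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-inference.js.snapshot/aws-cdk-eks-cluster-inference-test.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-inference.js.snapshot/aws-cdk-eks-cluster-inference-test.template.json
@@ -1703,6 +1703,26 @@
 "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
 ]
 },
+{
+"Action": "elasticloadbalancing:AddTags",
+"Condition": {
+"StringEquals": {
+"elasticloadbalancing:CreateAction": [
+"CreateTargetGroup",
+"CreateLoadBalancer"
+]
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+},
+"Effect": "Allow",
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+]
+},
 {
 "Action": [
 "elasticloadbalancing:DeregisterTargets",
@@ -1809,7 +1829,7 @@
 },
 "Release": "aws-load-balancer-controller",
 "Chart": "aws-load-balancer-controller",
-"Version": "1.4.1",
+"Version": "1.5.2",
 "Wait": true,
 "Timeout": "900s",
 "Values": {
@@ -1828,7 +1848,7 @@
 {
 "Ref": "Vpc8378EB38"
 },
-"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.4.1\"}}"
+"\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.5.1\"}}"
 ]
 ]
 },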

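--- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-inference.js.snapshot/tree.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-inference.js.snapshot/tree.json
@@ -3842,6 +3842,26 @@
 "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
 ]
 },
+{
+"Action": "elasticloadbalancing:AddTags",
+"Condition": {
+"StringEquals": {
+"elasticloadbalancing:CreateAction": [
+"CreateTargetGroup",
+"CreateLoadBalancer"
+]
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+},
+"Effect": "Allow",
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+]
+},
 {
 "Action": [
 "elasticloadbalancing:DeregisterTargets",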

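--- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-inference.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-inference.ts
@@ -17,7 +17,7 @@ class EksClusterInferenceStack extends Stack {
 vpc,
 ...getClusterVersionConfig(this),
 albController: {
-version: eks.AlbControllerVersion.V2_4_1,
+version: eks.AlbControllerVersion.V2_5_1,
 },
 });
 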
2323

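--- a/packages/aws-cdk-lib/aws-eks/README.md
+++ b/packages/aws-cdk-lib/aws-eks/README.md
@@ -518,7 +518,7 @@ The default value is `eks.EndpointAccess.PUBLIC_AND_PRIVATE`. Which means the cl
 
 ### Alb Controller
 
-Some Kubernetes resources are commonly implemented on AWS with the help of the [ALB Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/).
+Some Kubernetes resources are commonly implemented on AWS with the help of the [ALB Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.5/).
 
 From the docs:
 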

@@ -0,0 +1,219 @@
1+
{
2+
"Version": "2012-10-17",
3+
"Statement": [
4+
{
5+
"Effect": "Allow",
6+
"Action": [
7+
"iam:CreateServiceLinkedRole"
8+
],
9+
"Resource": "*",
10+
"Condition": {
11+
"StringEquals": {
12+
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
13+
}
14+
}
15+
},
16+
{
17+
"Effect": "Allow",
18+
"Action": [
19+
"ec2:DescribeAccountAttributes",
20+
"ec2:DescribeAddresses",
21+
"ec2:DescribeAvailabilityZones",
22+
"ec2:DescribeInternetGateways",
23+
"ec2:DescribeVpcs",
24+
"ec2:DescribeVpcPeeringConnections",
25+
"ec2:DescribeSubnets",
26+
"ec2:DescribeSecurityGroups",
27+
"ec2:DescribeInstances",
28+
"ec2:DescribeNetworkInterfaces",
29+
"ec2:DescribeTags",
30+
"ec2:GetCoipPoolUsage",
31+
"ec2:DescribeCoipPools",
32+
"elasticloadbalancing:DescribeLoadBalancers",
33+
"elasticloadbalancing:DescribeLoadBalancerAttributes",
34+
"elasticloadbalancing:DescribeListeners",
35+
"elasticloadbalancing:DescribeListenerCertificates",
36+
"elasticloadbalancing:DescribeSSLPolicies",
37+
"elasticloadbalancing:DescribeRules",
38+
"elasticloadbalancing:DescribeTargetGroups",
39+
"elasticloadbalancing:DescribeTargetGroupAttributes",
40+
"elasticloadbalancing:DescribeTargetHealth",
41+
"elasticloadbalancing:DescribeTags"
42+
],
43+
"Resource": "*"
44+
},
45+
{
46+
"Effect": "Allow",
47+
"Action": [
48+
"cognito-idp:DescribeUserPoolClient",
49+
"acm:ListCertificates",
50+
"acm:DescribeCertificate",
51+
"iam:ListServerCertificates",
52+
"iam:GetServerCertificate",
53+
"waf-regional:GetWebACL",
54+
"waf-regional:GetWebACLForResource",
55+
"waf-regional:AssociateWebACL",
56+
"waf-regional:DisassociateWebACL",
57+
"wafv2:GetWebACL",
58+
"wafv2:GetWebACLForResource",
59+
"wafv2:AssociateWebACL",
60+
"wafv2:DisassociateWebACL",
61+
"shield:GetSubscriptionState",
62+
"shield:DescribeProtection",
63+
"shield:CreateProtection",
64+
"shield:DeleteProtection"
65+
],
66+
"Resource": "*"
67+
},
68+
{
69+
"Effect": "Allow",
70+
"Action": [
71+
"ec2:AuthorizeSecurityGroupIngress",
72+
"ec2:RevokeSecurityGroupIngress"
73+
],
74+
"Resource": "*"
75+
},
76+
{
77+
"Effect": "Allow",
78+
"Action": [
79+
"ec2:CreateSecurityGroup"
80+
],
81+
"Resource": "*"
82+
},
83+
{
84+
"Effect": "Allow",
85+
"Action": [
86+
"ec2:CreateTags"
87+
],
88+
"Resource": "arn:aws:ec2:*:*:security-group/*",
89+
"Condition": {
90+
"StringEquals": {
91+
"ec2:CreateAction": "CreateSecurityGroup"
92+
},
93+
"Null": {
94+
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
95+
}
96+
}
97+
},
98+
{
99+
"Effect": "Allow",
100+
"Action": [
101+
"ec2:CreateTags",
102+
"ec2:DeleteTags"
103+
],
104+
"Resource": "arn:aws:ec2:*:*:security-group/*",
105+
"Condition": {
106+
"Null": {
107+
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
108+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
109+
}
110+
}
111+
},
112+
{
113+
"Effect": "Allow",
114+
"Action": [
115+
"ec2:AuthorizeSecurityGroupIngress",
116+
"ec2:RevokeSecurityGroupIngress",
117+
"ec2:DeleteSecurityGroup"
118+
],
119+
"Resource": "*",
120+
"Condition": {
121+
"Null": {
122+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
123+
}
124+
}
125+
},
126+
{
127+
"Effect": "Allow",
128+
"Action": [
129+
"elasticloadbalancing:CreateLoadBalancer",
130+
"elasticloadbalancing:CreateTargetGroup"
131+
],
132+
"Resource": "*",
133+
"Condition": {
134+
"Null": {
135+
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
136+
}
137+
}
138+
},
139+
{
140+
"Effect": "Allow",
141+
"Action": [
142+
"elasticloadbalancing:CreateListener",
143+
"elasticloadbalancing:DeleteListener",
144+
"elasticloadbalancing:CreateRule",
145+
"elasticloadbalancing:DeleteRule"
146+
],
147+
"Resource": "*"
148+
},
149+
{
150+
"Effect": "Allow",
151+
"Action": [
152+
"elasticloadbalancing:AddTags",
153+
"elasticloadbalancing:RemoveTags"
154+
],
155+
"Resource": [
156+
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
157+
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
158+
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
159+
],
160+
"Condition": {
161+
"Null": {
162+
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
163+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
164+
}
165+
}
166+
},
167+
{
168+
"Effect": "Allow",
169+
"Action": [
170+
"elasticloadbalancing:AddTags",
171+
"elasticloadbalancing:RemoveTags"
172+
],
173+
"Resource": [
174+
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
175+
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
176+
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
177+
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
178+
]
179+
},
180+
{
181+
"Effect": "Allow",
182+
"Action": [
183+
"elasticloadbalancing:ModifyLoadBalancerAttributes",
184+
"elasticloadbalancing:SetIpAddressType",
185+
"elasticloadbalancing:SetSecurityGroups",
186+
"elasticloadbalancing:SetSubnets",
187+
"elasticloadbalancing:DeleteLoadBalancer",
188+
"elasticloadbalancing:ModifyTargetGroup",
189+
"elasticloadbalancing:ModifyTargetGroupAttributes",
190+
"elasticloadbalancing:DeleteTargetGroup"
191+
],
192+
"Resource": "*",
193+
"Condition": {
194+
"Null": {
195+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
196+
}
197+
}
198+
},
199+
{
200+
"Effect": "Allow",
201+
"Action": [
202+
"elasticloadbalancing:RegisterTargets",
203+
"elasticloadbalancing:DeregisterTargets"
204+
],
205+
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
206+
},
207+
{
208+
"Effect": "Allow",
209+
"Action": [
210+
"elasticloadbalancing:SetWebAcl",
211+
"elasticloadbalancing:ModifyListener",
212+
"elasticloadbalancing:AddListenerCertificates",
213+
"elasticloadbalancing:RemoveListenerCertificates",
214+
"elasticloadbalancing:ModifyRule"
215+
],
216+
"Resource": "*"
217+
}
218+
]
219+
}
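Review bot: The statement at new lines 68-75 grants `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` on `"Resource": "*"` with no `Condition`, so the tag-scoped grant of the same two actions at lines 112-125 adds nothing for them and the controller's role can edit ingress rules on any security group in the account. The `AddTags`/`RemoveTags` statement on listener and listener-rule ARNs (lines 167-179) and the listener/rule create and delete statement (lines 139-148) are likewise unconditioned, unlike the `aws:ResourceTag/elbv2.k8s.aws/cluster` checks used elsewhere in the file. The broad grant may be deliberate (presumably for security groups the controller did not create), but JSON cannot carry a comment, so the reason should be recorded where users will read it. A README sentence would do, for example `The ALB controller policy allows changing ingress rules on any security group in the account; constrain the role with a permissions boundary if that is broader than you need.`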
