Merge pull request kubernetes-retired#1123 from ivanilves/node-draine…

…r-iam-role Add [optional] explicit IAM role specification to NodeDrainer
HotelsDotCom · Feb 6, 2018 · d20102b · d20102b
2 parents 0d26618 + de4b7ca
commit d20102b
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 3 deletions.
diff --git a/core/controlplane/config/config.go b/core/controlplane/config/config.go
@@ -104,6 +104,7 @@ func NewDefaultCluster() *Cluster {
 		NodeDrainer: model.NodeDrainer{
 			Enabled:      false,
 			DrainTimeout: 5,
+			IAMRole:      model.IAMRole{},
 		},
 		Oidc: model.Oidc{
 			Enabled:       false,

diff --git a/core/controlplane/config/config_test.go b/core/controlplane/config/config_test.go
@@ -930,17 +930,21 @@ func TestNodeDrainerConfig(t *testing.T) {
 			nodeDrainer: model.NodeDrainer{
 				Enabled:      false,
 				DrainTimeout: 5,
+				IAMRole:      model.IAMRole{},
 			},
 		},
 		{
 			conf: `
 experimental:
   nodeDrainer:
     enabled: true
+    iamRole:
+      arn: arn:aws:iam::0123456789012:role/asg-list-role
 `,
 			nodeDrainer: model.NodeDrainer{
 				Enabled:      true,
 				DrainTimeout: 5,
+				IAMRole:      model.IAMRole{ARN: model.ARN{Arn: "arn:aws:iam::0123456789012:role/asg-list-role"}},
 			},
 		},
 		{

diff --git a/core/controlplane/config/templates/cloud-config-controller b/core/controlplane/config/templates/cloud-config-controller
@@ -1332,6 +1332,9 @@ write_files:
                 k8s-app: kube-node-drainer-asg-status-updater
               annotations:
                 scheduler.alpha.kubernetes.io/critical-pod: ''
+                {{if ne .Experimental.NodeDrainer.IAMRole.ARN.Arn "" -}}
+                iam.amazonaws.com/role: {{ .Experimental.NodeDrainer.IAMRole.ARN.Arn }}
+                {{ end }}
             spec:
               {{if .Experimental.Admission.Priority.Enabled -}}
               priorityClassName: system-node-critical

diff --git a/core/controlplane/config/templates/cluster.yaml b/core/controlplane/config/templates/cluster.yaml
@@ -1220,7 +1220,7 @@ addons:
 
   # When set to true this configures security groups for prometheus between nodes.
   # This includes the following ports: 10252, 10251, 10250, 9100, and 4194
-  prometheus: 
+  prometheus:
     securityGroupsEnabled: false
 
 # Experimental features will change in backward-incompatible ways
@@ -1296,6 +1296,10 @@ experimental:
     enabled: false
     # Maximum time to wait, in minutes, for the node to be completely drained. Must be an integer between 1 and 60.
     drainTimeout: 5
+    # IAM role to assume with kube2iam for the pod in "kube-node-drainer-asg-status-updater" deployment.
+    iamRole:
+      # Empty, inactive by default. Set it to valid ARN "arn: arn:aws:iam::0123456789012:role/roleName" to activate.
+      arn: ""
 
   # Configure OpenID Connect token authenticator plugin in Kubernetes API server.
   # For using Dex as a custom OIDC provider, please check "contrib/dex/README.md".

diff --git a/model/node_drainer.go b/model/node_drainer.go
@@ -6,8 +6,9 @@ import (
 )
 
 type NodeDrainer struct {
-	Enabled      bool `yaml:"enabled"`
-	DrainTimeout int  `yaml:"drainTimeout"`
+	Enabled      bool    `yaml:"enabled"`
+	DrainTimeout int     `yaml:"drainTimeout"`
+	IAMRole      IAMRole `yaml:"iamRole,omitempty"`
 }
 
 func (nd *NodeDrainer) DrainTimeoutInSeconds() int {