From a85bb5a219491726244aa7465ffa18847cfb3b8f Mon Sep 17 00:00:00 2001 From: "alex.hsu" Date: Tue, 1 Oct 2024 17:30:46 +0800 Subject: [PATCH 1/3] feat: bump coredns to v1.11.3 and aws-ccm to v1.31.0 --- templates/addons/coredns.yaml.tpl | 7 ++++--- templates/cloud-provider/aws-ccm.yaml.tpl | 12 ++++++++++++ variables_defaults.tf | 4 ++-- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/templates/addons/coredns.yaml.tpl b/templates/addons/coredns.yaml.tpl index 451377a..cf80487 100644 --- a/templates/addons/coredns.yaml.tpl +++ b/templates/addons/coredns.yaml.tpl @@ -1,4 +1,4 @@ -# Source from: https://github.com/coredns/deployment/blob/master/kubernetes/coredns.yaml.sed +# Source from: https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/coredns/coredns.yaml.sed apiVersion: v1 kind: ServiceAccount metadata: @@ -106,9 +106,10 @@ spec: metadata: labels: k8s-app: kube-dns - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault priorityClassName: system-cluster-critical serviceAccountName: coredns tolerations: diff --git a/templates/cloud-provider/aws-ccm.yaml.tpl b/templates/cloud-provider/aws-ccm.yaml.tpl index d9f58bd..0958dec 100644 --- a/templates/cloud-provider/aws-ccm.yaml.tpl +++ b/templates/cloud-provider/aws-ccm.yaml.tpl @@ -90,6 +90,18 @@ rules: - serviceaccounts/token verbs: - create +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/variables_defaults.tf b/variables_defaults.tf index 52e3588..e51c85f 100644 --- a/variables_defaults.tf +++ b/variables_defaults.tf 
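Review bot: The pod-level `securityContext:` block added under `spec:` in the second coredns hunk is the right replacement for the alpha seccomp annotation, but the pod template spec starts and ends outside the hunk, so check that no other pod-level `securityContext` key already exists further down in the template — YAML loaders keep the last duplicate silently and one of the two settings would be dropped without any error. The field form requires a cluster that has the seccomp field GA (1.19 or later); the template should say so, since on older clusters the removed annotation was the only thing applying a profile. A short comment above the new block would carry both points: `# Requires Kubernetes >= 1.19 (seccompProfile field); replaces the deprecated seccomp.security.alpha.kubernetes.io/pod annotation.`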
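Review bot: The two rules added in the aws-ccm hunk grant `create` on `tokenreviews` and `subjectaccessreviews`, which lets the CCM service account validate any bearer token presented to it and run authorization checks on behalf of other subjects; that is what delegated authentication/authorization on the controller's secure port needs, but nothing in the hunk or the commit message says so. Add a comment above the first new `- apiGroups:` entry, e.g. `# Delegated authn/authz (TokenReview / SubjectAccessReview) for the CCM secure port; presumably required by the v1.31 manifest — confirm against upstream cloud-provider-aws`, so a later least-privilege review does not strip them again. The enclosing ClusterRole begins outside the hunk; the `---` at the end of the hunk starts a separate RoleBinding document.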
@@ -18,7 +18,7 @@ locals { } coredns = { repo = "coredns/coredns" - tag = "1.11.1" + tag = "1.11.3" } vpc_cni = { repo = "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni" @@ -58,7 +58,7 @@ locals { } cloud_controller_manager = { repo = "registry.k8s.io/provider-aws/cloud-controller-manager" - tag = "v1.27.1" + tag = "v1.31.0" } }, var.containers) From 24b12df728bfde469139c185c3d858f3990e7e18 Mon Sep 17 00:00:00 2001 From: "alex.hsu" Date: Fri, 4 Oct 2024 14:26:36 +0800 Subject: [PATCH 2/3] remove redundant permissions according to the latest doc --- templates/cloud-provider/aws-ccm.yaml.tpl | 2 -- 1 file changed, 2 deletions(-) diff --git a/templates/cloud-provider/aws-ccm.yaml.tpl b/templates/cloud-provider/aws-ccm.yaml.tpl index 0958dec..748cb8e 100644 --- a/templates/cloud-provider/aws-ccm.yaml.tpl +++ b/templates/cloud-provider/aws-ccm.yaml.tpl @@ -53,8 +53,6 @@ rules: - serviceaccounts verbs: - create - - get - - list - apiGroups: - "" resources: From 8c5f2e3362f8e84fe979857e77921b8adf3217da Mon Sep 17 00:00:00 2001 From: "alex.hsu" Date: Fri, 4 Oct 2024 18:10:55 +0800 Subject: [PATCH 3/3] add comments for hostnetowrk --- templates/cloud-provider/aws-ccm.yaml.tpl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/cloud-provider/aws-ccm.yaml.tpl b/templates/cloud-provider/aws-ccm.yaml.tpl index 748cb8e..5238f63 100644 --- a/templates/cloud-provider/aws-ccm.yaml.tpl +++ b/templates/cloud-provider/aws-ccm.yaml.tpl @@ -158,6 +158,8 @@ spec: resources: requests: cpu: 200m + # We speculatively set hostNetwork to true for the AWS CCM to connect to the AWS API + # https://shazi.info/amazon-eks-pod-%E5%AD%98%E5%8F%96-imdsv2-%E7%95%B0%E5%B8%B8%E7%B7%A9%E6%85%A2%E8%99%95%E7%90%86/ hostNetwork: true nodeSelector: node-role.kubernetes.io/master: ""
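Review bot: The comment added in the last hunk says `hostNetwork: true` is set "speculatively", which records uncertainty rather than a reason for a setting that places the pod in the node's network namespace, bypasses NetworkPolicy and exposes the CCM's listening ports on the node's interfaces. The linked post (its URL decodes to a note on EKS pods reaching IMDSv2 slowly) suggests the real rationale is IMDS access; if so, state it directly, e.g. `# hostNetwork is required: the CCM must reach the EC2 IMDS, and IMDSv2's default hop limit of 1 is not reachable from the pod network; presumably it must also start before the CNI is ready on uninitialized nodes — confirm.` Prefer citing the AWS IMDSv2 hop-limit documentation or the upstream cloud-provider-aws manifest over a personal blog, since the blog may disappear. The pod spec and the DaemonSet/Deployment that holds it begin outside the hunk.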