Merge pull request #9996 from zalando-incubator/alpha-to-beta

alpha to beta

Author: mikkeloscar

cluster/config-defaults.yaml

@@ -1304,7 +1304,6 @@ eks_zalando_iam_aws_proxy_hpa_cpu_target: "80"
 eks_zalando_iam_aws_proxy_hpa_memory_target: "80"
 eks_okta_identity_provider: "true"
 eks_fis_support_enabled: "false"
-eks_fis_namespaces: "default"
 
 # prefix delegation can only be configured for ipv4. For ipv6 it can only be true.
 aws_vpc_cni_prefix_delegation: "false"

cluster/manifests/01-coredns-local/daemonset-coredns.yaml

@@ -94,7 +94,7 @@ spec:
           name: unbound-socket
           readOnly: false
       - name: unbound-exporter
-        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/unbound_exporter:v0.4.6-main-1.custom
+        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/unbound_exporter:v0.4.6-main-2.custom
         args:
         - -unbound.ca
         - ""
@@ -120,7 +120,7 @@ spec:
           readOnly: false
       - name: coredns
         {{- if eq .Cluster.Provider "zalando-eks" }}
-        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/coredns:1.12.1-master-26
+        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/coredns:1.12.4-master-29
         {{- else }}
         image: container-registry.zalando.net/teapot/coredns:1.12.4-master-28
         {{- end }}

cluster/manifests/02-admission-control/config.yaml

@@ -169,6 +169,11 @@ data:
 {{- end}}
 
   pod.pod-security-policy.allow-privilege-escalation: "{{ .Cluster.ConfigItems.teapot_admission_controller_pod_security_policy_privileged_allow_privilege_escalation }}"
+{{- if eq .Cluster.ConfigItems.eks_fis_support_enabled "true" }}
+  pod.aws-fis-experiment-service-account-name: "fis-experiment-executor"
+  pod.aws-fis-experiment-user: "fis-experiment-executor"
+  pod.aws-fis-experiment-privileged-capabilities.NET_ADMIN: ""
+{{- end}}
 
   deployment.default.rolling-update-max-surge: "{{ .Cluster.ConfigItems.teapot_admission_controller_deployment_default_max_surge }}"
   deployment.default.rolling-update-max-unavailable: "{{ .Cluster.ConfigItems.teapot_admission_controller_deployment_default_max_unavailable }}"

cluster/manifests/deletions.yaml

@@ -15,11 +15,6 @@ post_apply:
   kind: ClusterRoleBinding
 - name: fis-experiment
   kind: ClusterRole
-# {{ range $namespace := split .Cluster.ConfigItems.eks_fis_namespaces "," }}
-- name: fis-experiment
-  kind: ServiceAccount
-  namespace: "{{ $namespace }}"
-# {{ end }}
 {{- end }}
 {{- end }}
 {{ if eq .Cluster.ConfigItems.teapot_admission_controller_process_resources "true" }}

cluster/manifests/eks-fis/01-rbac.yaml

@@ -1,12 +1,4 @@
 {{- if eq .Cluster.ConfigItems.eks_fis_support_enabled "true" }}
-# {{ range $namespace := split .Cluster.ConfigItems.eks_fis_namespaces "," }}
-kind: ServiceAccount
-apiVersion: v1
-metadata:
-  namespace: "{{ $namespace }}"
-  name: fis-experiment-executor
----
-# {{ end }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -17,7 +9,7 @@ rules:
   verbs: ["get", "create", "patch", "delete"]
 - apiGroups: [""]
   resources: ["pods"]
-  verbs: ["create", "get", "delete", "deletecollection", "list"]
+  verbs: ["create", "list", "get", "delete", "deletecollection"]
 - apiGroups: [""]
   resources: ["pods/ephemeralcontainers"]
   verbs: ["update"]
@@ -33,11 +25,6 @@ kind: ClusterRoleBinding
 metadata:
   name: fis-experiment-executor
 subjects:
-# {{ range $namespace := split .Cluster.ConfigItems.eks_fis_namespaces "," }}
-- kind: ServiceAccount
-  name: fis-experiment-executor
-  namespace: "{{ $namespace }}"
-# {{ end }}
 - apiGroup: rbac.authorization.k8s.io
   kind: User
   name: fis-experiment-executor

cluster/manifests/prometheus/statefulset.yaml

@@ -57,7 +57,7 @@ spec:
           mountPath: /prometheus
       containers:
       - name: prometheus
-        image: container-registry.zalando.net/teapot/prometheus:v3.4.1-master-67
+        image: container-registry.zalando.net/teapot/prometheus:v3.5.0-master-68
         args:
         - "--config.file=/prometheus/prometheus.yaml"
         - "--storage.tsdb.path=/prometheus/"

cluster/manifests/role-sync-controller/cronjob.yaml

@@ -33,7 +33,7 @@ spec:
           restartPolicy: Never
           containers:
           - name: role-sync-controller
-            image: container-registry.zalando.net/teapot/role-sync-controller:main-13
+            image: container-registry.zalando.net/teapot/role-sync-controller:main-14
             args:
               - --subject-group=PowerUser
               - --subject-group=Manual
@@ -47,4 +47,7 @@ spec:
               {{- if eq .Cluster.Provider "zalando-eks"}}
               - --subject-serviceaccount=kube-system/deployment-service-controller
               {{- end}}
+              {{- if eq .Cluster.ConfigItems.eks_fis_support_enabled "true" }}
+              - --eks-fis-serviceaccount=fis-experiment-executor
+              {{- end}}
 {{ end }}

cluster/manifests/role-sync-controller/rbac.yaml

@@ -14,6 +14,15 @@ rules:
     - "namespaces"
     verbs:
     - "list"
+  # Allow the controller to manage ServiceAccounts
+  - apiGroups:
+    - ""
+    resources:
+    - serviceaccounts
+    verbs:
+    - "get"
+    - "create"
+    - "update"
   # Allow the controller to manage Roles and Rolebindings
   - apiGroups:
     - rbac.authorization.k8s.io
@@ -41,6 +50,23 @@ rules:
     - "get"
     - "list"
     - "watch"
+  # Allow the controller to manage roles with permissions required by eks-fis
+  # integration.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "create", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["create", "get", "delete", "deletecollection", "list"]
+  - apiGroups: [""]
+    resources: ["pods/ephemeralcontainers"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["create"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

cluster/manifests/sandbox-controller/30-deployment.yaml

@@ -1,4 +1,4 @@
-# {{ $image := "container-registry.zalando.net/gwproxy/sandbox-controller:main-20" }}
+# {{ $image := "container-registry.zalando.net/gwproxy/sandbox-controller:main-22" }}
 # {{ $version := index (split $image ":") 1 }}
 
 {{ if eq .Cluster.ConfigItems.sandbox_controller_enabled "true" }}

test/e2e/cluster_config.sh

@@ -108,15 +108,6 @@ EOFF
     profile: worker-splitaz
     min_size: 0
     max_size: 21
-  - name: default-karpenter
-    profile: worker-karpenter
-    discount_strategy: none
-    max_size: 0
-    min_size: 0
-    instance_types:
-    - default-for-karpenter
-    config_items:
-      scaling_priority: "100"
   - name: karpenter-arm
     profile: worker-karpenter
     discount_strategy: none
@@ -188,7 +179,6 @@ EOFF
       scaling_priority: "2"
       taints: nvidia.com/gpu=present:NoSchedule,zalando.org/dedicated=dedicated:NoSchedule
     discount_strategy: none
-    instance_type: not-specified
     instance_types:
     - not-specified
     max_size: 0
@@ -200,9 +190,8 @@ EOFF
       scaling_priority: "1"
       taints: zalando.org/dedicated=dedicated:NoSchedule
     discount_strategy: none
-    instance_type: not-specified
     instance_types:
-    - not-specified
+    - default-for-karpenter
     max_size: 0
     min_size: 0
     name: karpenter-catch-all-dedicated
@@ -212,7 +201,6 @@ EOFF
       scaling_priority: "3"
       taints: nvidia.com/gpu=present:NoSchedule
     discount_strategy: none
-    instance_type: not-specified
     instance_types:
     - not-specified
     max_size: 0
@@ -222,9 +210,8 @@ EOFF
   - config_items:
       scaling_priority: "2"
     discount_strategy: none
-    instance_type: not-specified
     instance_types:
-    - not-specified
+    - default-for-karpenter
     max_size: 0
     min_size: 0
     name: karpenter-catch-all