Add eks fis v2 support

mikkeloscar · mikkeloscar · commit 7d3f41b104d9 · 2025-10-02T14:57:46.000+02:00
Signed-off-by: Mikkel Oscar Lyderik Larsen &lt;mikkel.larsen@zalando.de&gt;
diff --git a/cluster/manifests/02-admission-control/config.yaml b/cluster/manifests/02-admission-control/config.yaml
@@ -169,6 +169,11 @@ data:
 {{- end}}
 
   pod.pod-security-policy.allow-privilege-escalation: "{{ .Cluster.ConfigItems.teapot_admission_controller_pod_security_policy_privileged_allow_privilege_escalation }}"
+{{- if eq .Cluster.ConfigItems.eks_fis_support_enabled "true" }}
+  pod.aws-fis-experiment-service-account-name: "fis-experiment-executor"
+  pod.aws-fis-experiment-user: "fis-experiment-executor"
+  pod.aws-fis-experiment-privileged-capabilities.NET_ADMIN: ""
+{{- end}}
 
   deployment.default.rolling-update-max-surge: "{{ .Cluster.ConfigItems.teapot_admission_controller_deployment_default_max_surge }}"
   deployment.default.rolling-update-max-unavailable: "{{ .Cluster.ConfigItems.teapot_admission_controller_deployment_default_max_unavailable }}"
diff --git a/cluster/manifests/02-admission-control/deployment.yaml b/cluster/manifests/02-admission-control/deployment.yaml
@@ -33,7 +33,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
       - name: admission-controller
-        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-274
+        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-276
         lifecycle:
           preStop:
             sleep:
diff --git a/cluster/manifests/eks-fis/01-rbac.yaml b/cluster/manifests/eks-fis/01-rbac.yaml
@@ -1,12 +1,4 @@
 {{- if eq .Cluster.ConfigItems.eks_fis_support_enabled "true" }}
-# {{ range $namespace := split .Cluster.ConfigItems.eks_fis_namespaces "," }}
-kind: ServiceAccount
-apiVersion: v1
-metadata:
-  namespace: "{{ $namespace }}"
-  name: fis-experiment-executor
----
-# {{ end }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -17,7 +9,7 @@ rules:
   verbs: ["get", "create", "patch", "delete"]
 - apiGroups: [""]
   resources: ["pods"]
-  verbs: ["create", "get", "delete", "deletecollection", "list"]
+  verbs: ["create", "list", "get", "delete", "deletecollection"]
 - apiGroups: [""]
   resources: ["pods/ephemeralcontainers"]
   verbs: ["update"]
@@ -33,11 +25,6 @@ kind: ClusterRoleBinding
 metadata:
   name: fis-experiment-executor
 subjects:
-# {{ range $namespace := split .Cluster.ConfigItems.eks_fis_namespaces "," }}
-- kind: ServiceAccount
-  name: fis-experiment-executor
-  namespace: "{{ $namespace }}"
-# {{ end }}
 - apiGroup: rbac.authorization.k8s.io
   kind: User
   name: fis-experiment-executor
diff --git a/cluster/manifests/role-sync-controller/cronjob.yaml b/cluster/manifests/role-sync-controller/cronjob.yaml
@@ -33,7 +33,7 @@ spec:
           restartPolicy: Never
           containers:
           - name: role-sync-controller
-            image: container-registry.zalando.net/teapot/role-sync-controller:main-13
+            image: container-registry.zalando.net/teapot/role-sync-controller:main-14
             args:
               - --subject-group=PowerUser
               - --subject-group=Manual
@@ -47,4 +47,7 @@ spec:
               {{- if eq .Cluster.Provider "zalando-eks"}}
               - --subject-serviceaccount=kube-system/deployment-service-controller
               {{- end}}
+              {{- if eq .Cluster.ConfigItems.eks_fis_support_enabled "true" }}
+              - --eks-fis-serviceaccount=fis-experiment-executor
+              {{- end}}
 {{ end }}
diff --git a/cluster/manifests/role-sync-controller/rbac.yaml b/cluster/manifests/role-sync-controller/rbac.yaml
@@ -14,6 +14,15 @@ rules:
     - "namespaces"
     verbs:
     - "list"
+  # Allow the controller to manage ServiceAccounts
+  - apiGroups:
+    - ""
+    resources:
+    - serviceaccounts
+    verbs:
+    - "get"
+    - "create"
+    - "update"
   # Allow the controller to manage Roles and Rolebindings
   - apiGroups:
     - rbac.authorization.k8s.io
@@ -41,6 +50,23 @@ rules:
     - "get"
     - "list"
     - "watch"
+  # Allow the controller to manage roles with permissions required by eks-fis
+  # integration.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "create", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["create", "get", "delete", "deletecollection", "list"]
+  - apiGroups: [""]
+    resources: ["pods/ephemeralcontainers"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["create"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/cluster/node-pools/master-default/userdata.yaml b/cluster/node-pools/master-default/userdata.yaml
@@ -219,7 +219,7 @@ write_files:
             limits:
               memory: {{ .Values.InstanceInfo.MemoryFraction (parseInt64 .Cluster.ConfigItems.apiserver_memory_limit_percent)}}
 {{- end }}
-        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-274
+        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-276
           name: admission-controller
           lifecycle:
             preStop:
