Remove default namespace from being selected by fargate, also adds secgrouppolicies for essentials namespace along with kube-system namespace

README.md

@@ -312,6 +312,7 @@ module "karpenter" {
 | <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security Group ID of the master nodes |
 | <a name="output_ebs_kms_key_arn"></a> [ebs\_kms\_key\_arn](#output\_ebs\_kms\_key\_arn) | KMS Key ARN used for EBS encryption |
 | <a name="output_ebs_kms_key_id"></a> [ebs\_kms\_key\_id](#output\_ebs\_kms\_key\_id) | KMS Key ID used for EBS encryption |
+| <a name="output_fargate_namespaces_for_security_group"></a> [fargate\_namespaces\_for\_security\_group](#output\_fargate\_namespaces\_for\_security\_group) | value for fargate\_namespaces\_for\_security\_group |
 | <a name="output_oidc_provider_arn"></a> [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | OIDC Provider ARN for IRSA |
 | <a name="output_worker_iam_role_arn"></a> [worker\_iam\_role\_arn](#output\_worker\_iam\_role\_arn) | IAM Role ARN used by worker nodes |
 | <a name="output_worker_iam_role_name"></a> [worker\_iam\_role\_name](#output\_worker\_iam\_role\_name) | IAM Role Name used by worker nodes |

fargate_profile.tf

@@ -1,29 +1,18 @@
 locals {
 
+ essentials_namespaces = ["opentelemetry-operator-system", "cert-manager", "brupop-bottlerocket-aws"] # to add more if the essentials module deploys in any new namespaces
+ kube_system_namespaces = ["kube-system"]
+
+ fargate_namespaces = concat(local.essentials_namespaces, local.kube_system_namespaces)
+
  default_fargate_profiles = merge(
  {
- default = {
- name = "default"
- selectors = [
- {
- namespace = "default"
- },
- ]
- subnet_ids = var.subnet_ids
- }
  essentials = {
  subnet_ids = var.subnet_ids
  selectors = [
- {
- namespace = "opentelemetry-operator-system"
- },
- {
- namespace = "cert-manager"
- },
- {
- namespace = "brupop-bottlerocket-aws"
- },
- # to add more if the essentials module deploys in any new namespaces
+ for ns_value in local.essentials_namespaces : {
+ namespace = ns_value
+ }
  ]
  }
  },
@@ -55,5 +44,8 @@ module "fargate_profiles" {
  create_aws_observability_ns = var.create_aws_observability_ns
  create_fargate_logger_configmap = var.create_fargate_logger_configmap
 
+ eks_worker_security_group_id = module.eks.node_security_group_id
+ fargate_namespaces_for_security_group = local.fargate_namespaces
+
  tags = var.tags
 }

modules/fargate_profile/README.md

@@ -80,6 +80,7 @@ module "fargate_profile" {
 | Name | Type |
 |------|------|
 | [kubernetes_config_map_v1.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
+| [kubernetes_manifest.sg](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_namespace_v1.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
@@ -91,6 +92,8 @@ module "fargate_profile" {
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS Cluster name | `string` | n/a | yes |
 | <a name="input_create_aws_observability_ns"></a> [create\_aws\_observability\_ns](#input\_create\_aws\_observability\_ns) | value to determine if aws-observability namespace is created | `bool` | `true` | no |
 | <a name="input_create_fargate_logger_configmap"></a> [create\_fargate\_logger\_configmap](#input\_create\_fargate\_logger\_configmap) | value to determine if create\_fargate\_logger\_configmap is created | `bool` | `true` | no |
+| <a name="input_eks_worker_security_group_id"></a> [eks\_worker\_security\_group\_id](#input\_eks\_worker\_security\_group\_id) | Security Group ID of the worker nodes | `string` | n/a | yes |
+| <a name="input_fargate_namespaces_for_security_group"></a> [fargate\_namespaces\_for\_security\_group](#input\_fargate\_namespaces\_for\_security\_group) | List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes | `list(string)` | `[]` | no |
 | <a name="input_fargate_profile_defaults"></a> [fargate\_profile\_defaults](#input\_fargate\_profile\_defaults) | Map of Fargate Profile default configurations | `any` | `{}` | no |
 | <a name="input_fargate_profiles"></a> [fargate\_profiles](#input\_fargate\_profiles) | Map of maps of `fargate_profiles` to create | `any` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags for all resources | `map(string)` | `{}` | no |

modules/fargate_profile/main.tf

@@ -22,3 +22,28 @@ module "fargate_profile" {
  iam_role_tags = lookup(each.value, "iam_role_tags", {})
  tags = merge(var.tags, lookup(each.value, "tags", {}))
 }
+
+
+
+resource "kubernetes_manifest" "sg" {
+
+ for_each = var.fargate_namespaces_for_security_group
+
+ manifest = {
+ apiVersion = "vpcresources.k8s.aws/v1beta1"
+ kind = "SecurityGroupPolicy"
+ metadata = {
+ name = "fargate-node-${each.value}-sg"
+ namespace = each.value
+ }
+ spec = {
+ podSelector = {
+ matchLabels = {}
+ }
+ securityGroups = {
+ groupIds = [var.eks_worker_security_group_id]
+ }
+ }
+ }
+
+}

modules/fargate_profile/variables.tf

@@ -50,3 +50,17 @@ variable "create_fargate_logger_configmap" {
  type = bool
  default = true
 }
+
+##################################
+### Fargate Selector Namespaces ##
+##################################
+variable "fargate_namespaces_for_security_group" {
+ description = "List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes"
+ type = list(string)
+ default = []
+}
+
+variable "eks_worker_security_group_id" {
+ description = "Security Group ID of the worker nodes"
+ type = string
+}

outputs.tf

@@ -77,3 +77,8 @@ output "cluster_version" {
  description = "Version of the EKS Cluster"
  value = module.eks.cluster_version
 }
+
+output "fargate_namespaces_for_security_group" {
+ description = "value for fargate_namespaces_for_security_group"
+ value = local.fargate_namespaces
+}