diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml index 1cd622e..bfc12e4 100644 --- a/config/controller/kustomization.yaml +++ b/config/controller/kustomization.yaml @@ -6,4 +6,4 @@ kind: Kustomization images: - name: controller newName: public.ecr.aws/aws-controllers-k8s/eks-controller - newTag: 1.4.7 + newTag: 1.5.0 diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 7ea4ce5..85279a1 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: eks-chart description: A Helm chart for the ACK service controller for Amazon Elastic Kubernetes Service (EKS) -version: 1.4.7 -appVersion: 1.4.7 +version: 1.5.0 +appVersion: 1.5.0 home: https://github.com/aws-controllers-k8s/eks-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/helm/crds/eks.services.k8s.aws_accessentries.yaml b/helm/crds/eks.services.k8s.aws_accessentries.yaml index 7d07bb2..20afa8a 100644 --- a/helm/crds/eks.services.k8s.aws_accessentries.yaml +++ b/helm/crds/eks.services.k8s.aws_accessentries.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: accessentries.eks.services.k8s.aws spec: group: eks.services.k8s.aws @@ -60,7 +60,6 @@ spec: description: |- AccessEntrySpec defines the desired state of AccessEntry. - An access entry allows an IAM principal (user or role) to access your cluster. Access entries can replace the need to maintain the aws-auth ConfigMap for authentication. For more information about access entries, see Access entries 
@@ -91,7 +90,7 @@ spec: clusterRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -112,14 +111,12 @@ spec: confirm that the value for name exists in any bindings on your cluster. You can specify one or more names. - Kubernetes authorizes the principalArn of the access entry to access any cluster objects that you've specified in a Kubernetes Role or ClusterRole object that is also specified in a binding's roleRef. For more information about creating Kubernetes RoleBinding, ClusterRoleBinding, Role, or ClusterRole objects, see Using RBAC Authorization in the Kubernetes documentation (https://kubernetes.io/docs/reference/access-authn-authz/rbac/). - If you want Amazon EKS to authorize the principalArn (instead of, or in addition to Kubernetes authorizing the principalArn), you can associate one or more access policies to the access entry using AssociateAccessPolicy. If you associate @@ -135,7 +132,6 @@ spec: for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation. - The valid principals differ depending on the type of the access entry in the type field. The only valid ARN is IAM roles for the types of access entries for nodes: . You can use every IAM principal type for STANDARD access entries. @@ -143,7 +139,6 @@ spec: this is a temporary principal for each session and not a permanent identity that can be assigned permissions. - IAM best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials. 
@@ -161,7 +156,6 @@ spec: The type of the new access entry. Valid values are Standard, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. - If the principalArn is for an IAM role that's used for self-managed Amazon EC2 nodes, specify EC2_LINUX or EC2_WINDOWS. Amazon EKS grants the necessary permissions to the node for you. If the principalArn is for any other purpose, @@ -171,7 +165,6 @@ spec: entries in the aws-auth ConfigMap for the roles. You can't change this value once you've created the access entry. - If you set the value to EC2_LINUX or EC2_WINDOWS, you can't specify values for kubernetesGroups, or associate an AccessPolicy to the access entry. type: string @@ -203,7 +196,6 @@ spec: when it has verified that an "adopted" resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR's Spec field values. - TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 type: string ownerAccountID: diff --git a/helm/crds/eks.services.k8s.aws_addons.yaml b/helm/crds/eks.services.k8s.aws_addons.yaml index bf07929..63ea57c 100644 --- a/helm/crds/eks.services.k8s.aws_addons.yaml +++ b/helm/crds/eks.services.k8s.aws_addons.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: addons.eks.services.k8s.aws spec: group: eks.services.k8s.aws @@ -64,7 +64,6 @@ spec: description: |- AddonSpec defines the desired state of Addon. - An Amazon EKS add-on. For more information, see Amazon EKS add-ons (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) in the Amazon EKS User Guide. properties: 
@@ -84,7 +83,7 @@ spec: clusterRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -113,25 +112,21 @@ spec: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose: - - None – If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail. - - Overwrite – If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. - - Preserve – This is similar to the NONE option. If the self-managed version of the add-on is installed on your cluster Amazon EKS doesn't change the add-on resource properties. Creation of the add-on might fail if conflicts are detected. This option works differently during the update operation. For more information, see UpdateAddon (https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html). - If you don't currently have the self-managed version of the add-on installed on your cluster, the Amazon EKS add-on is installed. Amazon EKS sets all values to default values, regardless of the option that you specify. @@ -145,7 +140,6 @@ spec: Amazon EKS node IAM role (https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html) in the Amazon EKS User Guide. - To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see Enabling IAM roles for service accounts on your cluster (https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) 
@@ -154,7 +148,7 @@ spec: serviceAccountRoleRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -196,7 +190,6 @@ spec: when it has verified that an "adopted" resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR's Spec field values. - TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 type: string ownerAccountID: diff --git a/helm/crds/eks.services.k8s.aws_clusters.yaml b/helm/crds/eks.services.k8s.aws_clusters.yaml index 0bd9dcc..c3b7033 100644 --- a/helm/crds/eks.services.k8s.aws_clusters.yaml +++ b/helm/crds/eks.services.k8s.aws_clusters.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: clusters.eks.services.k8s.aws spec: group: eks.services.k8s.aws @@ -61,7 +61,6 @@ spec: description: |- ClusterSpec defines the desired state of Cluster. - An object representing an Amazon EKS cluster. properties: accessConfig: @@ -125,7 +124,6 @@ spec: plane logs (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) in the Amazon EKS User Guide . - CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing (http://aws.amazon.com/cloudwatch/pricing/). 
@@ -201,7 +199,7 @@ spec: items: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly - syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -225,7 +223,7 @@ spec: items: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly - syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -252,7 +250,7 @@ spec: roleRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -279,7 +277,6 @@ spec: The desired Kubernetes version for your cluster. If you don't specify a value here, the default version available in Amazon EKS is used. - The default version might not be the latest version available. type: string required: @@ -303,7 +300,6 @@ spec: when it has verified that an "adopted" resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR's Spec field values. - TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 type: string ownerAccountID: diff --git a/helm/crds/eks.services.k8s.aws_fargateprofiles.yaml b/helm/crds/eks.services.k8s.aws_fargateprofiles.yaml index 5cdd8ca..bc03ead 100644 --- a/helm/crds/eks.services.k8s.aws_fargateprofiles.yaml +++ b/helm/crds/eks.services.k8s.aws_fargateprofiles.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: fargateprofiles.eks.services.k8s.aws spec: group: eks.services.k8s.aws @@ -57,7 +57,6 @@ spec: description: |- FargateProfileSpec defines the desired state of FargateProfile. - An object representing an Fargate profile. properties: clientRequestToken: @@ -71,7 +70,7 @@ spec: clusterRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -100,7 +99,7 @@ spec: podExecutionRoleRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -135,7 +134,7 @@ spec: items: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -186,7 +185,6 @@ spec: when it has verified that an "adopted" resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR's Spec field values. - TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 type: string ownerAccountID: 
diff --git a/helm/crds/eks.services.k8s.aws_identityproviderconfigs.yaml b/helm/crds/eks.services.k8s.aws_identityproviderconfigs.yaml index f0f7cba..7655856 100644 --- a/helm/crds/eks.services.k8s.aws_identityproviderconfigs.yaml +++ b/helm/crds/eks.services.k8s.aws_identityproviderconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: identityproviderconfigs.eks.services.k8s.aws spec: group: eks.services.k8s.aws @@ -41,7 +41,6 @@ spec: description: |- IdentityProviderConfigSpec defines the desired state of IdentityProviderConfig. - An object representing an identity provider configuration. properties: clusterName: @@ -50,7 +49,7 @@ spec: clusterRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -116,7 +115,6 @@ spec: when it has verified that an "adopted" resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR's Spec field values. - TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 type: string ownerAccountID: diff --git a/helm/crds/eks.services.k8s.aws_nodegroups.yaml b/helm/crds/eks.services.k8s.aws_nodegroups.yaml index 5e07370..b199a3c 100644 --- a/helm/crds/eks.services.k8s.aws_nodegroups.yaml +++ b/helm/crds/eks.services.k8s.aws_nodegroups.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: nodegroups.eks.services.k8s.aws spec: group: eks.services.k8s.aws @@ -73,7 +73,6 @@ spec: description: |- NodegroupSpec defines the desired state of Nodegroup. - An object representing an Amazon EKS managed node group. properties: amiType: @@ -100,7 +99,7 @@ spec: clusterRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -183,7 +182,7 @@ spec: nodeRoleRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -208,7 +207,6 @@ spec: Windows versions, see Amazon EKS optimized Windows AMI versions (https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-versions-windows.html) in the Amazon EKS User Guide. - If you specify launchTemplate, and your launch template uses a custom AMI, then don't specify releaseVersion, or the node group deployment will fail. For more information about using launch templates with Amazon EKS, see Launch @@ -231,7 +229,7 @@ spec: items: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly - syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: 
@@ -270,7 +268,7 @@ spec: items: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -362,7 +360,6 @@ spec: when it has verified that an "adopted" resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR's Spec field values. - TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 type: string ownerAccountID: diff --git a/helm/crds/eks.services.k8s.aws_podidentityassociations.yaml b/helm/crds/eks.services.k8s.aws_podidentityassociations.yaml index 4461930..b796796 100644 --- a/helm/crds/eks.services.k8s.aws_podidentityassociations.yaml +++ b/helm/crds/eks.services.k8s.aws_podidentityassociations.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: podidentityassociations.eks.services.k8s.aws spec: group: eks.services.k8s.aws @@ -65,7 +65,6 @@ spec: description: |- PodIdentityAssociationSpec defines the desired state of PodIdentityAssociation. - Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. @@ -81,7 +80,7 @@ spec: clusterRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: 
@@ -110,7 +109,7 @@ spec: roleRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax - for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t \ name: my-api" properties: from: @@ -137,32 +136,24 @@ spec: of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources. - The following basic restrictions apply to tags: - - Maximum number of tags per resource – 50 - - For each resource, each tag key must be unique, and each tag key can have only one value. - - Maximum key length – 128 Unicode characters in UTF-8 - - Maximum value length – 256 Unicode characters in UTF-8 - - If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @. - - Tag keys and values are case-sensitive. - - Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. @@ -190,7 +181,6 @@ spec: when it has verified that an "adopted" resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR's Spec field values. - TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 type: string ownerAccountID: diff --git a/helm/crds/services.k8s.aws_adoptedresources.yaml b/helm/crds/services.k8s.aws_adoptedresources.yaml index 65eff73..b7be322 100644 --- a/helm/crds/services.k8s.aws_adoptedresources.yaml +++ b/helm/crds/services.k8s.aws_adoptedresources.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: adoptedresources.services.k8s.aws spec: group: services.k8s.aws @@ -78,11 +78,9 @@ spec: automatically converts this to an arbitrary string-string map. https://github.com/kubernetes-sigs/controller-tools/issues/385 - Active discussion about inclusion of this field in the spec is happening in this PR: https://github.com/kubernetes-sigs/controller-tools/pull/395 - Until this is allowed, or if it never is, we will produce a subset of the object meta that contains only the fields which the user is allowed to modify in the metadata. properties: @@ -105,13 +103,11 @@ spec: and may be truncated by the length of the suffix required to make the value unique on the server. - If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). - Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency type: string @@ -140,7 +136,6 @@ spec: Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. - Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces diff --git a/helm/crds/services.k8s.aws_fieldexports.yaml b/helm/crds/services.k8s.aws_fieldexports.yaml index 4d3a8f1..49b4f38 100644 --- a/helm/crds/services.k8s.aws_fieldexports.yaml +++ b/helm/crds/services.k8s.aws_fieldexports.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: fieldexports.services.k8s.aws spec: group: services.k8s.aws diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt index d4df838..52f77dc 100644 --- a/helm/templates/NOTES.txt +++ b/helm/templates/NOTES.txt @@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/eks-controller:1.4.7". +This chart deploys "public.ecr.aws/aws-controllers-k8s/eks-controller:1.5.0". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index 6cb8891..7c8ca4a 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl @@ -55,6 +55,7 @@ rules: - "" resources: - configmaps + - secrets verbs: - get - list @@ -68,39 +69,12 @@ rules: - get - list - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - patch - - watch - apiGroups: - ec2.services.k8s.aws resources: - securitygroups - verbs: - - get - - list -- apiGroups: - - ec2.services.k8s.aws - resources: - securitygroups/status - verbs: - - get - - list -- apiGroups: - - ec2.services.k8s.aws - resources: - subnets - verbs: - - get - - list -- apiGroups: - - ec2.services.k8s.aws - resources: - subnets/status verbs: - get 
@@ -109,125 +83,11 @@ rules: - eks.services.k8s.aws resources: - accessentries - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - eks.services.k8s.aws - resources: - - accessentries/status - verbs: - - get - - patch - - update -- apiGroups: - - eks.services.k8s.aws - resources: - addons - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - eks.services.k8s.aws - resources: - - addons/status - verbs: - - get - - patch - - update -- apiGroups: - - eks.services.k8s.aws - resources: - clusters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - eks.services.k8s.aws - resources: - - clusters/status - verbs: - - get - - patch - - update -- apiGroups: - - eks.services.k8s.aws - resources: - fargateprofiles - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - eks.services.k8s.aws - resources: - - fargateprofiles/status - verbs: - - get - - patch - - update -- apiGroups: - - eks.services.k8s.aws - resources: - identityproviderconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - eks.services.k8s.aws - resources: - - identityproviderconfigs/status - verbs: - - get - - patch - - update -- apiGroups: - - eks.services.k8s.aws - resources: - nodegroups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - eks.services.k8s.aws - resources: - - nodegroups/status - verbs: - - get - - patch - - update -- apiGroups: - - eks.services.k8s.aws - resources: - podidentityassociations verbs: - create @@ -240,6 +100,12 @@ rules: - apiGroups: - eks.services.k8s.aws resources: + - accessentries/status + - addons/status + - clusters/status + - fargateprofiles/status + - identityproviderconfigs/status + - nodegroups/status - podidentityassociations/status verbs: - get 
@@ -249,12 +115,6 @@ rules: - iam.services.k8s.aws resources: - roles - verbs: - - get - - list -- apiGroups: - - iam.services.k8s.aws - resources: - roles/status verbs: - get @@ -263,12 +123,6 @@ rules: - kms.services.k8s.aws resources: - keys - verbs: - - get - - list -- apiGroups: - - kms.services.k8s.aws - resources: - keys/status verbs: - get @@ -277,25 +131,6 @@ rules: - services.k8s.aws resources: - adoptedresources - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - services.k8s.aws - resources: - - adoptedresources/status - verbs: - - get - - patch - - update -- apiGroups: - - services.k8s.aws - resources: - fieldexports verbs: - create @@ -308,6 +143,7 @@ rules: - apiGroups: - services.k8s.aws resources: + - adoptedresources/status - fieldexports/status verbs: - get diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml index 7c2fc39..13be250 100644 --- a/helm/templates/deployment.yaml +++ b/helm/templates/deployment.yaml @@ -152,6 +152,7 @@ spec: securityContext: allowPrivilegeEscalation: false privileged: false + readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: diff --git a/helm/values.yaml b/helm/values.yaml index 0689619..20b3e9a 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/eks-controller - tag: 1.4.7 + tag: 1.5.0 pullPolicy: IfNotPresent pullSecrets: []
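Review bot: in config/controller/kustomization.yaml the controller image is still selected by a mutable tag (`newTag: 1.5.0`). The kustomize `images` entry also accepts a `digest:` field; pinning the release by digest as part of the version bump would tie the deployed controller to the exact image that was published, rather than to whatever the tag resolves to at pull time.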
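Review bot: the hunks under helm/crds/ carry no upgrade guidance, although every CRD file is touched. The visible changes are the `controller-gen.kubebuilder.io/version` annotation (v0.14.0 to v0.16.2) and removed separator lines inside `description` text, with no schema field added or removed. Helm installs the files in a chart's crds/ directory on first install only and does not update them on upgrade, so the release notes should say whether clusters moving from 1.4.7 need to re-apply these CRDs or can skip that step.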
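Review bot: in helm/templates/_helpers.tpl, hunk @@ -55,6 +55,7 @@ adds `- secrets` to the core-group rule that already lists `configmaps`, and the following hunk deletes the dedicated secrets rule whose verbs were get, list, patch, watch. The context shows only `get` and `list` for the merged rule, so the full verb list cannot be checked from this diff. Please confirm that the merged rule grants secrets exactly the old four verbs and that configmaps do not gain a verb they lacked before; if the two sets differ, keep secrets in its own rule.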
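Review bot: in helm/templates/_helpers.tpl, hunks @@ -109,125 +83,11 @@ and @@ -240,6 +100,12 @@ fold the per-resource eks.services.k8s.aws rules and their `/status` rules into two shared rules, and the diff shows only the resource names being moved, not the complete verb lists they now inherit. The removed rules granted create, delete, get, list, patch, update, watch on the resources and get, patch, update on status. Attaching a rendered-manifest diff (`helm template` before and after) to the PR would show that the effective permissions are unchanged by the consolidation.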
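Review bot: helm/templates/deployment.yaml adds `readOnlyRootFilesystem: true` to the container securityContext, but the hunk adds no writable volume alongside it. If the controller or a library it uses writes to a path such as /tmp at runtime, the pod will fail after the upgrade. Either confirm that the binary writes nothing to its root filesystem or mount an emptyDir for the paths it needs, and mention the hardening in the release notes so operators with custom pod policies know the default changed.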
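Review bot: helm/templates/NOTES.txt hard-codes the image string (`This chart deploys "public.ecr.aws/aws-controllers-k8s/eks-controller:1.5.0".`) while helm/values.yaml exposes `image.repository` and `image.tag`. A user who overrides the tag gets a post-install message naming an image that is not the one running. Rendering the line from `.Values.image.repository` and `.Values.image.tag` fixes that and removes one file from every release bump.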