
Commit a25f6d0

committed
eks alb ingress controller versions 2.8.3 - 2.13.3
1 parent 0591c44 commit a25f6d0

15 files changed

+3028
-3
lines changed

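--- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.ts
@@ -9,7 +9,7 @@ import { Pinger } from './pinger/pinger';
 import * as eks from 'aws-cdk-lib/aws-eks';
 import { IAM_OIDC_REJECT_UNAUTHORIZED_CONNECTIONS } from 'aws-cdk-lib/cx-api';
 
-const LATEST_VERSION: eks.AlbControllerVersion = eks.AlbControllerVersion.V2_8_2;
+const LATEST_VERSION: eks.AlbControllerVersion = eks.AlbControllerVersion.V2_13_3;
 class EksClusterAlbControllerStack extends Stack {
 constructor(scope: App, id: string) {
 super(scope, id);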

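--- a/packages/aws-cdk-lib/aws-eks/README.md
+++ b/packages/aws-cdk-lib/aws-eks/README.md
@@ -688,7 +688,7 @@ import { KubectlV33Layer } from '@aws-cdk/lambda-layer-kubectl-v33';
 new eks.Cluster(this, 'HelloEKS', {
 version: eks.KubernetesVersion.V1_33,
 albController: {
-version: eks.AlbControllerVersion.V2_8_2,
+version: eks.AlbControllerVersion.V2_13_3,
 },
 kubectlLayer: new KubectlV33Layer(this, 'kubectl'),
 });
@@ -702,7 +702,7 @@ import { KubectlV33Layer } from '@aws-cdk/lambda-layer-kubectl-v33';
 new eks.Cluster(this, 'HelloEKS', {
 version: eks.KubernetesVersion.V1_33,
 albController: {
-version: eks.AlbControllerVersion.V2_8_2,
+version: eks.AlbControllerVersion.V2_13_3,
 additionalHelmChartValues: {
 enableWafv2: false
 }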
Lines changed: 245 additions & 0 deletions
@@ -0,0 +1,245 @@
1+
{
2+
"Version": "2012-10-17",
3+
"Statement": [
4+
{
5+
"Effect": "Allow",
6+
"Action": [
7+
"iam:CreateServiceLinkedRole"
8+
],
9+
"Resource": "*",
10+
"Condition": {
11+
"StringEquals": {
12+
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
13+
}
14+
}
15+
},
16+
{
17+
"Effect": "Allow",
18+
"Action": [
19+
"ec2:DescribeAccountAttributes",
20+
"ec2:DescribeAddresses",
21+
"ec2:DescribeAvailabilityZones",
22+
"ec2:DescribeInternetGateways",
23+
"ec2:DescribeVpcs",
24+
"ec2:DescribeVpcPeeringConnections",
25+
"ec2:DescribeSubnets",
26+
"ec2:DescribeSecurityGroups",
27+
"ec2:DescribeInstances",
28+
"ec2:DescribeNetworkInterfaces",
29+
"ec2:DescribeTags",
30+
"ec2:GetCoipPoolUsage",
31+
"ec2:DescribeCoipPools",
32+
"ec2:GetSecurityGroupsForVpc",
33+
"elasticloadbalancing:DescribeLoadBalancers",
34+
"elasticloadbalancing:DescribeLoadBalancerAttributes",
35+
"elasticloadbalancing:DescribeListeners",
36+
"elasticloadbalancing:DescribeListenerCertificates",
37+
"elasticloadbalancing:DescribeSSLPolicies",
38+
"elasticloadbalancing:DescribeRules",
39+
"elasticloadbalancing:DescribeTargetGroups",
40+
"elasticloadbalancing:DescribeTargetGroupAttributes",
41+
"elasticloadbalancing:DescribeTargetHealth",
42+
"elasticloadbalancing:DescribeTags",
43+
"elasticloadbalancing:DescribeTrustStores",
44+
"elasticloadbalancing:DescribeListenerAttributes"
45+
],
46+
"Resource": "*"
47+
},
48+
{
49+
"Effect": "Allow",
50+
"Action": [
51+
"cognito-idp:DescribeUserPoolClient",
52+
"acm:ListCertificates",
53+
"acm:DescribeCertificate",
54+
"iam:ListServerCertificates",
55+
"iam:GetServerCertificate",
56+
"waf-regional:GetWebACL",
57+
"waf-regional:GetWebACLForResource",
58+
"waf-regional:AssociateWebACL",
59+
"waf-regional:DisassociateWebACL",
60+
"wafv2:GetWebACL",
61+
"wafv2:GetWebACLForResource",
62+
"wafv2:AssociateWebACL",
63+
"wafv2:DisassociateWebACL",
64+
"shield:GetSubscriptionState",
65+
"shield:DescribeProtection",
66+
"shield:CreateProtection",
67+
"shield:DeleteProtection"
68+
],
69+
"Resource": "*"
70+
},
71+
{
72+
"Effect": "Allow",
73+
"Action": [
74+
"ec2:AuthorizeSecurityGroupIngress",
75+
"ec2:RevokeSecurityGroupIngress"
76+
],
77+
"Resource": "*"
78+
},
79+
{
80+
"Effect": "Allow",
81+
"Action": [
82+
"ec2:CreateSecurityGroup"
83+
],
84+
"Resource": "*"
85+
},
86+
{
87+
"Effect": "Allow",
88+
"Action": [
89+
"ec2:CreateTags"
90+
],
91+
"Resource": "arn:aws:ec2:*:*:security-group/*",
92+
"Condition": {
93+
"StringEquals": {
94+
"ec2:CreateAction": "CreateSecurityGroup"
95+
},
96+
"Null": {
97+
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
98+
}
99+
}
100+
},
101+
{
102+
"Effect": "Allow",
103+
"Action": [
104+
"ec2:CreateTags",
105+
"ec2:DeleteTags"
106+
],
107+
"Resource": "arn:aws:ec2:*:*:security-group/*",
108+
"Condition": {
109+
"Null": {
110+
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
111+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
112+
}
113+
}
114+
},
115+
{
116+
"Effect": "Allow",
117+
"Action": [
118+
"ec2:AuthorizeSecurityGroupIngress",
119+
"ec2:RevokeSecurityGroupIngress",
120+
"ec2:DeleteSecurityGroup"
121+
],
122+
"Resource": "*",
123+
"Condition": {
124+
"Null": {
125+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
126+
}
127+
}
128+
},
129+
{
130+
"Effect": "Allow",
131+
"Action": [
132+
"elasticloadbalancing:CreateLoadBalancer",
133+
"elasticloadbalancing:CreateTargetGroup"
134+
],
135+
"Resource": "*",
136+
"Condition": {
137+
"Null": {
138+
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
139+
}
140+
}
141+
},
142+
{
143+
"Effect": "Allow",
144+
"Action": [
145+
"elasticloadbalancing:CreateListener",
146+
"elasticloadbalancing:DeleteListener",
147+
"elasticloadbalancing:CreateRule",
148+
"elasticloadbalancing:DeleteRule"
149+
],
150+
"Resource": "*"
151+
},
152+
{
153+
"Effect": "Allow",
154+
"Action": [
155+
"elasticloadbalancing:AddTags",
156+
"elasticloadbalancing:RemoveTags"
157+
],
158+
"Resource": [
159+
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
160+
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
161+
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
162+
],
163+
"Condition": {
164+
"Null": {
165+
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
166+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
167+
}
168+
}
169+
},
170+
{
171+
"Effect": "Allow",
172+
"Action": [
173+
"elasticloadbalancing:AddTags",
174+
"elasticloadbalancing:RemoveTags"
175+
],
176+
"Resource": [
177+
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
178+
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
179+
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
180+
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
181+
]
182+
},
183+
{
184+
"Effect": "Allow",
185+
"Action": [
186+
"elasticloadbalancing:ModifyLoadBalancerAttributes",
187+
"elasticloadbalancing:SetIpAddressType",
188+
"elasticloadbalancing:SetSecurityGroups",
189+
"elasticloadbalancing:SetSubnets",
190+
"elasticloadbalancing:DeleteLoadBalancer",
191+
"elasticloadbalancing:ModifyTargetGroup",
192+
"elasticloadbalancing:ModifyTargetGroupAttributes",
193+
"elasticloadbalancing:DeleteTargetGroup",
194+
"elasticloadbalancing:ModifyListenerAttributes"
195+
],
196+
"Resource": "*",
197+
"Condition": {
198+
"Null": {
199+
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
200+
}
201+
}
202+
},
203+
{
204+
"Effect": "Allow",
205+
"Action": [
206+
"elasticloadbalancing:AddTags"
207+
],
208+
"Resource": [
209+
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
210+
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
211+
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
212+
],
213+
"Condition": {
214+
"StringEquals": {
215+
"elasticloadbalancing:CreateAction": [
216+
"CreateTargetGroup",
217+
"CreateLoadBalancer"
218+
]
219+
},
220+
"Null": {
221+
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
222+
}
223+
}
224+
},
225+
{
226+
"Effect": "Allow",
227+
"Action": [
228+
"elasticloadbalancing:RegisterTargets",
229+
"elasticloadbalancing:DeregisterTargets"
230+
],
231+
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
232+
},
233+
{
234+
"Effect": "Allow",
235+
"Action": [
236+
"elasticloadbalancing:SetWebAcl",
237+
"elasticloadbalancing:ModifyListener",
238+
"elasticloadbalancing:AddListenerCertificates",
239+
"elasticloadbalancing:RemoveListenerCertificates",
240+
"elasticloadbalancing:ModifyRule"
241+
],
242+
"Resource": "*"
243+
}
244+
]
245+
}
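Review bot: The statement allowing `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` on `"Resource": "*"` carries no `Condition`, so the later statement that grants the same two actions only when `aws:ResourceTag/elbv2.k8s.aws/cluster` is present effectively scopes nothing but `ec2:DeleteSecurityGroup`; the role can edit ingress rules on every security group in the account. The `CreateListener`/`DeleteListener`/`CreateRule`/`DeleteRule` statement and the final statement (`SetWebAcl`, `ModifyListener`, `AddListenerCertificates`, `RemoveListenerCertificates`, `ModifyRule`) are likewise unconditioned on `*`, so they reach load balancers the controller did not create. If these grants are kept as they are to match the controller's published policy (an assumption; the file's origin and path are not shown in this view), the README's albController section should say so, for example `The default controller policy permits security-group ingress and listener changes on resources the controller did not create; supply a narrower policy when other workloads share the account.`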
