Skip to content

Commit

Permalink
fix(eks): missing nodegroup identity in aws-auth after awsAuth.addMas…
Browse files Browse the repository at this point in the history 
…terRole (#8901)

fix(eks): missing nodegroup identity in aws-auth after awsAuth.addMasterRole

This PR adds the state tracking by `awsAuth.addRoleMapping` for the managed nodegroups

Fixed: #7595 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
@pahud
pahud authored Jul 6, 2020
1 parent 57914c7 commit a9c66f7
Show file tree
Hide file tree
Showing 5 changed files with 143 additions and 3 deletions.
14 changes: 12 additions & 2 deletions packages/@aws-cdk/aws-eks/lib/managed-nodegroup.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -263,8 +263,18 @@ export class Nodegroup extends Resource implements INodegroup {
tags: props.tags,
});

// As managed nodegroup will auto map the instance role to RBAC behind the scene and users don't have to manually
// do it anymore. We don't need to print out the instance role arn now.
// managed nodegroups update the `aws-auth` on creation, but we still need to track
// its state for consistency.
if (this.cluster.kubectlEnabled) {
// see https://docs.aws.amazon.com/en_us/eks/latest/userguide/add-user-role.html
this.cluster.awsAuth.addRoleMapping(this.role, {
username: 'system:node:{{EC2PrivateDNSName}}',
groups: [
'system:bootstrappers',
'system:nodes',
],
});
}

this.nodegroupArn = this.getResourceArnAttribute(resource.attrArn, {
service: 'eks',
Expand Down
14 changes: 14 additions & 0 deletions packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -894,6 +894,13 @@
]
},
"\\\",\\\"groups\\\":[\\\"system:masters\\\"]},{\\\"rolearn\\\":\\\"",
{
"Fn::GetAtt": [
"ClusterNodegroupDefaultCapacityNodeGroupRole55953B04",
"Arn"
]
},
"\\\",\\\"username\\\":\\\"system:node:{{EC2PrivateDNSName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\"]},{\\\"rolearn\\\":\\\"",
{
"Fn::GetAtt": [
"ClusterfargateprofiledefaultPodExecutionRole09952CFF",
Expand Down Expand Up @@ -928,6 +935,13 @@
"Arn"
]
},
"\\\",\\\"username\\\":\\\"system:node:{{EC2PrivateDNSName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\"]},{\\\"rolearn\\\":\\\"",
{
"Fn::GetAtt": [
"ClusterNodegroupextrangNodeGroupRole23AE23D0",
"Arn"
]
},
"\\\",\\\"username\\\":\\\"system:node:{{EC2PrivateDNSName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\"]}]\",\"mapUsers\":\"[]\",\"mapAccounts\":\"[]\"}}]"
]
]
Expand Down
63 changes: 62 additions & 1 deletion packages/@aws-cdk/aws-eks/test/test.awsauth.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,13 @@ export = {
'',
[
'[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system"},"data":{"mapRoles":"[{\\"rolearn\\":\\"',
{
'Fn::GetAtt': [
'ClusterNodegroupDefaultCapacityNodeGroupRole55953B04',
'Arn',
],
},
'\\",\\"username\\":\\"system:node:{{EC2PrivateDNSName}}\\",\\"groups\\":[\\"system:bootstrappers\\",\\"system:nodes\\"]},{\\"rolearn\\":\\"',
{
'Fn::GetAtt': [
'roleC7B7E775',
Expand Down Expand Up @@ -120,7 +127,14 @@ export = {
'Fn::Join': [
'',
[
'[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system"},"data":{"mapRoles":"[{\\"rolearn\\":\\"arn:aws:iam::123456789012:role/S3Access\\",\\"username\\":\\"arn:aws:iam::123456789012:role/S3Access\\",\\"groups\\":[\\"group1\\"]}]","mapUsers":"[{\\"userarn\\":\\"arn:',
'[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system"},"data":{"mapRoles":"[{\\"rolearn\\":\\"',
{
'Fn::GetAtt': [
'ClusterNodegroupDefaultCapacityNodeGroupRole55953B04',
'Arn',
],
},
'\\",\\"username\\":\\"system:node:{{EC2PrivateDNSName}}\\",\\"groups\\":[\\"system:bootstrappers\\",\\"system:nodes\\"]},{\\"rolearn\\":\\"arn:aws:iam::123456789012:role/S3Access\\",\\"username\\":\\"arn:aws:iam::123456789012:role/S3Access\\",\\"groups\\":[\\"group1\\"]}]\",\"mapUsers\":\"[{\\"userarn\\":\\"arn:',
{
Ref: 'AWS::Partition',
},
Expand All @@ -142,6 +156,53 @@ export = {
},
}));

test.done();
},
'addMastersRole after addNodegroup correctly'(test: Test) {
// GIVEN
const { stack } = testFixtureNoVpc();
const cluster = new Cluster(stack, 'Cluster', { version: CLUSTER_VERSION });
cluster.addNodegroup('NG');
const role = iam.Role.fromRoleArn(stack, 'imported-role', 'arn:aws:iam::123456789012:role/S3Access');

// WHEN
cluster.awsAuth.addMastersRole(role);

// THEN
expect(stack).to(haveResource(KubernetesResource.RESOURCE_TYPE, {
Manifest: {
'Fn::Join': [
'',
[
'[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system"},"data":{"mapRoles":"[{\\"rolearn\\":\\"',
{
'Fn::GetAtt': [
'ClusterNodegroupDefaultCapacityNodeGroupRole55953B04',
'Arn',
],
},
'\\",\\"username\\":\\"system:node:{{EC2PrivateDNSName}}\\",\\"groups\\":[\\"system:bootstrappers\\",\\"system:nodes\\"]},{\\"rolearn\\":\\"',
{
'Fn::GetAtt': [
'ClusterNodegroupNGNodeGroupRole7C078920',
'Arn',
],
},
'\\",\\"username\\":\\"system:node:{{EC2PrivateDNSName}}\\",\\"groups\\":[\\"system:bootstrappers\\",\\"system:nodes\\"]},{\\"rolearn\\":\\"arn:aws:iam::123456789012:role/S3Access\\",\\"username\\":\\"arn:aws:iam::123456789012:role/S3Access\\",\\"groups\\":[\\"system:masters\\"]}]","mapUsers":"[]","mapAccounts":"[]"}}]',
],
],
},
ClusterName: {
Ref: 'Cluster9EE0221C',
},
RoleArn: {
'Fn::GetAtt': [
'ClusterCreationRole360249B6',
'Arn',
],
},
}));

test.done();
},
};
12 changes: 12 additions & 0 deletions packages/@aws-cdk/aws-eks/test/test.cluster.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -923,6 +923,18 @@ export = {
],
},
},
{
Action: 'sts:AssumeRole',
Effect: 'Allow',
Principal: {
AWS: {
'Fn::GetAtt': [
'awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B',
'Outputs.StackawscdkawseksKubectlProviderHandlerServiceRole2C52B3ECArn',
],
},
},
},
],
Version: '2012-10-17',
},
Expand Down
43 changes: 43 additions & 0 deletions packages/@aws-cdk/aws-eks/test/test.nodegroup.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,49 @@ export = {
));
test.done();
},
'aws-auth will be updated'(test: Test) {
// GIVEN
const { stack, vpc } = testFixture();

// WHEN
const cluster = new eks.Cluster(stack, 'Cluster', {
vpc,
kubectlEnabled: true,
defaultCapacity: 0,
version: CLUSTER_VERSION,
});
new eks.Nodegroup(stack, 'Nodegroup', { cluster });

// THEN
// THEN
expect(stack).to(haveResource(eks.KubernetesResource.RESOURCE_TYPE, {
Manifest: {
'Fn::Join': [
'',
[
'[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system"},"data":{"mapRoles":"[{\\"rolearn\\":\\"',
{
'Fn::GetAtt': [
'NodegroupNodeGroupRole038A128B',
'Arn',
],
},
'\\",\\"username\\":\\"system:node:{{EC2PrivateDNSName}}\\",\\"groups\\":[\\"system:bootstrappers\\",\\"system:nodes\\"]}]","mapUsers":"[]","mapAccounts":"[]"}}]',
],
],
},
ClusterName: {
Ref: 'Cluster9EE0221C',
},
RoleArn: {
'Fn::GetAtt': [
'ClusterCreationRole360249B6',
'Arn',
],
},
}));
test.done();
},
'create nodegroup correctly with security groups provided'(test: Test) {
// GIVEN
const { stack, vpc } = testFixture();
Expand Down

0 comments on commit a9c66f7

Please sign in to comment.