feat(eks): connect all custom resources to the cluster VPC #10200
Conversation
|
Title does not follow the guidelines of Conventional Commits. Please adjust title before merge. |
|
is it possible to add ability to define proxy for lambda functions as aws doesn't have vpc endpoints for api's, for example to reach eks api from private network? |
|
@alexey-boyko Yes it will be possible |
cool thanks, ping me if you need me to test |
|
@iliapolo hello, any plans to merge it this year? |
|
@alexey-boyko Yes it is on our roadmap for this quarter. |
|
|
iliapolo
force-pushed
the
epolon/eks-vpc-all-functions
branch
from
84a0b92 to
18716b0
Compare
| @@ -97,6 +97,8 @@ export class KubectlProvider extends NestedStack { | |||
|
|
|||
| const provider = new cr.Provider(this, 'Provider', { | |||
| onEventHandler: handler, | |||
| vpc: cluster.kubectlPrivateSubnets ? cluster.vpc : undefined, | |||
There was a problem hiding this comment.
This isn't related to the placeClusterHandlerInVpc property. But seems like we should have done this when we introduced private endpoints, consolidating all the related functions into the same network.
| const CLUSTER_VERSION = eks.KubernetesVersion.V1_18; | ||
|
|
||
|
|
||
| class EksAllHandlersInVpcStack extends TestStack { |
There was a problem hiding this comment.
Reluctantly, adding another integ test because this property affects the cluster deployment and operation.
github-actions
bot
added
the
@aws-cdk/aws-eks
| * | ||
| * @default false | ||
| */ | ||
| readonly placeClusterHandlerInVpc?: boolean; |
There was a problem hiding this comment.
It would make sense to use a similar prefix:
| readonly placeClusterHandlerInVpc?: boolean; | |
| readonly clusterHandlerVpc?: boolean; |
| @@ -459,7 +460,18 @@ If the endpoint does not expose private access (via `EndpointAccess.PUBLIC`) **o | |||
|
|
|||
| #### Cluster Handler | |||
|
|
|||
| The `ClusterHandler` is a Lambda function responsible to interact the EKS API in order to control the cluster lifecycle. At the moment, this function cannot be provisioned inside the VPC. See [Attach all Lambda Function to a VPC](https://github.com/aws/aws-cdk/issues/9509) for more details. | |||
| The `ClusterHandler` is a Lambda function responsible to interact with the EKS API in order to control the cluster lifecycle. To provision this function inside the VPC, set the `placeClusterHandlerInVpc` property to `true`. This will place the function inside the private subnets of the VPC based on the selection strategy specified in the [`vpcSubnets`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-eks.Cluster.html#vpcsubnetsspan-classapi-icon-api-icon-experimental-titlethis-api-element-is-experimental-it-may-change-without-noticespan) property. | |||
There was a problem hiding this comment.
What about the kubectl handler?
|
Okay now just saw the PR description |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Allow all our lambda handlers to be provisioned inside the cluster VPC. The `KubectlProvider` handlers were already placed inside the VPC is they could have, the missing was to include the `ClusterHandler`. This is now possible via the `placeClusterHandlerInVpc` (names are welcome) property. Default value remains `false` because if the VPC happens to be isolated (i.e no outbound internet access) this would break the deployment. (See aws#12171) Closes aws#9509 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Following #10200, our `KubectlProvider` functions are now provisioned inside a VPC when applicable. A somewhat unintended side effect is that the provider framework will **create** and use a dedicated security group for its functions. This can violate organizational policies that don't allow CDK to create security groups. We can easily avoid this by simply reusing the `kubectlSecurityGroup`, which must be defined in this case, and passing it to the provider. Fixes #12952 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Following #10200, our `KubectlProvider` functions are now provisioned inside a VPC when applicable. A somewhat unintended side effect is that the provider framework will **create** and use a dedicated security group for its functions. This can violate organizational policies that don't allow CDK to create security groups. We can easily avoid this by simply reusing the `kubectlSecurityGroup`, which must be defined in this case, and passing it to the provider. Fixes #12952 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Allow all our lambda handlers to be provisioned inside the cluster VPC.
The
KubectlProviderhandlers were already placed inside the VPC is they could have, the missing was to include theClusterHandler. This is now possible via theplaceClusterHandlerInVpc(names are welcome) property.Default value remains
falsebecause if the VPC happens to be isolated (i.e no outbound internet access) this would break the deployment. (See #12171)Closes #9509
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license