ci: Update E2E testing to use Pod Identity (#5262)

aws · Dec 7, 2023 · 77d2753 · 77d2753
1 parent 3e5f521
commit 77d2753
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 26 deletions.
diff --git a/.github/actions/e2e/setup-cluster/action.yaml b/.github/actions/e2e/setup-cluster/action.yaml
@@ -30,7 +30,7 @@ inputs:
     default: "1.28"
   eksctl_version:
     description: "Version of eksctl to install"
-    default: v0.164.0
+    default: v0.165.0
   ip_family:
     description: "IP Family of the cluster. Valid values are IPv4 or IPv6"
     default: "IPv4"
@@ -110,23 +110,19 @@ runs:
           logRetentionInDays: 30
       iam:
         serviceRolePermissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
-        serviceAccounts:
-          - metadata:
-              name: karpenter
-              namespace: kube-system
-            attachPolicyARNs:
-              - "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicy-${{ inputs.cluster_name }}"
-            permissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
+        podIdentityAssociations:
+          - namespace: kube-system
+            serviceAccountName: karpenter
             roleName: karpenter-irsa-${{ inputs.cluster_name }}
-            roleOnly: true
-          - metadata:
-              name: prometheus-kube-prometheus-prometheus
-              namespace: prometheus
-            attachPolicyARNs:
-              - "arn:aws:iam::${{ inputs.account_id }}:policy/PrometheusWorkspaceIngestionPolicy"
-            permissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
+            permissionsBoundaryARN: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
+            permissionPolicyARNs: 
+              - "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicy-${{ inputs.cluster_name }}"
+          - namespace: prometheus-kube-prometheus-prometheus
+            serviceAccountName: prometheus
             roleName: prometheus-irsa-${{ inputs.cluster_name }}
-            roleOnly: true
+            permissionsBoundaryARN: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
+            permissionPolicyARNs:
+              - "arn:aws:iam::${{ inputs.account_id }}:policy/PrometheusWorkspaceIngestionPolicy"
         withOIDC: true
       addons:
       - name: vpc-cni
@@ -139,6 +135,8 @@ runs:
         permissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
         wellKnownPolicies:
           ebsCSIController: true
+      - name: eks-pod-identity-agent
+        permissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
       EOF
 
       if [[ ${{ inputs.private_cluster }} == 'true' ]]; then
@@ -148,10 +146,6 @@ runs:
 
       eksctl ${cmd} cluster -f clusterconfig.yaml
 
-      # We need to call these update iamserviceaccount commands again since the "eksctl upgrade cluster" action
-      # doesn't handle updates to IAM serviceaccounts correctly when the roles assigned to them change
-      eksctl update iamserviceaccount -f clusterconfig.yaml --approve
-
       # Add the SQS and SSM VPC endpoints if we are creating a private cluster
       # We need to grab all of the VPC details for the cluster in order to add the endpoint
       if [[ ${{ inputs.private_cluster }} == 'true' ]]; then

diff --git a/.github/workflows/e2e-cleanup.yaml b/.github/workflows/e2e-cleanup.yaml
@@ -38,4 +38,4 @@ jobs:
           region: ${{ inputs.region }}
           cluster_name: ${{ inputs.cluster_name }}
           git_ref: ${{ inputs.git_ref }}
-          eksctl_version: v0.164.0
+          eksctl_version: v0.165.0
diff --git a/.github/workflows/e2e-upgrade.yaml b/.github/workflows/e2e-upgrade.yaml
@@ -89,7 +89,7 @@ jobs:
           region: ${{ inputs.region }}
           cluster_name: ${{ steps.generate-cluster-name.outputs.CLUSTER_NAME }}
           k8s_version: ${{ inputs.k8s_version }}
-          eksctl_version: v0.164.0
+          eksctl_version: v0.165.0
           ip_family: IPv4 # Set the value to IPv6 if IPv6 suite, else IPv4
           git_ref: ${{ inputs.from_git_ref }}
           ecr_account_id: ${{ vars.ECR_ACCOUNT_ID }}
@@ -107,7 +107,7 @@ jobs:
           region: ${{ inputs.region }}
           cluster_name: ${{ steps.generate-cluster-name.outputs.CLUSTER_NAME }}
           k8s_version: ${{ inputs.k8s_version }}
-          eksctl_version: v0.164.0
+          eksctl_version: v0.165.0
           ip_family: IPv4 # Set the value to IPv6 if IPv6 suite, else IPv4
           git_ref: ${{ inputs.to_git_ref }}
           ecr_account_id: ${{ vars.ECR_ACCOUNT_ID }}
@@ -151,7 +151,7 @@ jobs:
           region: ${{ inputs.region }}
           cluster_name: ${{ steps.generate-cluster-name.outputs.CLUSTER_NAME }}
           git_ref: ${{ inputs.to_git_ref }}
-          eksctl_version: v0.164.0
+          eksctl_version: v0.165.0
       - if: always() && github.event_name == 'workflow_run'
         uses: ./.github/actions/commit-status/end
         with:

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -108,7 +108,7 @@ jobs:
           region: ${{ inputs.region }}
           cluster_name: ${{ steps.generate-cluster-name.outputs.CLUSTER_NAME }}
           k8s_version: ${{ inputs.k8s_version }}
-          eksctl_version: v0.164.0
+          eksctl_version: v0.165.0
           ip_family: ${{ contains(inputs.suite, 'IPv6') && 'IPv6' || 'IPv4' }} # Set the value to IPv6 if IPv6 suite, else IPv4
           private_cluster: ${{ inputs.suite == 'PrivateCluster' }}
           git_ref: ${{ inputs.git_ref }}
@@ -152,7 +152,7 @@ jobs:
           region: ${{ inputs.region }}
           cluster_name: ${{ steps.generate-cluster-name.outputs.CLUSTER_NAME }}
           git_ref: ${{ inputs.git_ref }}
-          eksctl_version: v0.164.0
+          eksctl_version: v0.165.0
       - if: always() && github.event_name == 'workflow_run'
         uses: ./.github/actions/commit-status/end
         with:

diff --git a/test/cloudformation/iam_cloudformation.yaml b/test/cloudformation/iam_cloudformation.yaml
@@ -238,6 +238,7 @@ Resources:
               - eks:CreateCluster
               - eks:CreateAddon
               - eks:CreateNodegroup
+              - eks:CreatePodIdentityAssociation
               - eks:DeleteCluster
               - eks:ListFargateProfiles
               - eks:TagResource
@@ -328,6 +329,8 @@ Resources:
           - Effect: Allow
             Action: iam:PassRole
             Resource:
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/karpenter-irsa-*"
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/prometheus-irsa-*"
               - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/KarpenterNodeRole-*"
               - !GetAtt FISInterruptionRole.Arn
           - Effect: Allow