Drop support for v1alpha Karpenter APIs

Ensure to update karpenter to 0.32+ before upgrading cluster to k8s 1.30
cookpad · Jul 24, 2024 · 29315c3 · 29315c3
1 parent 29a732d
commit 29315c3
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 274 deletions.
diff --git a/modules/karpenter/controller_iam.tf b/modules/karpenter/controller_iam.tf
@@ -28,274 +28,17 @@ data "aws_iam_policy_document" "karpenter_controller_assume_role_policy" {
   }
 }
 
-resource "aws_iam_role_policy" "karpenter_controller_v1_alpha" {
-  count  = var.v1alpha ? 1 : 0
-  name   = "KarpenterController"
-  role   = aws_iam_role.karpenter_controller.id
-  policy = data.aws_iam_policy_document.karpenter_controller_v1_alpha.json
-}
-
-moved {
-  from = aws_iam_role_policy.karpenter_controller
-  to   = aws_iam_role_policy.karpenter_controller_v1_alpha[0]
-}
-
-data "aws_iam_policy_document" "karpenter_controller_v1_alpha" {
-  statement {
-    sid    = "AllowScopedEC2InstanceActions"
-    effect = "Allow"
-
-    # tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}::image/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}::snapshot/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:spot-instances-request/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:security-group/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:subnet/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
-    ]
-
-    actions = [
-      "ec2:RunInstances",
-      "ec2:CreateFleet",
-    ]
-  }
-
-  statement {
-    sid    = "AllowScopedEC2LaunchTemplateAccessActions"
-    effect = "Allow"
-
-    # tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
-    ]
-
-    actions = [
-      "ec2:RunInstances",
-      "ec2:CreateFleet",
-    ]
-
-    condition {
-      test     = "StringLike"
-      variable = "aws:RequestTag/karpenter.sh/provisioner-name"
-      values   = ["*"]
-    }
-  }
-
-  statement {
-    sid    = "AllowScopedEC2InstanceActionsWithTags"
-    effect = "Allow"
-
-    # tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:fleet/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:volume/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:network-interface/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
-    ]
-
-    actions = [
-      "ec2:RunInstances",
-      "ec2:CreateFleet",
-      "ec2:CreateLaunchTemplate",
-    ]
-
-    condition {
-      test     = "StringEquals"
-      variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_config.name}"
-      values   = ["owned"]
-    }
-
-    condition {
-      test     = "StringLike"
-      variable = "aws:RequestTag/karpenter.sh/provisioner-name"
-      values   = ["*"]
-    }
-  }
-
-  statement {
-    sid    = "AllowScopedResourceCreationTagging"
-    effect = "Allow"
-
-    # tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:fleet/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:volume/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:network-interface/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
-    ]
-
-    actions = ["ec2:CreateTags"]
-
-    condition {
-      test     = "StringEquals"
-      variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_config.name}"
-      values   = ["owned"]
-    }
-
-    condition {
-      test     = "StringEquals"
-      variable = "ec2:CreateAction"
-
-      values = [
-        "RunInstances",
-        "CreateFleet",
-        "CreateLaunchTemplate",
-      ]
-    }
-
-    condition {
-      test     = "StringLike"
-      variable = "aws:RequestTag/karpenter.sh/provisioner-name"
-      values   = ["*"]
-    }
-  }
-
-  statement {
-    sid    = "AllowMachineMigrationTagging"
-    effect = "Allow"
-    # tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = ["arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*"]
-    actions   = ["ec2:CreateTags"]
-
-    condition {
-      test     = "StringEquals"
-      variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
-      values   = ["owned"]
-    }
-
-    condition {
-      test     = "StringEquals"
-      variable = "aws:RequestTag/karpenter.sh/managed-by"
-      values   = [var.cluster_config.name]
-    }
-
-    condition {
-      test     = "StringLike"
-      variable = "aws:RequestTag/karpenter.sh/provisioner-name"
-      values   = ["*"]
-    }
-
-    condition {
-      test     = "ForAllValues:StringEquals"
-      variable = "aws:TagKeys"
-
-      values = [
-        "karpenter.sh/provisioner-name",
-        "karpenter.sh/managed-by",
-      ]
-    }
-  }
-
-  statement {
-    sid    = "AllowScopedDeletion"
-    effect = "Allow"
-
-    # tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:instance/*",
-      "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:*:launch-template/*",
-    ]
-
-    actions = [
-      "ec2:TerminateInstances",
-      "ec2:DeleteLaunchTemplate",
-    ]
-
-    condition {
-      test     = "StringEquals"
-      variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_config.name}"
-      values   = ["owned"]
-    }
-
-    condition {
-      test     = "StringLike"
-      variable = "aws:ResourceTag/karpenter.sh/provisioner-name"
-      values   = ["*"]
-    }
-  }
-
-  statement {
-    sid       = "AllowRegionalReadActions"
-    effect    = "Allow"
-    resources = ["*"]
-
-    actions = [
-      "ec2:DescribeAvailabilityZones",
-      "ec2:DescribeImages",
-      "ec2:DescribeInstances",
-      "ec2:DescribeInstanceTypeOfferings",
-      "ec2:DescribeInstanceTypes",
-      "ec2:DescribeLaunchTemplates",
-      "ec2:DescribeSecurityGroups",
-      "ec2:DescribeSpotPriceHistory",
-      "ec2:DescribeSubnets",
-    ]
-
-    condition {
-      test     = "StringEquals"
-      variable = "aws:RequestedRegion"
-      values   = [data.aws_region.current.name]
-    }
-  }
-
-  statement {
-    sid       = "AllowSSMReadActions"
-    effect    = "Allow"
-    resources = ["arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}::parameter/aws/service/*"]
-    actions   = ["ssm:GetParameter"]
-  }
-
-  statement {
-    sid       = "AllowPricingReadActions"
-    effect    = "Allow"
-    resources = ["*"]
-    actions   = ["pricing:GetProducts"]
-  }
-
-  statement {
-    sid       = "AllowInterruptionQueueActions"
-    effect    = "Allow"
-    resources = [aws_sqs_queue.karpenter_interruption.arn]
-
-    actions = [
-      "sqs:DeleteMessage",
-      "sqs:GetQueueAttributes",
-      "sqs:GetQueueUrl",
-      "sqs:ReceiveMessage",
-    ]
-  }
-
-  statement {
-    sid       = "AllowPassingInstanceRole"
-    effect    = "Allow"
-    resources = concat([aws_iam_role.karpenter_node.arn], var.additional_node_role_arns)
-    actions   = ["iam:PassRole"]
-
-    condition {
-      test     = "StringEquals"
-      variable = "iam:PassedToService"
-      values   = ["ec2.amazonaws.com"]
-    }
-  }
-
-  statement {
-    sid       = "AllowAPIServerEndpointDiscovery"
-    effect    = "Allow"
-    resources = [var.cluster_config.arn]
-    actions   = ["eks:DescribeCluster"]
-  }
-}
-
 resource "aws_iam_role_policy" "karpenter_controller_v1_beta" {
-  count  = var.v1beta ? 1 : 0
   name   = "KarpenterController-v1beta"
   role   = aws_iam_role.karpenter_controller.id
   policy = data.aws_iam_policy_document.karpenter_controller_v1_beta.json
 }
 
+moved {
+  from = aws_iam_role_policy.karpenter_controller_v1_beta[0]
+  to   = aws_iam_role_policy.karpenter_controller_v1_beta
+}
+
 data "aws_iam_policy_document" "karpenter_controller_v1_beta" {
   statement {
     sid    = "AllowScopedEC2InstanceAccessActions"

diff --git a/modules/karpenter/variables.tf b/modules/karpenter/variables.tf
@@ -17,18 +17,6 @@ variable "oidc_config" {
   })
 }
 
-variable "v1alpha" {
-  description = "Enable controller policy for v1alpha resources (Karpenter <= 0.32.*)"
-  type        = bool
-  default     = true
-}
-
-variable "v1beta" {
-  description = "Enable controller policy for v1beta resources (Karpenter >= 0.32.*)"
-  type        = bool
-  default     = true
-}
-
 variable "additional_node_role_arns" {
   description = <<-EOF
     Additional Node Role ARNS that karpenter should manage