Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat/add node pool common #353

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Feat/add node pool common #353

wants to merge 3 commits into from

Conversation

g-iannelli
Copy link
Contributor

@g-iannelli g-iannelli commented Feb 10, 2025
edited
Loading

Summary 💡

Currently, there is no built-in support for configuring Instance Metadata Service Version 2 (IMDSv2) for self-managed EKS node pools. IMDSv2 enhances security by enforcing session-based authentication for metadata requests, reducing the risk of metadata theft.

Self-managed EKS node pools should support the configuration of IMDSv2 settings, including:

  • Enforcing the use of IMDSv2 (metadata_http_tokens = "required")
  • Enabling or disabling the metadata service (metadata_http_endpoint)
  • Setting the hop limit for metadata requests (metadata_http_put_response_hop_limit)

Expected Outcome:

  • Users should be able to define IMDSv2 settings for self-managed node pools.

Closes:
#352

Relates:

Description 📝

  • Added spec.kubernetes.nodePoolCommon with properties for managing IDMS parameters in self-managed EKS node pools.
  • Updated the Terraform template to handle the new variables from spec.kubernetes.nodePoolCommon.

Breaking Changes 💔

No breaking changes should be in place

Tests performed 🧪

  • Create a cluster without spec.kubernetes.nodePoolsCommon
  • Create a cluster setting IDMSv2 with required token

@g-iannelli g-iannelli force-pushed the feat/add-nodePoolCommon branch 2 times, most recently from 16de105 to 7af93df Compare February 10, 2025 15:25
@g-iannelli g-iannelli marked this pull request as ready for review February 10, 2025 15:28
ralgozino
ralgozino requested changes Feb 11, 2025
View reviewed changes
Copy link
Member

@ralgozino ralgozino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor changes before approving.

I'm not sure nodePoolsCommon is a good name for this parameter though. Maybe nodePoolsDefaults is better? but then it could cause some confusion with nodePoolsLaunchKind and nodePoolGlobalAmiType 🤔

Also, I'm not a fan that we are starting to have:

.spec.kubernetes.nodePools
.spec.kubernetes.nodePoolsLaunchKind
.spec.kubernetes.nodePoolGlobalAmiType (notice that is nodePool and not nodePool**s**)
.spec.kubernetes.nodePoolsCommon (this is being added)

This smells like all should be inside .spec.kubernetes.nodePools and maybe launchKind inside common too, but then what is currently under .spec.kubernetes.nodePools should be inside another key that I can't think of right now.

@g-iannelli
Copy link
Contributor Author

g-iannelli commented Feb 11, 2025
edited
Loading

Some minor changes before approving.

I'm not sure nodePoolsCommon is a good name for this parameter though. Maybe nodePoolsDefaults is better? but then it could cause some confusion with nodePoolsLaunchKind and nodePoolGlobalAmiType 🤔

Also, I'm not a fan that we are starting to have:

.spec.kubernetes.nodePools
.spec.kubernetes.nodePoolsLaunchKind
.spec.kubernetes.nodePoolGlobalAmiType (notice that is nodePool and not nodePool**s**)
.spec.kubernetes.nodePoolsCommon (this is being added)

This smells like all should be inside .spec.kubernetes.nodePools and maybe launchKind inside common too, but then what is currently under .spec.kubernetes.nodePools should be inside another key that I can't think of right now.

@ralgozino I don't have a strong preference for the name nodePoolsCommon, so it could be changed to nodePoolsDefaults, even though it only applies to self-managed node pools. In my opinion, nodePoolsLaunchKind could be deprecated since the only valid value is launch_templates, as launch_configurations has been deprecated since 2022. Refactoring the spec.kubernetes.nodePools structure might be necessary, but it would introduce a breaking change in the interface (are we ready to move from ekscluster-kfd-v1alpha2 to ekscluster-kfd-v2alpha1?)

@g-iannelli g-iannelli force-pushed the feat/add-nodePoolCommon branch from 7af93df to 70364b9 Compare February 11, 2025 12:29
@g-iannelli g-iannelli requested a review from ralgozino February 11, 2025 12:29
@ralgozino
Copy link
Member

@ralgozino I don't have a strong preference for the name nodePoolsCommon, so it could be changed to nodePoolsDefaults, even though it only applies to self-managed node pools.

Mm.. I did pick up that this applied only to self-managed node pools, in that case we should be very clear in the descriptions that this fields apply only to that case.

Are there any other properties that could be added in the future to nodePoolsCommon that apply to eks-managed nodepools or will it always be only for self-managed ones?

In my opinion, nodePoolsLaunchKind could be deprecated since the only valid value is launch_templates, as launch_configurations has been deprecated since 2022. Refactoring the spec.kubernetes.nodePools structure might be necessary, but it would introduce a breaking change in the interface (are we ready to move from ekscluster-kfd-v1alpha2 to ekscluster-kfd-v2alpha1?)

Yes, all of that would be breaking changes that ideally would require bumping the schema version. Let's leave that out of the scope of this PR.

@g-iannelli
Copy link
Contributor Author

@ralgozino I don't have a strong preference for the name nodePoolsCommon, so it could be changed to nodePoolsDefaults, even though it only applies to self-managed node pools.

Mm.. I did pick up that this applied only to self-managed node pools, in that case we should be very clear in the descriptions that this fields apply only to that case.

Are there any other properties that could be added in the future to nodePoolsCommon that apply to eks-managed nodepools or will it always be only for self-managed ones?

Any keys that are common between https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v17.24.0/locals.tf#L36 and https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v17.24.0/modules/node_groups/locals.tf#L3

@g-iannelli g-iannelli requested a review from ralgozino February 11, 2025 14:23
stefanoghinelli
stefanoghinelli requested changes Feb 25, 2025
View reviewed changes
Copy link
Member

@stefanoghinelli stefanoghinelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @g-iannelli, Ci is failing, could you please check it?

@g-iannelli g-iannelli force-pushed the feat/add-nodePoolCommon branch from b9cf4bb to 755ae21 Compare February 25, 2025 09:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nutellinoit nutellinoit Awaiting requested review from nutellinoit

@mimnix mimnix Awaiting requested review from mimnix

@ralgozino ralgozino Awaiting requested review from ralgozino

@stefanoghinelli stefanoghinelli Awaiting requested review from stefanoghinelli

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@g-iannelli @ralgozino @stefanoghinelli