[EKS] Change Kubernetes control plane to EKS (the eks branch)
#7808
Conversation
mikkeloscar
added
do-not-merge
architectural
linki
changed the title
eks branch)
[EKS] switch to generic deny-all admitter, match conditions and fail policy
Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
Update aws-node daemonset to v1.19
…t-admission-controller-exception Exclude eks-pod-identity-agent from admission-controller to avoid 🐔🥚
Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
…ric-scrape Scrape metrics from EKS control plane
Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
Co-authored-by: Martin Linkhorst <[email protected]>
Handle secret read clusterroles
Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
Run e2e tests for both `zalando-aws` and `zalando-eks` providers.
Avoid problem of anchor-merging lists by using multiple envFroms
| Name: '{{.Cluster.ID}}:worker-iam-role' | ||
| Value: !Ref WorkerIAMRole | ||
| RemoteFilesEncryptionKey: | ||
| Name: "{{.Cluster.ID}}:eks-oidc-url" |
There was a problem hiding this comment.
Should we use .Cluster.Name instead of .ID here (and other places?). PR that introduced the field: https://github.com/zalando-incubator/cluster-lifecycle-manager/pull/829/files#diff-61dbe200b05c4fa62230dc5e9efedf4ac8d35088d3dfb7a1cde9163b79b41066
| - "@127.0.0.1" | ||
| {{- else }} | ||
| - "::1" |
There was a problem hiding this comment.
Looks like we enter this branch for legacy clusters (IPv4) as well. Does this make sense?
There was a problem hiding this comment.
This is unbound which is not yet being activated in EKS clusters. Let's defer fixing this to later.
| args: | ||
| - tcp | ||
| # TODO: ipv6 | ||
| - --bind=0.0.0.0:9054 |
There was a problem hiding this comment.
Should this bind to all interfaces (for IPv6)?
There was a problem hiding this comment.
This is unbound which I didn't invest in making ipv6 compatible yet. We use dnsmasq in eks clusters for now so we can defer fixing this to later.
| @@ -123,8 +144,8 @@ spec: | |||
| - --neg-ttl=60 | |||
| # send requests to the last server first, only fallback to the previous ones if it's unreachable | |||
| - --strict-order | |||
| - --server=10.5.0.11#53 | |||
| - --server=127.0.0.1#9254 | |||
| - --server=10.5.0.11#53 # TODO: fix this for ipv6 | |||
There was a problem hiding this comment.
I think in practice this address is never used as it's a fallback if the local CoreDNS is not available. Hence we didn't notice issues in IPv6 clusters.
We should fix this, but I would say we don't have to fix it before merging this.
| @@ -52,6 +53,7 @@ spec: | |||
| - --aws-zones-cache-duration={{ .Cluster.ConfigItems.external_dns_zones_cache_duration }} | |||
| - --annotation-filter=external-dns.alpha.kubernetes.io/exclude notin (true) | |||
| - --policy={{ .Cluster.ConfigItems.external_dns_policy }} | |||
| - --log-level=debug | |||
linki
added
the
frozen
|
👍 |
1 similar comment
|
👍 |
This branch contains a Proof of Concept setup for running a Zalando Kubernetes cluster using EKS as the control plane. All the EKS specific configuration is behind feature flags:
{{ if eq .Cluster.Provider "zalando-eks"}}making it compatible with non-eks setup.This PR is open to facilitate merging changes from
devinto the branch regularly and to get it into a state that makes it mergeable.Note: This branch currently only works with a modified version of CLM: zalando-incubator/cluster-lifecycle-manager#777