From 821ff04f5e0ce9466d0ae349d00edc5c52909fc0 Mon Sep 17 00:00:00 2001 From: Jack Kleeman Date: Wed, 14 Feb 2024 14:31:16 +0000 Subject: [PATCH 1/3] Ack addon must support inline policies for EKS The EKS ack controller doesn't have a recommended managed policy, only an inline one, and the currently provided managed policy in blueprints doesn't seem to give any eks permissions, nor does any other managed policy seem to be appropriate. The best option is to support inline policies. There may be other ack controllers with similar issues, but EKS is the one I'm aware of. Signed-off-by: Jack Kleeman --- lib/addons/ack/index.ts | 257 ++++++++++++++++-------------- lib/addons/ack/serviceMappings.ts | 16 +- 2 files changed, 149 insertions(+), 124 deletions(-) diff --git a/lib/addons/ack/index.ts b/lib/addons/ack/index.ts index e8c6d929d..65dbf8e73 100644 --- a/lib/addons/ack/index.ts +++ b/lib/addons/ack/index.ts 
@@ -1,122 +1,135 @@ -import { ManagedPolicy } from 'aws-cdk-lib/aws-iam'; -import { Construct } from 'constructs'; -import merge from "ts-deepmerge"; -import { ClusterInfo, Values } from "../../spi"; -import "reflect-metadata"; -import { createNamespace, setPath, supportsX86 } from "../../utils"; -import { HelmAddOn, HelmAddOnProps, HelmAddOnUserProps } from "../helm-addon"; -import { AckServiceName, serviceMappings } from './serviceMappings'; - -export * from "./serviceMappings"; - -/** - * User provided option for the Helm Chart - */ -export interface AckAddOnProps extends HelmAddOnUserProps { - /** - * Required identified, must be unique within the parent stack scope. - */ - id?: string; - /** - * Default Service Name - * @default iam - */ - serviceName: AckServiceName; - /** - * Managed IAM Policy of the ack controller - * @default IAMFullAccess - */ - managedPolicyName?: string; - /** - * To Create Namespace using CDK. This should be done only for the first time. - */ - createNamespace?: boolean; - /** - * To create Service Account - */ - saName?: string; -} - -/** - * Default props to be used when creating the Helm chart - */ -const defaultProps: AckAddOnProps = { - namespace: "ack-system", - values: {}, - createNamespace: true, - serviceName: AckServiceName.IAM, - id: "iam-ack" -}; - -/** - * Main class to instantiate the Helm chart - */ -@Reflect.metadata("ordered", true) -@supportsX86 -export class AckAddOn extends HelmAddOn { - - readonly options: AckAddOnProps; - readonly id? 
: string; - - constructor(props?: AckAddOnProps) { - super(populateDefaults(defaultProps, props) as HelmAddOnProps); - this.options = this.props as AckAddOnProps; - this.id = this.options.id; - } - - - deploy(clusterInfo: ClusterInfo): Promise { - const cluster = clusterInfo.cluster; - - const sa = cluster.addServiceAccount(`${this.options.chart}-sa`, { - namespace: this.options.namespace, - name: this.options.saName, - }); - - let values: Values = populateValues(this.options,cluster.stack.region); - values = merge(values, this.props.values ?? {}); - - if(this.options.createNamespace == true){ - // Let CDK Create the Namespace - const namespace = createNamespace(this.options.namespace! , cluster); - sa.node.addDependency(namespace); - } - - sa.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(this.options.managedPolicyName!)); - const chart = this.addHelmChart(clusterInfo, values); - chart.node.addDependency(sa); - return Promise.resolve(chart); - } -} - -/** - * populateValues populates the appropriate values used to customize the Helm chart - * @param helmOptions User provided values to customize the chart - */ -function populateValues(helmOptions: AckAddOnProps, awsRegion: string): Values { - const values = helmOptions.values ?? {}; - setPath(values, "aws.region", awsRegion); - setPath(values,"serviceAccount.create", false); - setPath(values,"serviceAccount.name", helmOptions.saName); - return values; -} - -/** - * populate parameters passed or the default values from service Mappings. - */ -function populateDefaults(defaultProps: AckAddOnProps, props?: AckAddOnProps): AckAddOnProps { - let tempProps : Partial = {...props ?? {}}; // since props may be empty - tempProps.id = tempProps.id ?? defaultProps.id; - tempProps.serviceName = tempProps.serviceName ?? defaultProps.serviceName; - tempProps.name = tempProps.name ?? serviceMappings[tempProps.serviceName!]!.chart; - tempProps.namespace = tempProps.namespace ?? 
defaultProps.namespace; - tempProps.chart = tempProps.chart ?? serviceMappings[tempProps.serviceName!]?.chart; - tempProps.version = tempProps.version ?? serviceMappings[tempProps.serviceName!]?.version; - const repositoryUrl = "oci://public.ecr.aws/aws-controllers-k8s"; - tempProps.release = tempProps.release ?? tempProps.chart; - tempProps.repository = tempProps.repository ?? `${repositoryUrl}/${tempProps.name}`; - tempProps.managedPolicyName = tempProps.managedPolicyName ?? serviceMappings[tempProps.serviceName!]?.managedPolicyName; - tempProps.createNamespace = tempProps.createNamespace ?? defaultProps.createNamespace; - tempProps.saName = tempProps.saName ?? `${tempProps.chart}-sa`; - return tempProps as AckAddOnProps; -} \ No newline at end of file +import { ManagedPolicy, Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam'; +import { Construct } from 'constructs'; +import merge from "ts-deepmerge"; +import { ClusterInfo, Values } from "../../spi"; +import "reflect-metadata"; +import { createNamespace, setPath, supportsX86 } from "../../utils"; +import { HelmAddOn, HelmAddOnProps, HelmAddOnUserProps } from "../helm-addon"; +import { AckServiceName, serviceMappings } from './serviceMappings'; + +export * from "./serviceMappings"; + +/** + * User provided option for the Helm Chart + */ +export interface AckAddOnProps extends HelmAddOnUserProps { + /** + * Required identified, must be unique within the parent stack scope. + */ + id?: string; + /** + * Default Service Name + * @default iam + */ + serviceName: AckServiceName; + /** + * Managed IAM Policy of the ack controller + * @default IAMFullAccess + */ + managedPolicyName?: string; + /** + * Inline IAM Policy for the ack controller + * @default undefined + */ + inlinePolicyStatements?: PolicyStatement[]; + /** + * To Create Namespace using CDK. This should be done only for the first time. 
+ */ + createNamespace?: boolean; + /** + * To create Service Account + */ + saName?: string; +} + +/** + * Default props to be used when creating the Helm chart + */ +const defaultProps: AckAddOnProps = { + namespace: "ack-system", + values: {}, + createNamespace: true, + serviceName: AckServiceName.IAM, + id: "iam-ack" +}; + +/** + * Main class to instantiate the Helm chart + */ +@Reflect.metadata("ordered", true) +@supportsX86 +export class AckAddOn extends HelmAddOn { + + readonly options: AckAddOnProps; + readonly id? : string; + + constructor(props?: AckAddOnProps) { + super(populateDefaults(defaultProps, props) as HelmAddOnProps); + this.options = this.props as AckAddOnProps; + this.id = this.options.id; + } + + + deploy(clusterInfo: ClusterInfo): Promise { + const cluster = clusterInfo.cluster; + + const sa = cluster.addServiceAccount(`${this.options.chart}-sa`, { + namespace: this.options.namespace, + name: this.options.saName, + }); + + let values: Values = populateValues(this.options,cluster.stack.region); + values = merge(values, this.props.values ?? {}); + + if(this.options.createNamespace == true){ + // Let CDK Create the Namespace + const namespace = createNamespace(this.options.namespace! 
, cluster); + sa.node.addDependency(namespace); + } + + if (this.options.managedPolicyName) { + sa.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(this.options.managedPolicyName!)); + } + if (this.options.inlinePolicyStatements && this.options.inlinePolicyStatements.length > 0) { + sa.role.attachInlinePolicy(new Policy(cluster.stack, "inline-policy", { + statements: this.options.inlinePolicyStatements + })); + } + const chart = this.addHelmChart(clusterInfo, values); + chart.node.addDependency(sa); + return Promise.resolve(chart); + } +} + +/** + * populateValues populates the appropriate values used to customize the Helm chart + * @param helmOptions User provided values to customize the chart + */ +function populateValues(helmOptions: AckAddOnProps, awsRegion: string): Values { + const values = helmOptions.values ?? {}; + setPath(values, "aws.region", awsRegion); + setPath(values,"serviceAccount.create", false); + setPath(values,"serviceAccount.name", helmOptions.saName); + return values; +} + +/** + * populate parameters passed or the default values from service Mappings. + */ +function populateDefaults(defaultProps: AckAddOnProps, props?: AckAddOnProps): AckAddOnProps { + let tempProps : Partial = {...props ?? {}}; // since props may be empty + tempProps.id = tempProps.id ?? defaultProps.id; + tempProps.serviceName = tempProps.serviceName ?? defaultProps.serviceName; + tempProps.name = tempProps.name ?? serviceMappings[tempProps.serviceName!]!.chart; + tempProps.namespace = tempProps.namespace ?? defaultProps.namespace; + tempProps.chart = tempProps.chart ?? serviceMappings[tempProps.serviceName!]?.chart; + tempProps.version = tempProps.version ?? serviceMappings[tempProps.serviceName!]?.version; + const repositoryUrl = "oci://public.ecr.aws/aws-controllers-k8s"; + tempProps.release = tempProps.release ?? tempProps.chart; + tempProps.repository = tempProps.repository ?? 
`${repositoryUrl}/${tempProps.name}`;
+ tempProps.managedPolicyName = tempProps.managedPolicyName ?? serviceMappings[tempProps.serviceName!]?.managedPolicyName;
+ tempProps.inlinePolicyStatements = tempProps.inlinePolicyStatements ?? serviceMappings[tempProps.serviceName!]?.inlinePolicyStatements;
+ tempProps.createNamespace = tempProps.createNamespace ?? defaultProps.createNamespace;
+ tempProps.saName = tempProps.saName ?? `${tempProps.chart}-sa`;
+ return tempProps as AckAddOnProps;
+}
diff --git a/lib/addons/ack/serviceMappings.ts b/lib/addons/ack/serviceMappings.ts
index 9d49190c3..45c94f727 100644
--- a/lib/addons/ack/serviceMappings.ts
+++ b/lib/addons/ack/serviceMappings.ts
@@ -1,10 +1,13 @@
+import {PolicyStatement} from "aws-cdk-lib/aws-iam";
+
 /**
 * Chart Mapping for fields such as chart, version, managed IAM policy.
 */
 export interface AckChartMapping {
 chart: string,
 version: string,
- managedPolicyName: string
+ managedPolicyName?: string
+ inlinePolicyStatements?: PolicyStatement[]
 }
 
 /**
@@ -125,7 +128,16 @@ export const serviceMappings : {[key in AckServiceName]?: AckChartMapping } = {
 [AckServiceName.EKS]: {
 chart: "eks-chart",
 version: "1.0.5",
- managedPolicyName: "AmazonEKSClusterPolicy"
+ managedPolicyName: "AmazonEKSClusterPolicy",
+ inlinePolicyStatements: [PolicyStatement.fromJson({
+ "Effect": "Allow",
+ "Action": [
+ "eks:*",
+ "iam:GetRole",
+ "iam:PassRole"
+ ],
+ "Resource": "*"
+ })]
 },
 [AckServiceName.APPLICATIONAUTOSCALING]: {
 chart: "applicationautoscaling-chart",
From f1bfa94f16021f9e6054d51ce71486fd32d16702 Mon Sep 17 00:00:00 2001
From: Jack Kleeman
Date: Wed, 14 Feb 2024 15:02:36 +0000
Subject: [PATCH 2/3] Update docs

Signed-off-by: Jack Kleeman
---
 docs/addons/ack-addon.md | 344 +++++++++++++++++++++------------------
 1 file changed, 184 insertions(+), 160 deletions(-)

diff --git a/docs/addons/ack-addon.md b/docs/addons/ack-addon.md
index dd5e3853b..1fe991f81 100644
--- a/docs/addons/ack-addon.md
+++ b/docs/addons/ack-addon.md
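Review bot: In `deploy`, when neither `managedPolicyName` nor a non-empty `inlinePolicyStatements` resolves from the props or the `serviceMappings` entry, the service-account role is created with no permissions and the chart still deploys, so the misconfiguration only surfaces as AccessDenied in the controller logs at runtime. Unless a permission-less controller is an intended use, fail at synth after the two guards: `if (!this.options.managedPolicyName && !this.options.inlinePolicyStatements?.length) { throw new Error(`AckAddOn ${this.options.serviceName}: no managedPolicyName or inlinePolicyStatements configured`); }`. The `!` in `this.options.managedPolicyName!` inside the truthy guard is redundant and can be dropped. The TSDoc `@default IAMFullAccess` on `managedPolicyName` and `@default undefined` on `inlinePolicyStatements` no longer describe the behavior, since `populateDefaults` fills both from the `serviceMappings` entry for `serviceName`; state that instead of a fixed value.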
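Review bot: The two new optional fields on `AckChartMapping`, `managedPolicyName?` and `inlinePolicyStatements?`, carry no TSDoc, and the interface comment still says only `managed IAM policy`. Suggest `Chart Mapping for fields such as chart, version, and the managed and/or inline IAM policy attached to the controller role.` for the interface, plus a one-line comment on each field noting that, as `deploy` in index.ts attaches only what is set, a mapping that sets neither leaves the controller without AWS access.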
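Review bot: The EKS inline statement grants `iam:PassRole` on `Resource: "*"` with no condition, so the controller role can hand any role in the account to any service it can call, which is broader than the EKS controller needs. Scope the PassRole grant with `iam:PassedToService` restricted to `eks.amazonaws.com` in its own statement, the same pattern the S3 example added to the docs in PATCH 2/3 uses, and keep `eks:*` and `iam:GetRole` in a separate statement. Whether some EKS API paths pass roles to a service principal other than `eks.amazonaws.com` is not visible here; if so, widen the condition value rather than dropping the condition.
```typescript
    [AckServiceName.EKS]: {
        // … unchanged: chart, version, managedPolicyName …
        inlinePolicyStatements: [
            PolicyStatement.fromJson({
                "Effect": "Allow",
                "Action": ["eks:*", "iam:GetRole"],
                "Resource": "*"
            }),
            PolicyStatement.fromJson({
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": "*",
                "Condition": { "StringEquals": { "iam:PassedToService": "eks.amazonaws.com" } }
            })
        ]
    },
```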
@@ -1,160 +1,184 @@ -# AWS Controller for Kubernetes Add-on - -This add-on installs [aws-controller-8s](https://github.com/aws-controllers-k8s/community). - -AWS Controllers for Kubernetes (ACK) lets you define and use AWS service resources directly from Kubernetes. With ACK, you can take advantage of AWS managed services for your Kubernetes applications without needing to define resources outside of the cluster or run services that provide supporting capabilities like databases or message queues within the cluster. - -ACK is an open source project built with ❤️ by AWS. The project is composed of many source code repositories containing a common runtime, a code generator, common testing tools and Kubernetes custom controllers for individual AWS service APIs. - -## Usage - -> Pattern # 1 : This installs AWS Controller for Kubernetes for IAM ACK Controller. This uses all default parameters for installation of the IAM Controller. - -```typescript -import * as cdk from 'aws-cdk-lib'; -import * as blueprints from '@aws-quickstart/eks-blueprints'; - -const app = new cdk.App(); - -const addOn = new blueprints.addons.AckAddOn({ - serviceName: AckServiceName.IAM, -}), - -const blueprint = blueprints.EksBlueprint.builder() - .version("auto") - .addOns(addOn) - .build(app, 'my-stack-name'); -``` - -> Pattern # 2 : This installs AWS Controller for Kubernetes for EC2 ACK controller using service name internally referencing service mapping values for helm options. After Installing this EC2 ACK Controller, the instructions in [Provision ACK Resource](https://www.eksworkshop.com/docs/automation/controlplanes/ack/provision-resources) can be used to provision EC2 namespaces `SecurityGroup` resources required for creating Amazon RDS database as an example. 
- -```typescript -import * as cdk from 'aws-cdk-lib'; -import * as blueprints from '@aws-quickstart/eks-blueprints'; - -const app = new cdk.App(); - -const addOn = new blueprints.addons.AckAddOn({ - id: "ec2-ack", // Having this field is important if you are using multiple iterations of this Addon. - createNamespace: false, //This is essential if you are using multiple iterations of this Addon to run in same namespace. - serviceName: AckServiceName.EC2 // This value can be references from supported service section below, -}), - -const blueprint = blueprints.EksBlueprint.builder() - .version("auto") - .addOns(addOn) - .build(app, 'my-stack-name'); -``` - -> Pattern # 3 : This installs AWS Controller for Kubernetes for RDS ACK controller with user specified values. After Installing this RDS ACK Controller, the instructions in [Provision ACK Resource](https://www.eksworkshop.com/docs/automation/controlplanes/ack/provision-resources) can be used to provision Amazon RDS database using the RDS ACK controller as an example. 
- -```typescript -import * as cdk from 'aws-cdk-lib'; -import * as blueprints from '@aws-quickstart/eks-blueprints'; - -const app = new cdk.App(); - -const addOn = new blueprints.addons.AckAddOn({ - id: "rds-ack", - serviceName: AckServiceName.RDS, - name: "rds-chart", - chart: "rds-chart", - version: "v0.1.1", - release: "rds-chart", - repository: "oci://public.ecr.aws/aws-controllers-k8s/rds-chart", - managedPolicyName: "AmazonRDSFullAccess", - createNamespace: false, - saName: "rds-chart" -}), - -const blueprint = blueprints.EksBlueprint.builder() - .version("auto") - .addOns(addOn) - .build(app, 'my-stack-name'); -``` - -## Configuration Options - -- `id`: Unique identifier of the Addon especially if you are using ACK Addon multiple times -- `serviceName`: Name of the service and this is mandatory -- `name`: Name of the ACK Chart -- `chart`: Chart Name of the ACK Chart -- `version`: Version of the ACK Chart -- `release`: Release Name of the ACK Chart -- `repository`: Repository URI of the specific ACK Chart -- `managedPolicyName`: Policy Name required to be added to the IAM role for that ACK -- `createNamespace`: (boolean) This should be false if you are using for the second time -- `saName` : Name to create the service account. -- `values`: Arbitrary values to pass to the chart -- [Standard helm configuration options](https://github.com/aws-quickstart/cdk-eks-blueprints/blob/main/docs/addons/index.md#standard-helm-add-on-configuration-options). - -## Validation - -To validate that ack-controller-k8s is installed properly in the cluster, check if the namespace is created and pods are running in the `ack-system` namespace. 
- -Verify if the namespace is created correctly -```bash - kubectl get all -n ack-system -``` -There should be list the following resources in the namespace -```bash -NAME READY STATUS RESTARTS AGE -pod/iam-chart-64c8fd7f6-wpb5k 1/1 Running 0 34m -pod/rds-chart-5f6f5b8fc7-hp55l 1/1 Running 0 5m26s - -NAME READY UP-TO-DATE AVAILABLE AGE -deployment.apps/iam-chart 1/1 1 1 35m -deployment.apps/rds-chart 1/1 1 1 5m36s - -NAME DESIRED CURRENT READY AGE -replicaset.apps/iam-chart-64c8fd7f6 1 1 1 35m -replicaset.apps/rds-chart-5f6f5b8fc7 1 1 1 5m36s -``` - -## aws-controller-8s references - -Please refer to following aws-controller-8s references for more information : -- [ACK Workshop](https://www.eksworkshop.com/docs/automation/controlplanes/ack/) -- [ECR Gallery for ACK](https://gallery.ecr.aws/aws-controllers-k8s/) -- [ACK GitHub](https://github.com/aws-controllers-k8s/community) - -## Supported AWS Services by ACK Addon - -*You can use this ACK Addon today to provision resources for below mentioned 22 AWS services:* - -1. ACM -2. ACMPCA -3. APIGATEWAYV2 -4. APPLICATIONAUTOSCALING -5. CLOUDTRAIL -6. CLOUDWATCH -7. CLOUDWATCHLOGS -8. DYNAMODB -9. EC2 -10. ECR -11. EMRCONTAINERS -12. EKS -13. ELASTICACHE -14. ELASTICSEARCHSERVICE -15. EVENTBRIDGE -16. IAM -17. KAFKA -18. KINESIS -19. KMS -20. LAMBDA -21. MEMORYDB -22. MQ -23. OPENSEARCHSERVICE -24. PIPES -25. PROMETHEUSSERVICE -26. RDS -27. ROUTE53 -28. ROUTE53RESOLVER -29. S3 -30. SAGEMAKER -31. SECRETSMANAGER -32. SFN -33. SNS -34. SQS - -*We highly recommend you to contribute to this ACK Addon whenever there is a newer service or new version of supported service by this Addon is published to [ECR Gallery for ACK](https://gallery.ecr.aws/aws-controllers-k8s/).* +# AWS Controller for Kubernetes Add-on + +This add-on installs [aws-controller-8s](https://github.com/aws-controllers-k8s/community). + +AWS Controllers for Kubernetes (ACK) lets you define and use AWS service resources directly from Kubernetes. 
With ACK, you can take advantage of AWS managed services for your Kubernetes applications without needing to define resources outside of the cluster or run services that provide supporting capabilities like databases or message queues within the cluster. + +ACK is an open source project built with ❤️ by AWS. The project is composed of many source code repositories containing a common runtime, a code generator, common testing tools and Kubernetes custom controllers for individual AWS service APIs. + +## Usage + +> Pattern # 1 : This installs AWS Controller for Kubernetes for IAM ACK Controller. This uses all default parameters for installation of the IAM Controller. + +```typescript +import * as cdk from 'aws-cdk-lib'; +import * as blueprints from '@aws-quickstart/eks-blueprints'; + +const app = new cdk.App(); + +const addOn = new blueprints.addons.AckAddOn({ + serviceName: AckServiceName.IAM, +}), + +const blueprint = blueprints.EksBlueprint.builder() + .version("auto") + .addOns(addOn) + .build(app, 'my-stack-name'); +``` + +> Pattern # 2 : This installs AWS Controller for Kubernetes for EC2 ACK controller using service name internally referencing service mapping values for helm options. After Installing this EC2 ACK Controller, the instructions in [Provision ACK Resource](https://www.eksworkshop.com/docs/automation/controlplanes/ack/provision-resources) can be used to provision EC2 namespaces `SecurityGroup` resources required for creating Amazon RDS database as an example. + +```typescript +import * as cdk from 'aws-cdk-lib'; +import * as blueprints from '@aws-quickstart/eks-blueprints'; + +const app = new cdk.App(); + +const addOn = new blueprints.addons.AckAddOn({ + id: "ec2-ack", // Having this field is important if you are using multiple iterations of this Addon. + createNamespace: false, //This is essential if you are using multiple iterations of this Addon to run in same namespace. 
+ serviceName: AckServiceName.EC2 // This value can be references from supported service section below, +}), + +const blueprint = blueprints.EksBlueprint.builder() + .version("auto") + .addOns(addOn) + .build(app, 'my-stack-name'); +``` + +> Pattern # 3 : This installs AWS Controller for Kubernetes for S3 ACK controller with user specified values. After Installing this S3 ACK Controller, the instructions in [Provision ACK Resource](https://www.eksworkshop.com/docs/automation/controlplanes/ack/provision-resources) can be used to provision Amazon S3 resources using the S3 ACK controller as an example. + +```typescript +import * as cdk from 'aws-cdk-lib'; +import * as iam from "aws-cdk-lib/aws-iam"; +import * as blueprints from '@aws-quickstart/eks-blueprints'; + +const app = new cdk.App(); + +const addOn = new blueprints.addons.AckAddOn({ + id: "s3-ack", + serviceName: AckServiceName.S3, + name: "s3-chart", + chart: "s3-chart", + version: "v0.1.1", + release: "s3-chart", + repository: "oci://public.ecr.aws/aws-controllers-k8s/s3-chart", + managedPolicyName: "AmazonS3FullAccess", + inlinePolicyStatements: [ + iam.PolicyStatement.fromJson({ + "Sid": "S3AllPermission", + "Effect": "Allow", + "Action": [ + "s3:*", + "s3-object-lambda:*" + ], + "Resource": "*" + }), + iam.PolicyStatement.fromJson({ + "Sid": "S3ReplicationPassRole", + "Condition": { + "StringEquals": { + "iam:PassedToService": "s3.amazonaws.com" + } + }, + "Action": "iam:PassRole", + "Resource": "*", + "Effect": "Allow" + }) + ], + createNamespace: false, + saName: "s3-chart" +}) + +const blueprint = blueprints.EksBlueprint.builder() + .version("auto") + .addOns(addOn) + .build(app, 'my-stack-name'); +``` + +## Configuration Options + +- `id`: Unique identifier of the Addon especially if you are using ACK Addon multiple times +- `serviceName`: Name of the service and this is mandatory +- `name`: Name of the ACK Chart +- `chart`: Chart Name of the ACK Chart +- `version`: Version of the ACK Chart +- 
`release`: Release Name of the ACK Chart +- `repository`: Repository URI of the specific ACK Chart +- `managedPolicyName`: Policy Name required to be added to the IAM role for that ACK +- `inlinePolicyStatements`: Inline Policy Statements required to be added to the IAM role for that ACK +- `createNamespace`: (boolean) This should be false if you are using for the second time +- `saName` : Name to create the service account. +- `values`: Arbitrary values to pass to the chart +- [Standard helm configuration options](https://github.com/aws-quickstart/cdk-eks-blueprints/blob/main/docs/addons/index.md#standard-helm-add-on-configuration-options). + +## Validation + +To validate that ack-controller-k8s is installed properly in the cluster, check if the namespace is created and pods are running in the `ack-system` namespace. + +Verify if the namespace is created correctly +```bash + kubectl get all -n ack-system +``` +There should be list the following resources in the namespace +```bash +NAME READY STATUS RESTARTS AGE +pod/iam-chart-64c8fd7f6-wpb5k 1/1 Running 0 34m +pod/rds-chart-5f6f5b8fc7-hp55l 1/1 Running 0 5m26s + +NAME READY UP-TO-DATE AVAILABLE AGE +deployment.apps/iam-chart 1/1 1 1 35m +deployment.apps/rds-chart 1/1 1 1 5m36s + +NAME DESIRED CURRENT READY AGE +replicaset.apps/iam-chart-64c8fd7f6 1 1 1 35m +replicaset.apps/rds-chart-5f6f5b8fc7 1 1 1 5m36s +``` + +## aws-controller-8s references + +Please refer to following aws-controller-8s references for more information : +- [ACK Workshop](https://www.eksworkshop.com/docs/automation/controlplanes/ack/) +- [ECR Gallery for ACK](https://gallery.ecr.aws/aws-controllers-k8s/) +- [ACK GitHub](https://github.com/aws-controllers-k8s/community) + +## Supported AWS Services by ACK Addon + +*You can use this ACK Addon today to provision resources for below mentioned 22 AWS services:* + +1. ACM +2. ACMPCA +3. APIGATEWAYV2 +4. APPLICATIONAUTOSCALING +5. CLOUDTRAIL +6. CLOUDWATCH +7. CLOUDWATCHLOGS +8. DYNAMODB +9. EC2 +10. 
ECR
+11. EMRCONTAINERS
+12. EKS
+13. ELASTICACHE
+14. ELASTICSEARCHSERVICE
+15. EVENTBRIDGE
+16. IAM
+17. KAFKA
+18. KINESIS
+19. KMS
+20. LAMBDA
+21. MEMORYDB
+22. MQ
+23. OPENSEARCHSERVICE
+24. PIPES
+25. PROMETHEUSSERVICE
+26. RDS
+27. ROUTE53
+28. ROUTE53RESOLVER
+29. S3
+30. SAGEMAKER
+31. SECRETSMANAGER
+32. SFN
+33. SNS
+34. SQS
+
+*We highly recommend you to contribute to this ACK Addon whenever there is a newer service or new version of supported service by this Addon is published to [ECR Gallery for ACK](https://gallery.ecr.aws/aws-controllers-k8s/).*
From aa923ee954517f35efb402161848ccbb5e17b3d5 Mon Sep 17 00:00:00 2001
From: Jack Kleeman
Date: Fri, 23 Feb 2024 14:12:52 +0000
Subject: [PATCH 3/3] Remove AmazonEKSClusterPolicy from EKS ack controller

Also improve the name of the inline policy object
---
 lib/addons/ack/index.ts | 2 +-
 lib/addons/ack/serviceMappings.ts | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/addons/ack/index.ts b/lib/addons/ack/index.ts
index 65dbf8e73..2bd7c2f64 100644
--- a/lib/addons/ack/index.ts
+++ b/lib/addons/ack/index.ts
@@ -91,7 +91,7 @@ export class AckAddOn extends HelmAddOn {
 sa.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(this.options.managedPolicyName!));
 }
 if (this.options.inlinePolicyStatements && this.options.inlinePolicyStatements.length > 0) {
- sa.role.attachInlinePolicy(new Policy(cluster.stack, "inline-policy", {
+ sa.role.attachInlinePolicy(new Policy(cluster.stack, `${this.options.chart}-inline-policy`, {
 statements: this.options.inlinePolicyStatements
 }));
 }
diff --git a/lib/addons/ack/serviceMappings.ts b/lib/addons/ack/serviceMappings.ts
index 45c94f727..c9c14925c 100644
--- a/lib/addons/ack/serviceMappings.ts
+++ b/lib/addons/ack/serviceMappings.ts
@@ -128,7 +128,6 @@ export const serviceMappings : {[key in AckServiceName]?: AckChartMapping } = {
 [AckServiceName.EKS]: {
 chart: "eks-chart",
 version: "1.0.5",
- managedPolicyName: "AmazonEKSClusterPolicy",
 inlinePolicyStatements: [PolicyStatement.fromJson({
 "Effect": "Allow",
 "Action": [