(Bad, but working) terraform for Karpenter
# This is VERY quick and dirty. Find and replace 'my-eks-name' with the name of your EKS cluster.
# This also assumes you created your cluster using this module: https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/17.1.0 -- if you didn't, you'll probably have to adjust some of the variables. It shouldn't be too hard.
# Instance profile that carries the Karpenter node role onto the EC2
# instances Karpenter launches. It simply binds the profile name to the
# node role declared in this file.
resource "aws_iam_instance_profile" "KarpenterNodeInstanceProfile-my-eks-name" {
  role = aws_iam_role.KarpenterNodeRole-my-eks-name.name
  name = "KarpenterNodeInstanceProfile-my-eks-name"
}
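# IAM role assumed by the EC2 worker nodes that Karpenter launches.
# The trust policy admits only the EC2 service principal; the node's
# permissions come entirely from the AWS-managed policies attached below.
resource "aws_iam_role" "KarpenterNodeRole-my-eks-name" {
  name = "KarpenterNodeRole-my-eks-name"
  path = "/"

  # jsonencode() instead of a heredoc: Terraform validates the structure,
  # and there is no indentation-sensitive EOF marker to get wrong.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })

  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
  ]
}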
# This assumes your clusterrole is called 'karpenter' and that you deploy to the namespace 'karpenter'.
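# IAM role for the Karpenter controller itself, assumed through IRSA by the
# 'karpenter' service account in the 'karpenter' namespace.
resource "aws_iam_role" "karpenter" {
  name = "karpenter"

  # jsonencode() instead of a heredoc so Terraform validates the document.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRoleWithWebIdentity"
        Principal = {
          Federated = "arn:aws:iam::${var.aws_account}:oidc-provider/${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}"
        }
        # Two conditions are needed: 'sub' pins the trust to one service
        # account, and 'aud' restricts it to tokens whose audience is
        # sts.amazonaws.com (the audience EKS sets on IRSA tokens), so a
        # token the same provider issued for a different audience cannot
        # be exchanged for this role.
        Condition = {
          StringEquals = {
            "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:sub" = "system:serviceaccount:karpenter:karpenter"
            "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud" = "sts.amazonaws.com"
          }
        }
      }
    ]
  })
}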
# Attaches the controller policy to the controller role.
resource "aws_iam_role_policy_attachment" "karpenter-KarpenterControllerPolicy-my-eks-name-attach-prod" {
  policy_arn = aws_iam_policy.KarpenterControllerPolicy-my-eks-name.arn
  role       = aws_iam_role.karpenter.name
}
# Customer-managed policy rendered from the policy document below.
# name_prefix lets the provider append a unique suffix, so a replacement
# never collides with the policy it supersedes.
resource "aws_iam_policy" "KarpenterControllerPolicy-my-eks-name" {
  description = "EKS KarpenterController policy for cluster ${module.eks.cluster_id}"
  name_prefix = "KarpenterControllerPolicy-my-eks-name"
  policy      = data.aws_iam_policy_document.KarpenterControllerPolicy-my-eks-name.json
}
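# Permissions for the Karpenter controller. The EC2/SSM actions stay in
# one wildcard statement as before; iam:PassRole is pulled out into its
# own statement and pinned to the node role declared in this file.
data "aws_iam_policy_document" "KarpenterControllerPolicy-my-eks-name" {
  statement {
    sid    = "KarpenterControllerPolicy"
    effect = "Allow"
    actions = [
      "ec2:CreateLaunchTemplate",
      "ec2:CreateFleet",
      "ec2:RunInstances",
      "ec2:CreateTags",
      "ec2:TerminateInstances",
      "ec2:DescribeLaunchTemplates",
      "ec2:DescribeInstances",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets",
      "ec2:DescribeInstanceTypes",
      "ec2:DescribeInstanceTypeOfferings",
      "ec2:DescribeAvailabilityZones",
      "ssm:GetParameter",
    ]
    # Still broad: the Run/Terminate/CreateTags calls are not scoped to
    # Karpenter-managed resources here.
    resources = ["*"]
  }

  # iam:PassRole on "*" would let the controller (or anything holding its
  # credentials) attach any role in the account to an instance it launches.
  # Only the node role ever needs to be passed, so limit it to that ARN.
  statement {
    sid       = "KarpenterControllerPassNodeRole"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.KarpenterNodeRole-my-eks-name.arn]
  }
}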
# Remember, you also have to add an entry to the aws-auth configmap. That isn't scripted here.