From 6f70451a6b02b2db754c85a46aaea9a24d80eaab Mon Sep 17 00:00:00 2001 From: Aldo Lacuku Date: Tue, 16 Jul 2024 11:23:56 +0200 Subject: [PATCH] update(cluster/aws-lb): upgrade aws-load-balancer to version 2.4.7 Signed-off-by: Aldo Lacuku --- config/clusters/iam.tf | 247 ++++++++- config/prow/alb_controller.yaml | 875 +++++++++++++++++++++++--------- 2 files changed, 870 insertions(+), 252 deletions(-) diff --git a/config/clusters/iam.tf b/config/clusters/iam.tf index 5d2df2e601..9d89739df3 100644 --- a/config/clusters/iam.tf +++ b/config/clusters/iam.tf @@ -719,20 +719,35 @@ resource "aws_iam_policy" "loadbalancer_controller" { data "aws_iam_policy_document" "loadbalancer_controller" { statement { - sid = "loadbalancercontroller" - effect = "Allow" + effect = "Allow" + resources = ["*"] + actions = ["iam:CreateServiceLinkedRole"] + + condition { + test = "StringEquals" + variable = "iam:AWSServiceName" + values = ["elasticloadbalancing.amazonaws.com"] + } + } + + statement { + effect = "Allow" + resources = ["*"] actions = [ - "iam:CreateServiceLinkedRole", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", + "ec2:DescribeAvailabilityZones", "ec2:DescribeInternetGateways", "ec2:DescribeVpcs", + "ec2:DescribeVpcPeeringConnections", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces", "ec2:DescribeTags", + "ec2:GetCoipPoolUsage", + "ec2:DescribeCoipPools", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeListeners", @@ -743,6 +758,14 @@ data "aws_iam_policy_document" "loadbalancer_controller" { "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTags", + ] + } + + statement { + effect = "Allow" + resources = ["*"] + + actions = [ "cognito-idp:DescribeUserPoolClient", "acm:ListCertificates", "acm:DescribeCertificate", 
@@ -760,27 +783,189 @@ data "aws_iam_policy_document" "loadbalancer_controller" { "shield:DescribeProtection", "shield:CreateProtection", "shield:DeleteProtection", + ] + } + + statement { + effect = "Allow" + resources = ["*"] + + actions = [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", - "ec2:CreateSecurityGroup", - "elasticloadbalancing:SetWebAcl", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:AddListenerCertificates", - "elasticloadbalancing:RemoveListenerCertificates", - "elasticloadbalancing:ModifyRule", + ] + } + + statement { + effect = "Allow" + resources = ["*"] + actions = ["ec2:CreateSecurityGroup"] + } + + statement { + effect = "Allow" + resources = ["arn:aws:ec2:*:*:security-group/*"] + actions = ["ec2:CreateTags"] + + condition { + test = "StringEquals" + variable = "ec2:CreateAction" + values = ["CreateSecurityGroup"] + } + + condition { + test = "Null" + variable = "aws:RequestTag/elbv2.k8s.aws/cluster" + values = ["false"] + } + } + + statement { + effect = "Allow" + resources = ["arn:aws:ec2:*:*:security-group/*"] + + actions = [ + "ec2:CreateTags", + "ec2:DeleteTags", + ] + + condition { + test = "Null" + variable = "aws:RequestTag/elbv2.k8s.aws/cluster" + values = ["true"] + } + + condition { + test = "Null" + variable = "aws:ResourceTag/elbv2.k8s.aws/cluster" + values = ["false"] + } + } + + statement { + effect = "Allow" + resources = ["*"] + + actions = [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress", + "ec2:DeleteSecurityGroup", + ] + + condition { + test = "Null" + variable = "aws:ResourceTag/elbv2.k8s.aws/cluster" + values = ["false"] + } + } + + statement { + effect = "Allow" + resources = ["*"] + + actions = [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateTargetGroup", + ] + + condition { + test = "Null" + variable = "aws:RequestTag/elbv2.k8s.aws/cluster" + values = ["false"] + } + } + + statement { + effect = "Allow" + resources = 
["*"] + + actions = [ "elasticloadbalancing:CreateListener", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:CreateRule", "elasticloadbalancing:DeleteRule", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:CreateLoadBalancer", + ] + } + + statement { + sid = "" + effect = "Allow" + + resources = [ + "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*", + ] + + actions = [ "elasticloadbalancing:AddTags", "elasticloadbalancing:RemoveTags", - "ec2:CreateTags", - "ec2:DeleteTags", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", + ] + + condition { + test = "Null" + variable = "aws:RequestTag/elbv2.k8s.aws/cluster" + values = ["true"] + } + + condition { + test = "Null" + variable = "aws:ResourceTag/elbv2.k8s.aws/cluster" + values = ["false"] + } + } + + statement { + sid = "" + effect = "Allow" + + resources = [ + "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*", + ] + + actions = [ + "elasticloadbalancing:AddTags", + "elasticloadbalancing:RemoveTags", + ] + } + + statement { + sid = "" + effect = "Allow" + + resources = [ + "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*", + ] + + actions = ["elasticloadbalancing:AddTags"] + + condition { + test = "StringEquals" + variable = "elasticloadbalancing:CreateAction" + + values = [ + "CreateTargetGroup", + "CreateLoadBalancer", + ] + } + + condition { + test = "Null" + variable = "aws:RequestTag/elbv2.k8s.aws/cluster" + values = ["false"] + } + } + + statement { + effect = "Allow" + resources = ["*"] + + actions = [ 
"elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:SetIpAddressType", "elasticloadbalancing:SetSecurityGroups", @@ -789,11 +974,35 @@ data "aws_iam_policy_document" "loadbalancer_controller" { "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:DeleteTargetGroup", + ] + + condition { + test = "Null" + variable = "aws:ResourceTag/elbv2.k8s.aws/cluster" + values = ["false"] + } + } + + statement { + effect = "Allow" + resources = ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"] + + actions = [ "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:DeregisterTargets" + "elasticloadbalancing:DeregisterTargets", ] - resources = [ - "*" + } + + statement { + effect = "Allow" + resources = ["*"] + + actions = [ + "elasticloadbalancing:SetWebAcl", + "elasticloadbalancing:ModifyListener", + "elasticloadbalancing:AddListenerCertificates", + "elasticloadbalancing:RemoveListenerCertificates", + "elasticloadbalancing:ModifyRule", ] } } diff --git a/config/prow/alb_controller.yaml b/config/prow/alb_controller.yaml index e36d74997c..8402767794 100644 --- a/config/prow/alb_controller.yaml +++ b/config/prow/alb_controller.yaml 
@@ -1,248 +1,563 @@ -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: ingressclassparams.elbv2.k8s.aws +spec: + group: elbv2.k8s.aws + names: + kind: IngressClassParams + listKind: IngressClassParamsList + plural: ingressclassparams + singular: ingressclassparams + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Ingress Group name + jsonPath: .spec.group.name + name: GROUP-NAME + type: string + - description: The AWS Load Balancer scheme + jsonPath: .spec.scheme + name: SCHEME + type: string + - description: The AWS Load Balancer ipAddressType + jsonPath: .spec.ipAddressType + name: IP-ADDRESS-TYPE + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: IngressClassParams is the Schema for the IngressClassParams API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressClassParamsSpec defines the desired state of IngressClassParams + properties: + group: + description: Group defines the IngressGroup for all Ingresses that + belong to IngressClass with this IngressClassParams. + properties: + name: + description: Name is the name of IngressGroup. + type: string + required: + - name + type: object + ipAddressType: + description: IPAddressType defines the ip address type for all Ingresses + that belong to IngressClass with this IngressClassParams. + enum: + - ipv4 + - dualstack + type: string + loadBalancerAttributes: + description: LoadBalancerAttributes define the custom attributes to + LoadBalancers for all Ingress that that belong to IngressClass with + this IngressClassParams. + items: + description: Attributes defines custom attributes on resources. + properties: + key: + description: The key of the attribute. + type: string + value: + description: The value of the attribute. + type: string + required: + - key + - value + type: object + type: array + namespaceSelector: + description: NamespaceSelector restrict the namespaces of Ingresses + that are allowed to specify the IngressClass with this IngressClassParams. + * if absent or present but empty, it selects all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + scheme: + description: Scheme defines the scheme for all Ingresses that belong + to IngressClass with this IngressClassParams. + enum: + - internal + - internet-facing + type: string + tags: + description: Tags defines list of Tags on AWS resources provisioned + for Ingresses that belong to IngressClass with this IngressClassParams. + items: + description: Tag defines a AWS Tag on resources. + properties: + key: + description: The key of the tag. + type: string + value: + description: The value of the tag. 
+ type: string + required: + - key + - value + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null labels: app.kubernetes.io/name: aws-load-balancer-controller name: targetgroupbindings.elbv2.k8s.aws spec: - additionalPrinterColumns: - - JSONPath: .spec.serviceRef.name - description: The Kubernetes Service's name - name: SERVICE-NAME - type: string - - JSONPath: .spec.serviceRef.port - description: The Kubernetes Service's port - name: SERVICE-PORT - type: string - - JSONPath: .spec.targetType - description: The AWS TargetGroup's TargetType - name: TARGET-TYPE - type: string - - JSONPath: .spec.targetGroupARN - description: The AWS TargetGroup's Amazon Resource Name - name: ARN - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - name: AGE - type: date group: elbv2.k8s.aws names: - categories: - - all kind: TargetGroupBinding listKind: TargetGroupBindingList plural: targetgroupbindings singular: targetgroupbinding scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: TargetGroupBinding is the Schema for the TargetGroupBinding API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + versions: + - additionalPrinterColumns: + - description: The Kubernetes Service's name + jsonPath: .spec.serviceRef.name + name: SERVICE-NAME type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + - description: The Kubernetes Service's port + jsonPath: .spec.serviceRef.port + name: SERVICE-PORT type: string - metadata: - type: object - spec: - description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding + - description: The AWS TargetGroup's TargetType + jsonPath: .spec.targetType + name: TARGET-TYPE + type: string + - description: The AWS TargetGroup's Amazon Resource Name + jsonPath: .spec.targetGroupARN + name: ARN + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TargetGroupBinding is the Schema for the TargetGroupBinding API properties: - networking: - description: networking provides the networking setup for ELBV2 LoadBalancer - to access targets in TargetGroup. + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding properties: - ingress: - description: List of ingress rules to allow ELBV2 LoadBalancer to - access targets in TargetGroup. 
- items: - properties: - from: - description: List of peers which should be able to access - the targets in TargetGroup. At least one NetworkingPeer - should be specified. - items: - description: NetworkingPeer defines the source/destination - peer for networking rules. - properties: - ipBlock: - description: IPBlock defines an IPBlock peer. If specified, - none of the other fields can be set. + networking: + description: networking provides the networking setup for ELBV2 LoadBalancer + to access targets in TargetGroup. + properties: + ingress: + description: List of ingress rules to allow ELBV2 LoadBalancer + to access targets in TargetGroup. + items: + properties: + from: + description: List of peers which should be able to access + the targets in TargetGroup. At least one NetworkingPeer + should be specified. + items: + description: NetworkingPeer defines the source/destination + peer for networking rules. properties: - cidr: - description: CIDR is the network CIDR. Both IPV4 - or IPV6 CIDR are accepted. - type: string - required: - - cidr + ipBlock: + description: IPBlock defines an IPBlock peer. If specified, + none of the other fields can be set. + properties: + cidr: + description: CIDR is the network CIDR. Both IPV4 + or IPV6 CIDR are accepted. + type: string + required: + - cidr + type: object + securityGroup: + description: SecurityGroup defines a SecurityGroup + peer. If specified, none of the other fields can + be set. + properties: + groupID: + description: GroupID is the EC2 SecurityGroupID. + type: string + required: + - groupID + type: object type: object - securityGroup: - description: SecurityGroup defines a SecurityGroup peer. - If specified, none of the other fields can be set. + type: array + ports: + description: List of ports which should be made accessible + on the targets in TargetGroup. If ports is empty or unspecified, + it defaults to all ports with TCP. + items: properties: - groupID: - description: GroupID is the EC2 SecurityGroupID. 
+ port: + anyOf: + - type: integer + - type: string + description: The port which traffic must match. When + NodePort endpoints(instance TargetType) is used, + this must be a numerical port. When Port endpoints(ip + TargetType) is used, this can be either numerical + or named port on pods. if port is unspecified, it + defaults to all ports. + x-kubernetes-int-or-string: true + protocol: + description: The protocol which traffic must match. + If protocol is unspecified, it defaults to TCP. + enum: + - TCP + - UDP type: string - required: - - groupID type: object - type: object - type: array - ports: - description: List of ports which should be made accessible - on the targets in TargetGroup. If ports is empty or unspecified, - it defaults to all ports with TCP. - items: - properties: - port: - anyOf: - - type: integer - - type: string - description: The port which traffic must match. When - NodePort endpoints(instance TargetType) is used, this - must be a numerical port. When Port endpoints(ip TargetType) - is used, this can be either numerical or named port - on pods. if port is unspecified, it defaults to all - ports. - x-kubernetes-int-or-string: true - protocol: - description: The protocol which traffic must match. - If protocol is unspecified, it defaults to TCP. - enum: - - TCP - - UDP - type: string - type: object - type: array - required: - - from - - ports - type: object - type: array - type: object - serviceRef: - description: serviceRef is a reference to a Kubernetes Service and ServicePort. - properties: - name: - description: Name is the name of the Service. + type: array + required: + - from + - ports + type: object + type: array + type: object + serviceRef: + description: serviceRef is a reference to a Kubernetes Service and + ServicePort. + properties: + name: + description: Name is the name of the Service. + type: string + port: + anyOf: + - type: integer + - type: string + description: Port is the port of the ServicePort. 
+ x-kubernetes-int-or-string: true + required: + - name + - port + type: object + targetGroupARN: + description: targetGroupARN is the Amazon Resource Name (ARN) for + the TargetGroup. + type: string + targetType: + description: targetType is the TargetType of TargetGroup. If unspecified, + it will be automatically inferred. + enum: + - instance + - ip type: string - port: - anyOf: - - type: integer - - type: string - description: Port is the port of the ServicePort. - x-kubernetes-int-or-string: true required: - - name - - port + - serviceRef + - targetGroupARN + type: object + status: + description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding + properties: + observedGeneration: + description: The generation observed by the TargetGroupBinding controller. + format: int64 + type: integer type: object - targetGroupARN: - description: targetGroupARN is the Amazon Resource Name (ARN) for the - TargetGroup. - type: string - targetType: - description: targetType is the TargetType of TargetGroup. If unspecified, - it will be automatically inferred. - enum: - - instance - - ip - type: string - required: - - serviceRef - - targetGroupARN - type: object - status: - description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding - properties: - observedGeneration: - description: The generation observed by the TargetGroupBinding controller. 
- format: int64 - type: integer type: object - type: object - version: v1alpha1 - versions: - - name: v1alpha1 served: true storage: false - - name: v1beta1 + subresources: + status: {} + - additionalPrinterColumns: + - description: The Kubernetes Service's name + jsonPath: .spec.serviceRef.name + name: SERVICE-NAME + type: string + - description: The Kubernetes Service's port + jsonPath: .spec.serviceRef.port + name: SERVICE-PORT + type: string + - description: The AWS TargetGroup's TargetType + jsonPath: .spec.targetType + name: TARGET-TYPE + type: string + - description: The AWS TargetGroup's Amazon Resource Name + jsonPath: .spec.targetGroupARN + name: ARN + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: TargetGroupBinding is the Schema for the TargetGroupBinding API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding + properties: + ipAddressType: + description: ipAddressType specifies whether the target group is of + type IPv4 or IPv6. If unspecified, it will be automatically inferred. 
+ enum: + - ipv4 + - ipv6 + type: string + networking: + description: networking defines the networking rules to allow ELBV2 + LoadBalancer to access targets in TargetGroup. + properties: + ingress: + description: List of ingress rules to allow ELBV2 LoadBalancer + to access targets in TargetGroup. + items: + description: NetworkingIngressRule defines a particular set + of traffic that is allowed to access TargetGroup's targets. + properties: + from: + description: List of peers which should be able to access + the targets in TargetGroup. At least one NetworkingPeer + should be specified. + items: + description: NetworkingPeer defines the source/destination + peer for networking rules. + properties: + ipBlock: + description: IPBlock defines an IPBlock peer. If specified, + none of the other fields can be set. + properties: + cidr: + description: CIDR is the network CIDR. Both IPV4 + or IPV6 CIDR are accepted. + type: string + required: + - cidr + type: object + securityGroup: + description: SecurityGroup defines a SecurityGroup + peer. If specified, none of the other fields can + be set. + properties: + groupID: + description: GroupID is the EC2 SecurityGroupID. + type: string + required: + - groupID + type: object + type: object + type: array + ports: + description: List of ports which should be made accessible + on the targets in TargetGroup. If ports is empty or unspecified, + it defaults to all ports with TCP. + items: + description: NetworkingPort defines the port and protocol + for networking rules. + properties: + port: + anyOf: + - type: integer + - type: string + description: The port which traffic must match. When + NodePort endpoints(instance TargetType) is used, + this must be a numerical port. When Port endpoints(ip + TargetType) is used, this can be either numerical + or named port on pods. if port is unspecified, it + defaults to all ports. + x-kubernetes-int-or-string: true + protocol: + description: The protocol which traffic must match. 
+ If protocol is unspecified, it defaults to TCP. + enum: + - TCP + - UDP + type: string + type: object + type: array + required: + - from + - ports + type: object + type: array + type: object + nodeSelector: + description: node selector for instance type target groups to only + register certain nodes + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + serviceRef: + description: serviceRef is a reference to a Kubernetes Service and + ServicePort. + properties: + name: + description: Name is the name of the Service. + type: string + port: + anyOf: + - type: integer + - type: string + description: Port is the port of the ServicePort. 
+ x-kubernetes-int-or-string: true + required: + - name + - port + type: object + targetGroupARN: + description: targetGroupARN is the Amazon Resource Name (ARN) for + the TargetGroup. + minLength: 1 + type: string + targetType: + description: targetType is the TargetType of TargetGroup. If unspecified, + it will be automatically inferred. + enum: + - instance + - ip + type: string + required: + - serviceRef + - targetGroupARN + type: object + status: + description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding + properties: + observedGeneration: + description: The generation observed by the TargetGroupBinding controller. + format: int64 + type: integer + type: object + type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: kube-system/aws-load-balancer-serving-cert - creationTimestamp: null - labels: - app.kubernetes.io/name: aws-load-balancer-controller - name: aws-load-balancer-webhook -webhooks: - - clientConfig: - caBundle: Cg== - service: - name: aws-load-balancer-webhook-service - namespace: kube-system - path: /mutate-v1-pod - failurePolicy: Fail - name: mpod.elbv2.k8s.aws - namespaceSelector: - matchExpressions: - - key: elbv2.k8s.aws/pod-readiness-gate-inject - operator: In - values: - - enabled - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None - admissionReviewVersions: - - v1 - - clientConfig: - caBundle: Cg== - service: - name: aws-load-balancer-webhook-service - namespace: kube-system - path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding - failurePolicy: Fail - name: mtargetgroupbinding.elbv2.k8s.aws - rules: - - apiGroups: - - elbv2.k8s.aws - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - 
targetgroupbindings - sideEffects: None - admissionReviewVersions: - - v1beta1 + subresources: + status: {} --- apiVersion: v1 kind: ServiceAccount @@ -271,10 +586,10 @@ rules: - create - apiGroups: - "" - resources: - - configmaps resourceNames: - aws-load-balancer-controller-leader + resources: + - configmaps verbs: - get - update @@ -334,14 +649,6 @@ rules: verbs: - patch - update - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - apiGroups: - "" resources: @@ -359,6 +666,22 @@ rules: verbs: - patch - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - elbv2.k8s.aws + resources: + - ingressclassparams + verbs: + - get + - list + - watch - apiGroups: - elbv2.k8s.aws resources: @@ -395,6 +718,14 @@ rules: verbs: - patch - update + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch - apiGroups: - networking.k8s.io resources: @@ -483,7 +814,7 @@ spec: - args: - --cluster-name=falco-prow-test-infra - --ingress-class=alb - image: amazon/aws-alb-ingress-controller:v2.0.0 + image: public.ecr.aws/eks/aws-load-balancer-controller:v2.4.7 livenessProbe: failureThreshold: 2 httpGet: @@ -512,6 +843,7 @@ spec: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true + priorityClassName: system-cluster-critical securityContext: fsGroup: 1337 serviceAccountName: aws-load-balancer-controller @@ -521,11 +853,8 @@ spec: secret: defaultMode: 420 secretName: aws-load-balancer-webhook-tls - nodeSelector: - Archtype: "x86" - --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: labels: @@ -541,7 +870,7 @@ spec: name: aws-load-balancer-selfsigned-issuer secretName: aws-load-balancer-webhook-tls --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Issuer metadata: labels: 
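Review bot: The new image reference `public.ecr.aws/eks/aws-load-balancer-controller:v2.4.7` is a mutable tag; since this container also serves the cluster's mutating and validating admission webhooks, a re-pushed tag would change what runs with no change in this file. Pinning by digest, `image: public.ecr.aws/eks/aws-load-balancer-controller:v2.4.7@sha256:<digest-of-v2.4.7>` (placeholder), makes the deployed artifact verifiable and the upgrade reproducible. The rest of the container spec, including its securityContext, is outside this hunk.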
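Review bot: Dropping the `Archtype: "x86"` nodeSelector removes the only scheduling constraint visible for the controller pod, so it can now land on any node; this presumes the new image is published for every architecture the cluster runs and that no other affinity rule exists outside the hunk, neither of which the diff lets me confirm. If the selector was there for a reason beyond the old single-arch image, keep it; otherwise a comment such as `# controller image is multi-arch; no nodeSelector needed` records why scheduling anywhere is safe. The `volumes:` block above the removed lines starts outside this hunk.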
@@ -552,17 +881,78 @@ spec: selfSigned: {} --- apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: kube-system/aws-load-balancer-serving-cert + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-webhook +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /mutate-v1-pod + failurePolicy: Fail + name: mpod.elbv2.k8s.aws + namespaceSelector: + matchExpressions: + - key: elbv2.k8s.aws/pod-readiness-gate-inject + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - aws-load-balancer-controller + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding + failurePolicy: Fail + name: mtargetgroupbinding.elbv2.k8s.aws + rules: + - apiGroups: + - elbv2.k8s.aws + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - targetgroupbindings + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: kube-system/aws-load-balancer-serving-cert - creationTimestamp: null labels: app.kubernetes.io/name: aws-load-balancer-controller name: aws-load-balancer-webhook webhooks: - - clientConfig: - caBundle: Cg== + - admissionReviewVersions: + - v1beta1 + clientConfig: service: name: aws-load-balancer-webhook-service namespace: kube-system 
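Review bot: Both webhooks in the re-added MutatingWebhookConfiguration list only `v1beta1` under `admissionReviewVersions`, whereas the previous manifest listed `v1` for `mpod.elbv2.k8s.aws`; `admission.k8s.io/v1beta1` AdmissionReview has been deprecated since Kubernetes 1.16 and the API server uses the first listed version it supports. If the v2.4.7 webhook server accepts v1 reviews (the old configuration suggests it did), listing `- v1` ahead of `- v1beta1` keeps the configuration forward-compatible without changing behaviour today; the same applies to the validating webhooks in this hunk and in the last hunk of the file. The added `objectSelector` excluding the controller's own pods is worth keeping, since with `failurePolicy: Fail` a controller restart in a namespace labelled for readiness-gate injection could otherwise be blocked by its own unavailable webhook.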
@@ -580,5 +970,24 @@ webhooks: resources: - targetgroupbindings sideEffects: None - admissionReviewVersions: + - admissionReviewVersions: - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /validate-networking-v1-ingress + failurePolicy: Fail + matchPolicy: Equivalent + name: vingress.elbv2.k8s.aws + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None
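Review bot: The new `vingress.elbv2.k8s.aws` webhook has `failurePolicy: Fail` and no `namespaceSelector` or `objectSelector`, so every Ingress create or update in the cluster, including Ingresses of other classes, is rejected whenever the controller's webhook endpoint is unreachable (rollout, crash, certificate rotation). This appears to be how the upstream manifest ships it, but it widens the controller's availability blast radius compared with the previous configuration, which only validated TargetGroupBindings, and deserves a comment next to the rule, e.g. `# fail-closed on all Ingresses: controller downtime blocks Ingress writes cluster-wide`. `matchPolicy: Equivalent` also routes requests made through any other served Ingress API version here, which is consistent with the `networking.k8s.io/v1` rule.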