Attach Auto Mode policies to cluster role when enabling Auto Mode

Signed-off-by: cpu1 <[email protected]>

Author: cPu1

.mockery.yaml

@@ -108,3 +108,4 @@ packages:
     interfaces:
       RoleManager: {}
       NodeGroupDrainer: {}
+      ClusterRoleManager: {}

examples/42-auto-mode.yaml

@@ -0,0 +1,17 @@
+# A sample ClusterConfig file that creates a cluster with Auto Mode enabled.
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: auto-mode-cluster
+  region: us-west-2
+
+autoModeConfig:
+  # defaults to false
+  enabled: true
+  # optional, defaults to [general-purpose, system].
+  # To disable creation of nodePools, set it to the empty array ([]).
+  nodePools: [general-purpose, system]
+  # optional, eksctl creates a new role if this is not supplied
+  # and nodePools are present.
+#  nodeRoleARN: ""

go.sum

@@ -772,7 +772,9 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2K
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak=
 github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU=
 github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw=
+github.com/aws/smithy-go v1.4.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
 github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM=
 github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/awslabs/amazon-eks-ami/nodeadm v0.0.0-20240508073157-fbfa1bc129f5 h1:F80UWAvCDH3PgWIkMhwhKN7FRlkn9MhI+nBHFq739ZM=

integration/tests/auto_mode/auto_mode_test.go

@@ -6,17 +6,17 @@ package auto_mode
 
 import (
 	"context"
-	"fmt"
 	"testing"
 	"time"
 
-	"github.com/aws/aws-sdk-go-v2/aws"
-	awseks "github.com/aws/aws-sdk-go-v2/service/eks"
-	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awseks "github.com/aws/aws-sdk-go-v2/service/eks"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
+
 	. "github.com/weaveworks/eksctl/integration/runner"
 	"github.com/weaveworks/eksctl/integration/tests"
 	clusterutils "github.com/weaveworks/eksctl/integration/utilities/cluster"
@@ -93,9 +93,7 @@ var _ = Describe("Auto Mode", Ordered, func() {
 		test, err := kube.NewTest(params.KubeconfigPath)
 		Expect(err).NotTo(HaveOccurred())
 		d := test.CreateDeploymentFromFile(test.Namespace, "../../data/podinfo.yaml")
-		start := time.Now()
 		test.WaitForDeploymentReady(d, 30*time.Minute)
-		fmt.Println("dep ready after", time.Since(start))
 		deployment, err := test.GetDeployment(test.Namespace, "podinfo")
 		Expect(err).NotTo(HaveOccurred())
 		nodeList := test.ListNodes(metav1.ListOptions{})
@@ -104,7 +102,7 @@ var _ = Describe("Auto Mode", Ordered, func() {
 		const labelName = "eks.amazonaws.com/compute-type"
 		computeType, ok := node.Labels[labelName]
 		Expect(ok).To(BeTrue(), "expected to find label %s on node %s", labelName, node.Name)
-		Expect(computeType).To(Equal("eks-managed"))
+		Expect(computeType).To(Equal("auto"))
 		podList := test.ListPodsFromDeployment(deployment)
 		Expect(podList.Items).To(HaveLen(2))
 		for _, pod := range podList.Items {

pkg/actions/automode/auto_mode_updater.go

@@ -7,15 +7,15 @@ import (
 	"slices"
 	"time"
 
-	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go-v2/service/eks"
-	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
 	"github.com/kris-nova/logger"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/eks"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
+
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
-	"github.com/weaveworks/eksctl/pkg/automode"
 	"github.com/weaveworks/eksctl/pkg/eks/waiter"
 )
 
@@ -41,13 +41,19 @@ type RoleManager interface {
 	DeleteIfRequired(ctx context.Context) error
 }
 
+// A ClusterRoleManager manages the cluster role.
+type ClusterRoleManager interface {
+	UpdateRoleForAutoMode(ctx context.Context) error
+	DeleteAutoModePolicies(ctx context.Context) error
+}
+
 // An Updater enables or disables Auto Mode.
 type Updater struct {
-	RoleManager     RoleManager
-	CoreV1Interface corev1client.CoreV1Interface
-	EKSUpdater      EKSUpdater
-	Drainer         NodeGroupDrainer
-	RBACApplier     *automode.RBACApplier
+	RoleManager        RoleManager
+	ClusterRoleManager ClusterRoleManager
+	PodsGetter         corev1client.PodsGetter
+	EKSUpdater         EKSUpdater
+	Drainer            NodeGroupDrainer
 }
 
 // Update updates the cluster to match the autoModeConfig settings supplied in clusterConfig.
@@ -57,8 +63,8 @@ func (u *Updater) Update(ctx context.Context, clusterConfig *api.ClusterConfig,
 		return cc != nil && *cc.Enabled
 	}
 	if clusterConfig.IsAutoModeEnabled() {
+		amc := clusterConfig.AutoModeConfig
 		if autoModeEnabled() {
-			amc := clusterConfig.AutoModeConfig
 			if !amc.NodeRoleARN.IsZero() && currentCluster.ComputeConfig.NodeRoleArn != nil &&
 				*currentCluster.ComputeConfig.NodeRoleArn != amc.NodeRoleARN.String() {
 				return errors.New("autoModeConfig.nodeRoleARN cannot be modified")
@@ -73,17 +79,13 @@ func (u *Updater) Update(ctx context.Context, clusterConfig *api.ClusterConfig,
 		} else {
 			logger.Info("enabling Auto Mode")
 		}
-		if err := u.enableAutoMode(ctx, clusterConfig.AutoModeConfig, currentCluster.ComputeConfig, clusterConfig.Metadata.Name); err != nil {
+		if err := u.enableAutoMode(ctx, amc, currentCluster.ComputeConfig, clusterConfig.Metadata.Name); err != nil {
 			return fmt.Errorf("enabling Auto Mode: %w", err)
 		}
-		if clusterConfig.AutoModeConfig.HasNodePools() {
+		if amc.HasNodePools() {
 			logger.Info("cluster subnets will be used for nodes launched by Auto Mode; please create a new NodeClass " +
 				"resource if you do not want to use cluster subnets")
 		}
-		logger.Info("applying node RBAC resources for Auto Mode")
-		if err := u.RBACApplier.ApplyRBACResources(); err != nil {
-			return err
-		}
 		logger.Info("Auto Mode enabled successfully")
 		return nil
 	}
@@ -94,9 +96,6 @@ func (u *Updater) Update(ctx context.Context, clusterConfig *api.ClusterConfig,
 	if err := u.disableAutoMode(ctx, clusterConfig.Metadata.Name); err != nil {
 		return fmt.Errorf("disabling Auto Mode: %w", err)
 	}
-	if err := u.RBACApplier.DeleteRBACResources(); err != nil {
-		return err
-	}
 	logger.Info("Auto Mode disabled successfully")
 	return nil
 }
@@ -105,6 +104,9 @@ func (u *Updater) enableAutoMode(ctx context.Context, autoModeConfig *api.AutoMo
 	if err := u.preflightCheck(ctx); err != nil {
 		return err
 	}
+	if err := u.ClusterRoleManager.UpdateRoleForAutoMode(ctx); err != nil {
+		return fmt.Errorf("updating cluster role to use Auto Mode: %w", err)
+	}
 	computeConfigReq := &ekstypes.ComputeConfigRequest{
 		Enabled:   aws.Bool(true),
 		NodePools: *autoModeConfig.NodePools,
@@ -177,6 +179,9 @@ func (u *Updater) disableAutoMode(ctx context.Context, clusterName string) error
 	if err := u.RoleManager.DeleteIfRequired(ctx); err != nil {
 		return fmt.Errorf("deleting IAM resources for Auto Mode: %w", err)
 	}
+	if err := u.ClusterRoleManager.DeleteAutoModePolicies(ctx); err != nil {
+		return fmt.Errorf("deleting Auto Mode policies from cluster role: %w", err)
+	}
 	return nil
 }
 
@@ -204,7 +209,7 @@ func (u *Updater) preflightCheck(ctx context.Context) error {
 	}
 	knownKarpenterNamespaces := []string{metav1.NamespaceSystem, "karpenter"}
 	for _, ns := range knownKarpenterNamespaces {
-		podList, err := u.CoreV1Interface.Pods(ns).List(ctx, metav1.ListOptions{
+		podList, err := u.PodsGetter.Pods(ns).List(ctx, metav1.ListOptions{
 			LabelSelector: "app.kubernetes.io/instance=karpenter",
 		})
 		if err != nil {

pkg/actions/automode/auto_mode_updater_test.go

@@ -3,21 +3,20 @@ package automode_test
 import (
 	"context"
 
-	"github.com/aws/aws-sdk-go-v2/aws"
-	awseks "github.com/aws/aws-sdk-go-v2/service/eks"
-	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/stretchr/testify/mock"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kubernetesfake "k8s.io/client-go/kubernetes/fake"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awseks "github.com/aws/aws-sdk-go-v2/service/eks"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
+
 	automodeactions "github.com/weaveworks/eksctl/pkg/actions/automode"
 	"github.com/weaveworks/eksctl/pkg/actions/automode/mocks"
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
-	"github.com/weaveworks/eksctl/pkg/automode"
-	automodemocks "github.com/weaveworks/eksctl/pkg/automode/mocks"
 	"github.com/weaveworks/eksctl/pkg/eks/mocksv2"
 )
 
@@ -32,11 +31,11 @@ type updaterTest struct {
 }
 
 type updaterMocks struct {
-	roleManager mocks.RoleManager
-	drainer     mocks.NodeGroupDrainer
-	eksUpdater  mocksv2.EKS
-	rawClient   automodemocks.RawClient
-	clientSet   *kubernetesfake.Clientset
+	roleManager        mocks.RoleManager
+	clusterRoleManager mocks.ClusterRoleManager
+	drainer            mocks.NodeGroupDrainer
+	eksUpdater         mocksv2.EKS
+	clientSet          *kubernetesfake.Clientset
 }
 
 var _ = DescribeTable("Auto Mode Updater", func(t updaterTest) {
@@ -50,12 +49,10 @@ var _ = DescribeTable("Auto Mode Updater", func(t updaterTest) {
 	clusterConfig.AutoModeConfig = t.autoModeConfig
 	clusterConfig.VPC = t.vpc
 	updater := &automodeactions.Updater{
-		RoleManager:     &um.roleManager,
-		CoreV1Interface: um.clientSet.CoreV1(),
-		EKSUpdater:      &um.eksUpdater,
-		RBACApplier: &automode.RBACApplier{
-			RawClient: &um.rawClient,
-		},
+		RoleManager:        &um.roleManager,
+		ClusterRoleManager: &um.clusterRoleManager,
+		PodsGetter:         um.clientSet.CoreV1(),
+		EKSUpdater:         &um.eksUpdater,
 	}
 	if t.drainNodes {
 		updater.Drainer = &um.drainer
@@ -70,9 +67,9 @@ var _ = DescribeTable("Auto Mode Updater", func(t updaterTest) {
 		AssertExpectations(t mock.TestingT) bool
 	}{
 		&um.roleManager,
+		&um.clusterRoleManager,
 		&um.eksUpdater,
 		&um.drainer,
-		&um.rawClient,
 	} {
 		asserter.AssertExpectations(GinkgoT())
 	}
@@ -151,12 +148,12 @@ var _ = DescribeTable("Auto Mode Updater", func(t updaterTest) {
 			},
 		},
 		updateMocks: func(u *updaterMocks) {
+			u.clusterRoleManager.EXPECT().UpdateRoleForAutoMode(mock.Anything).Return(nil).Once()
 			mockUpdateClusterConfig(u, &ekstypes.ComputeConfigRequest{
 				Enabled:     aws.Bool(true),
 				NodePools:   []string{api.AutoModeNodePoolGeneralPurpose},
 				NodeRoleArn: aws.String("arn:aws:iam::000:role/CustomNodeRole"),
 			})
-			u.rawClient.EXPECT().CreateOrReplace(mock.Anything, false).Return(nil)
 		},
 	}),
 	Entry("disabling Auto Mode", updaterTest{
@@ -173,7 +170,7 @@ var _ = DescribeTable("Auto Mode Updater", func(t updaterTest) {
 				Enabled: aws.Bool(false),
 			})
 			u.roleManager.EXPECT().DeleteIfRequired(mock.Anything).Return(nil).Once()
-			u.rawClient.EXPECT().Delete(mock.Anything).Return(nil)
+			u.clusterRoleManager.EXPECT().DeleteAutoModePolicies(mock.Anything).Return(nil).Once()
 		},
 	}),
 	Entry("Karpenter pods exist in the cluster when enabling Auto Mode", updaterTest{
@@ -221,12 +218,12 @@ var _ = DescribeTable("Auto Mode Updater", func(t updaterTest) {
 )
 
 func mockEnableAutoMode(u *updaterMocks, nodeRoleARN string, nodePools []string) {
+	u.clusterRoleManager.EXPECT().UpdateRoleForAutoMode(mock.Anything).Return(nil).Once()
 	mockUpdateClusterConfig(u, &ekstypes.ComputeConfigRequest{
 		Enabled:     aws.Bool(true),
 		NodePools:   nodePools,
 		NodeRoleArn: aws.String(nodeRoleARN),
 	})
-	u.rawClient.EXPECT().CreateOrReplace(mock.Anything, false).Return(nil)
 }
 
 func mockUpdateClusterConfig(u *updaterMocks, computeConfig *ekstypes.ComputeConfigRequest) {