From 9ee5ce247eaeb27bd4545f0463e795ae4f3e91cd Mon Sep 17 00:00:00 2001
From: Simon Marty
Date: Mon, 31 Mar 2025 14:55:41 -0700
Subject: [PATCH 1/7] Fix typo on "associations"

---
 pkg/apis/eksctl.io/v1alpha5/addon.go | 2 +-
 pkg/apis/eksctl.io/v1alpha5/addon_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/apis/eksctl.io/v1alpha5/addon.go b/pkg/apis/eksctl.io/v1alpha5/addon.go
index 984c1861c5..40995c0f3d 100644
--- a/pkg/apis/eksctl.io/v1alpha5/addon.go
+++ b/pkg/apis/eksctl.io/v1alpha5/addon.go
@@ -115,7 +115,7 @@ func (a Addon) Validate() error {
 if a.HasPodIDsSet() {
 if a.CanonicalName() == PodIdentityAgentAddon {
- return invalidAddonConfigErr(fmt.Sprintf("cannot set pod identity associtations for %q addon", PodIdentityAgentAddon))
+ return invalidAddonConfigErr(fmt.Sprintf("cannot set pod identity associations for %q addon", PodIdentityAgentAddon))
 }
 for i, pia := range *a.PodIdentityAssociations {
diff --git a/pkg/apis/eksctl.io/v1alpha5/addon_test.go b/pkg/apis/eksctl.io/v1alpha5/addon_test.go
index ca04420825..762c46f0e3 100644
--- a/pkg/apis/eksctl.io/v1alpha5/addon_test.go
+++ b/pkg/apis/eksctl.io/v1alpha5/addon_test.go
@@ -107,7 +107,7 @@ var _ = Describe("Addon", func() {
 Name: api.PodIdentityAgentAddon,
 PodIdentityAssociations: &[]api.PodIdentityAssociation{{}},
 },
- expectedErr: "cannot set pod identity associtations for \"eks-pod-identity-agent\" addon",
+ expectedErr: "cannot set pod identity associations for \"eks-pod-identity-agent\" addon",
 }),
 Entry("namespace is not set", addonWithPodIDEntry{
 addon: api.Addon{
From dca772f1ad4fa8a3ea6c3ae2cbe4368d72b69082 Mon Sep 17 00:00:00 2001
From: Simon Marty
Date: Mon, 31 Mar 2025 15:24:41 -0700
Subject: [PATCH 2/7] Add VS Code folder to gitignore

---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index 7dfabf6980..a4e3a83df6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,3 +47,6 @@ logs/*
 # Ignore social cards cache
 userdocs/.cache/*
+
+# Visual Studio Code
+.vscode/
From fde19f48a7ee890edf67ce74c83124a8da229580 Mon Sep 17 00:00:00 2001
From: Simon Marty
Date: Mon, 31 Mar 2025 15:25:10 -0700
Subject: [PATCH 3/7] Enable creating IPV6 clusters with pod identities

---
 pkg/apis/eksctl.io/v1alpha5/validation.go | 16 ++++-
 .../eksctl.io/v1alpha5/validation_test.go | 66 +++++++++++++++++++
 2 files changed, 80 insertions(+), 2 deletions(-)

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
index 078eada6bc..3ca65cc365 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "net"
 "regexp"
+ "slices"
 "strconv"
 "strings"
@@ -607,8 +608,19 @@ func (c *ClusterConfig) validateKubernetesNetworkConfig() error {
 if missing := c.addonContainsManagedAddons([]string{VPCCNIAddon, CoreDNSAddon, KubeProxyAddon}); len(missing) != 0 {
 return fmt.Errorf("the default core addons must be defined for IPv6; missing addon(s): %s; either define them or use EKS Auto Mode", strings.Join(missing, ", "))
 }
- if c.IAM == nil || c.IAM != nil && IsDisabled(c.IAM.WithOIDC) {
- return fmt.Errorf("oidc needs to be enabled if IPv6 is set; either set it or use EKS Auto Mode")
+ if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) != 0 && (c.IAM == nil || c.IAM != nil && IsDisabled(c.IAM.WithOIDC)) {
+
+ return fmt.Errorf("either pod identity or oidc needs to be enabled if IPv6 is set; set either one or use EKS Auto Mode")
+ }
+
+ if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) == 0 && !c.AddonsConfig.AutoApplyPodIdentityAssociations {
+ // Assuming user intends to use pod identities if the pod identity agent addon is added.
+ vpcCNIAddonEntry := c.Addons[slices.IndexFunc(c.Addons, func(a *Addon) bool { return a.Name == VPCCNIAddon })]
+
+ if !vpcCNIAddonEntry.UseDefaultPodIdentityAssociations &&
+ (vpcCNIAddonEntry.PodIdentityAssociations == nil || (vpcCNIAddonEntry.PodIdentityAssociations != nil && len(*vpcCNIAddonEntry.PodIdentityAssociations) == 0)) {
+ return fmt.Errorf("Set one of: addonsConfig.autoApplyPodIdentityAssociations, useDefaultPodIdentityAssociations on the vpc-cni addon, apply a custom pod identity on the vpc-cni addon")
+ }
 }
 }
diff --git a/pkg/apis/eksctl.io/v1alpha5/validation_test.go b/pkg/apis/eksctl.io/v1alpha5/validation_test.go
index ff12b876f8..204f93674f 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation_test.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation_test.go
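Review bot: The second added block, `if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) == 0 && !c.AddonsConfig.AutoApplyPodIdentityAssociations {`, runs regardless of whether OIDC is enabled, so a cluster that keeps `withOIDC: true` for vpc-cni (IRSA, the only path the replaced check allowed) and merely lists the pod identity agent for other workloads is now rejected with the "Set one of" error. If IRSA remains a supported credential path for vpc-cni when OIDC is on, hoist `oidcDisabled := c.IAM == nil || IsDisabled(c.IAM.WithOIDC)` above both checks and add `&& oidcDisabled` to the second condition; the `c.IAM != nil &&` inside the first condition is redundant after the `||` and can be dropped at the same time. Note also that the check only requires `PodIdentityAssociations` to be non-empty: an association for some other namespace or service account satisfies it while the CNI pods still get no role, so either tighten it to the CNI's service account or say in the comment that only presence is validated. The enclosing `validateKubernetesNetworkConfig` starts and ends outside this hunk.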
@@ -1181,6 +1181,72 @@ var _ = Describe("ClusterConfig validation", func() {
 })
 })
+ When("ipFamily is set to IPV6, OIDC is disabled", func() {
+ JustBeforeEach(func() {
+ cfg.VPC.NAT = nil
+ cfg.IAM = &api.ClusterIAM{
+ WithOIDC: api.Disabled(),
+ }
+ cfg.Addons = append(cfg.Addons, &api.Addon{Name: api.KubeProxyAddon}, &api.Addon{Name: api.CoreDNSAddon})
+ })
+ When("Pod identity addon is missing", func() {
+ It("returns an error", func() {
+ cfg.Addons = append(cfg.Addons, &api.Addon{Name: api.VPCCNIAddon})
+ err = api.ValidateClusterConfig(cfg)
+ Expect(err).To(MatchError(ContainSubstring("either pod identity or oidc needs to be enabled if IPv6 is set; set either one or use EKS Auto Mode")))
+
+ })
+ })
+
+ When("Pod identity addon is present", func() {
+ JustBeforeEach(func() {
+ cfg.Addons = append(cfg.Addons,
+ &api.Addon{Name: api.PodIdentityAgentAddon})
+ })
+
+ When("Use default pod identity associations is set", func() {
+ It("accepts the setting", func() {
+ cfg.Addons = append(cfg.Addons, &api.Addon{Name: api.VPCCNIAddon})
+ cfg.AddonsConfig.AutoApplyPodIdentityAssociations = true
+
+ err = api.ValidateClusterConfig(cfg)
+ Expect(err).ToNot(HaveOccurred())
+ })
+ })
+
+ When("Use default pod identity association is set on the vpc-cni addon", func() {
+ It("accepts the setting", func() {
+ cfg.Addons = append(cfg.Addons, &api.Addon{Name: api.VPCCNIAddon, UseDefaultPodIdentityAssociations: true})
+
+ err = api.ValidateClusterConfig(cfg)
+ Expect(err).ToNot(HaveOccurred())
+ })
+ })
+
+ When("The vpc-cni addon has a pod identity association configured", func() {
+ It("accepts the setting", func() {
+ cfg.Addons = append(cfg.Addons, &api.Addon{Name: api.VPCCNIAddon,
+ PodIdentityAssociations: &[]api.PodIdentityAssociation{{
+ Namespace: "test-namespace",
+ ServiceAccountName: "fakeserviceaccount",
+ RoleARN: "fakerolearn",
+ }}})
+
+ err = api.ValidateClusterConfig(cfg)
+ Expect(err).ToNot(HaveOccurred())
+ })
+ })
+
+ When("The vpc-cni addon is missing a 
pod identity configuration", func() {
+ It("returns an error", func() {
+ cfg.Addons = append(cfg.Addons, &api.Addon{Name: api.VPCCNIAddon})
+ err = api.ValidateClusterConfig(cfg)
+ Expect(err).To(MatchError(ContainSubstring("Set one of: addonsConfig.autoApplyPodIdentityAssociations, useDefaultPodIdentityAssociations on the vpc-cni addon, apply a custom pod identity on the vpc-cni addon")))
+ })
+ })
+ })
+ })
+
 When("ipFamily is set to IPv6, no managed addons are provided, but auto-mode is used", func() {
 It("accepts the setting", func() {
 cfg.VPC.NAT = nil
From 7beb9f5c987d6aa30688ebacb7cce8180227e380 Mon Sep 17 00:00:00 2001
From: Simon Marty
Date: Mon, 31 Mar 2025 15:47:31 -0700
Subject: [PATCH 4/7] Whitespace

---
 pkg/apis/eksctl.io/v1alpha5/validation.go | 1 -
 pkg/apis/eksctl.io/v1alpha5/validation_test.go | 1 -
 2 files changed, 2 deletions(-)

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
index 3ca65cc365..2c5bc07785 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -609,7 +609,6 @@ func (c *ClusterConfig) validateKubernetesNetworkConfig() error {
 return fmt.Errorf("the default core addons must be defined for IPv6; missing addon(s): %s; either define them or use EKS Auto Mode", strings.Join(missing, ", "))
 }
 if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) != 0 && (c.IAM == nil || c.IAM != nil && IsDisabled(c.IAM.WithOIDC)) {
-
 return fmt.Errorf("either pod identity or oidc needs to be enabled if IPv6 is set; set either one or use EKS Auto Mode")
 }
diff --git a/pkg/apis/eksctl.io/v1alpha5/validation_test.go b/pkg/apis/eksctl.io/v1alpha5/validation_test.go
index 204f93674f..afff46923f 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation_test.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation_test.go
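Review bot: The `When("Use default pod identity associations is set", …)` case actually sets `cfg.AddonsConfig.AutoApplyPodIdentityAssociations = true` and leaves the vpc-cni entry bare, so its description duplicates the next case and misnames what is exercised; rename it to `When("autoApplyPodIdentityAssociations is set", func() {`. The new table also has no case where OIDC is enabled, the pod identity agent is listed and vpc-cni carries no association, so the intended behaviour for IRSA users who also install the agent is not pinned either way; add an `It` under an OIDC-enabled context asserting whichever outcome is intended. The `RoleARN: "fakerolearn"` fixture passing suggests association contents are not validated on this path; if ARN format is checked elsewhere, a realistic ARN would keep this test from breaking when that validation is tightened. The `Describe` block these cases live in starts before and ends after the hunk.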
@@ -1194,7 +1194,6 @@ var _ = Describe("ClusterConfig validation", func() {
 cfg.Addons = append(cfg.Addons, &api.Addon{Name: api.VPCCNIAddon})
 err = api.ValidateClusterConfig(cfg)
 Expect(err).To(MatchError(ContainSubstring("either pod identity or oidc needs to be enabled if IPv6 is set; set either one or use EKS Auto Mode")))
-
 })
 })
From 289418260c28634a30b1fa91041a99af21b9390d Mon Sep 17 00:00:00 2001
From: Simon Marty
Date: Mon, 31 Mar 2025 17:14:49 -0700
Subject: [PATCH 5/7] Add a getAddon helper method

---
 pkg/apis/eksctl.io/v1alpha5/validation.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
index 2c5bc07785..0a230bec62 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -5,7 +5,6 @@ import (
 "fmt"
 "net"
 "regexp"
- "slices"
 "strconv"
 "strings"
@@ -536,6 +535,15 @@ func (c *ClusterConfig) addonContainsManagedAddons(addons []string) []string {
 return missing
 }
+func (c *ClusterConfig) getAddon(name string) *Addon {
+ for _, addon := range c.Addons {
+ if addon.Name == name {
+ return addon
+ }
+ }
+ return nil
+}
+
 // ValidateClusterEndpointConfig checks the endpoint configuration for potential issues
 func (c *ClusterConfig) ValidateClusterEndpointConfig() error {
 if c.VPC.ClusterEndpoints != nil {
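Review bot: `getAddon` matches on the raw `addon.Name`, while `Addon.Validate` (first patch of this series) compares via `a.CanonicalName()`; if `addonContainsManagedAddons` normalises names the same way, a config spelling the addon as `VPC-CNI` passes the core-addon check but `getAddon(VPCCNIAddon)` returns nil and the caller then trips on a "should never happen" path. Align the comparison with the rest of the file — `if strings.EqualFold(addon.Name, name) {` if `CanonicalName` is a case-fold, or compare canonical names directly (its body is not visible here, so confirm). The helper is also undocumented; add `// getAddon returns the configured addon with the given name, or nil when the config does not declare it.` above the func. First match wins, which is only correct if duplicate addon names are rejected elsewhere; say so in the comment or it reads as an unchecked assumption.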
@@ -614,7 +622,7 @@ func (c *ClusterConfig) validateKubernetesNetworkConfig() error {
 if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) == 0 && !c.AddonsConfig.AutoApplyPodIdentityAssociations {
 // Assuming user intends to use pod identities if the pod identity agent addon is added.
- vpcCNIAddonEntry := c.Addons[slices.IndexFunc(c.Addons, func(a *Addon) bool { return a.Name == VPCCNIAddon })]
+ vpcCNIAddonEntry := c.getAddon(VPCCNIAddon)
 if !vpcCNIAddonEntry.UseDefaultPodIdentityAssociations &&
 (vpcCNIAddonEntry.PodIdentityAssociations == nil || (vpcCNIAddonEntry.PodIdentityAssociations != nil && len(*vpcCNIAddonEntry.PodIdentityAssociations) == 0)) {
From 32c7d0f37d7eb3ef2fb34312dfcc6bf0e62691a0 Mon Sep 17 00:00:00 2001
From: Simon Marty
Date: Tue, 1 Apr 2025 09:35:43 -0700
Subject: [PATCH 6/7] Add null check on vpcCNIAddonEntry

---
 pkg/apis/eksctl.io/v1alpha5/validation.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
index 0a230bec62..4743f07c5d 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -617,13 +617,17 @@ func (c *ClusterConfig) validateKubernetesNetworkConfig() error {
 return fmt.Errorf("the default core addons must be defined for IPv6; missing addon(s): %s; either define them or use EKS Auto Mode", strings.Join(missing, ", "))
 }
 if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) != 0 && (c.IAM == nil || c.IAM != nil && IsDisabled(c.IAM.WithOIDC)) {
- return fmt.Errorf("either pod identity or oidc needs to be enabled if IPv6 is set; set either one or use EKS Auto Mode")
+ return errors.New("either pod identity or oidc needs to be enabled if IPv6 is set; set either one or use EKS Auto Mode")
 }
 if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) == 0 && !c.AddonsConfig.AutoApplyPodIdentityAssociations {
 // Assuming user intends to use pod identities if the pod identity agent addon is added.
 vpcCNIAddonEntry := c.getAddon(VPCCNIAddon)
+ if vpcCNIAddonEntry == nil {
+ return errors.New("the vpc-cni addon must be defined for IPv6; either define it or use EKS Auto Mode")
+ }
+
 if !vpcCNIAddonEntry.UseDefaultPodIdentityAssociations &&
 (vpcCNIAddonEntry.PodIdentityAssociations == nil || (vpcCNIAddonEntry.PodIdentityAssociations != nil && len(*vpcCNIAddonEntry.PodIdentityAssociations) == 0)) {
 return fmt.Errorf("Set one of: addonsConfig.autoApplyPodIdentityAssociations, useDefaultPodIdentityAssociations on the vpc-cni addon, apply a custom pod identity on the vpc-cni addon")
From cb3f85d512006f71f78fcf501646ecd381ba0457 Mon Sep 17 00:00:00 2001
From: Simon Marty
Date: Tue, 1 Apr 2025 13:15:08 -0700
Subject: [PATCH 7/7] Add comments

---
 pkg/apis/eksctl.io/v1alpha5/validation.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
index 4743f07c5d..27698dd7e4 100644
--- a/pkg/apis/eksctl.io/v1alpha5/validation.go
+++ b/pkg/apis/eksctl.io/v1alpha5/validation.go
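Review bot: The `return fmt.Errorf("Set one of: …")` at the bottom of the hunk is now the only error in this block still built with `fmt.Errorf` and no verbs, and the only one starting with a capital letter, after the two neighbouring returns moved to `errors.New`; switch it to `errors.New("set one of: addonsConfig.autoApplyPodIdentityAssociations, useDefaultPodIdentityAssociations on the vpc-cni addon, or a custom pod identity association on the vpc-cni addon")` and update the substring asserted in validation_test.go with it. The new nil guard's message, `"the vpc-cni addon must be defined for IPv6; either define it or use EKS Auto Mode"`, duplicates the core-addon check a few lines up, which already returns when vpc-cni is missing; if the guard is purely defensive, a message that says so (e.g. `"internal error: vpc-cni addon entry not found after core addon check"`) makes a later genuinely reachable path easy to recognise in bug reports. The enclosing function continues beyond the hunk.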
@@ -616,20 +616,24 @@ func (c *ClusterConfig) validateKubernetesNetworkConfig() error {
 if missing := c.addonContainsManagedAddons([]string{VPCCNIAddon, CoreDNSAddon, KubeProxyAddon}); len(missing) != 0 {
 return fmt.Errorf("the default core addons must be defined for IPv6; missing addon(s): %s; either define them or use EKS Auto Mode", strings.Join(missing, ", "))
 }
+
+ // Check if at least one credential provider (Pod identity or IRSA) is configured
 if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) != 0 && (c.IAM == nil || c.IAM != nil && IsDisabled(c.IAM.WithOIDC)) {
 return errors.New("either pod identity or oidc needs to be enabled if IPv6 is set; set either one or use EKS Auto Mode")
 }
+ // If the pod identity addon is present, verify it is correctly configured for use by the VPC CNI addon
+ // Assuming user intends to use pod identities if the pod identity agent addon is added.
 if len(c.addonContainsManagedAddons([]string{PodIdentityAgentAddon})) == 0 && !c.AddonsConfig.AutoApplyPodIdentityAssociations {
- // Assuming user intends to use pod identities if the pod identity agent addon is added.
 vpcCNIAddonEntry := c.getAddon(VPCCNIAddon)
 if vpcCNIAddonEntry == nil {
+ // should be unreachable
 return errors.New("the vpc-cni addon must be defined for IPv6; either define it or use EKS Auto Mode")
 }
 if !vpcCNIAddonEntry.UseDefaultPodIdentityAssociations &&
- (vpcCNIAddonEntry.PodIdentityAssociations == nil || (vpcCNIAddonEntry.PodIdentityAssociations != nil && len(*vpcCNIAddonEntry.PodIdentityAssociations) == 0)) {
+ (vpcCNIAddonEntry.PodIdentityAssociations == nil || len(*vpcCNIAddonEntry.PodIdentityAssociations) == 0) {
 return fmt.Errorf("Set one of: addonsConfig.autoApplyPodIdentityAssociations, useDefaultPodIdentityAssociations on the vpc-cni addon, apply a custom pod identity on the vpc-cni addon")
 }
 }
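Review bot: The new comment `// If the pod identity addon is present, verify it is correctly configured for use by the VPC CNI addon` overstates what the condition below checks: it only verifies that `UseDefaultPodIdentityAssociations` is set or that `PodIdentityAssociations` is non-empty, not that any association targets the CNI's service account nor that the agent addon itself is configured. Reword it to match, e.g. `// If the pod identity agent addon is listed and associations are not auto-applied, require vpc-cni to declare at least one association (its contents are not validated here).` The bare `// should be unreachable` should name the invariant it relies on so a later reordering does not silently break it: `// unreachable: the core-addon check above already fails when vpc-cni is absent`. The "Check if at least one credential provider … is configured" comment is likewise approximate — the condition only tests that the agent addon is listed — and "listed" would be the accurate word. The enclosing function starts and ends outside the hunk.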