diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index 0cc4007..c648512 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -9,7 +9,6 @@ env: EnvironmentSetup/AWS/Source/deployments/ EnvironmentSetup/AWS/Source/hpa/ EnvironmentSetup/AWS/Source/ingress/ - EnvironmentSetup/AWS/Source/ingress-controller/ EnvironmentSetup/AWS/Source/namespace/ EnvironmentSetup/AWS/Source/pvc/ EnvironmentSetup/AWS/Source/services/ diff --git a/EnvironmentSetup/AWS/Source/ingress-controller/deploy.yaml b/EnvironmentSetup/AWS/Source/ingress-controller/deploy.yaml deleted file mode 100644 index 7cd3a7c..0000000 --- a/EnvironmentSetup/AWS/Source/ingress-controller/deploy.yaml +++ /dev/null 
@@ -1,624 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - name: ingress-nginx ---- -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - ingress-controller-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - "" - resources: - - 
events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: controller - 
app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: v1 -data: - allow-snippet-annotations: "true" -kind: ConfigMap -metadata: - 
labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-controller - namespace: ingress-nginx ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" - service.beta.kubernetes.io/aws-load-balancer-type: nlb - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - externalTrafficPolicy: Local - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: LoadBalancer ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - ports: - - appProtocol: https - name: https-webhook - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - 
app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - minReadySeconds: 0 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - spec: - containers: - - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.2.1@sha256:5516d103a9c2ecc4f026efbd4b40662ce22dc1f824fb129ed121460aaa5c47f8 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: controller - ports: - - containerPort: 80 - name: http - protocol: TCP - - containerPort: 443 - name: https - protocol: TCP - - containerPort: 8443 - name: webhook - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - 
resources: - requests: - cpu: 100m - memory: 90Mi - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - runAsUser: 101 - volumeMounts: - - mountPath: /usr/local/certificates/ - name: webhook-cert - readOnly: true - dnsPolicy: ClusterFirst - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: ingress-nginx - terminationGracePeriodSeconds: 300 - volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission-create - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission-create - spec: - containers: - - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - name: create - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: 
ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission-patch - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission-patch - spec: - containers: - - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - name: patch - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: nginx -spec: - controller: k8s.io/ingress-nginx ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: 
ingress-nginx-controller-admission - namespace: ingress-nginx - path: /networking/v1/ingresses - failurePolicy: Fail - matchPolicy: Equivalent - name: validate.nginx.ingress.kubernetes.io - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - sideEffects: None \ No newline at end of file diff --git a/EnvironmentSetup/AWS/Source/ingress/was-ingress-awes-service.yml b/EnvironmentSetup/AWS/Source/ingress/was-ingress-awes-service.yml index 388d062..501dcb3 100644 --- a/EnvironmentSetup/AWS/Source/ingress/was-ingress-awes-service.yml +++ b/EnvironmentSetup/AWS/Source/ingress/was-ingress-awes-service.yml @@ -8,12 +8,12 @@ metadata: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx annotations: - kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/proxy-connect-timeout: "360" nginx.ingress.kubernetes.io/proxy-send-timeout: "360" nginx.ingress.kubernetes.io/proxy-read-timeout: "360" nginx.ingress.kubernetes.io/load-balance: "ewma" spec: + ingressClassName: nginx rules: - http: paths: @@ -34,7 +34,6 @@ metadata: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx annotations: - kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/rewrite-target: /restart/kubernetes/active-web-elements-server-deployment nginx.ingress.kubernetes.io/auth-type: basic @@ -42,11 +41,12 @@ metadata: nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' spec: + ingressClassName: nginx rules: - http: paths: - path: /.applicationserver/kernel/restart - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: endpoint-manager diff --git a/EnvironmentSetup/AWS/Source/ingress/was-ingress-endpoint-manager-service.yml b/EnvironmentSetup/AWS/Source/ingress/was-ingress-endpoint-manager-service.yml index 97c1617..e587aad 100644 
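Review bot: The added `ingressClassName: nginx` under `spec:` only binds if an IngressClass object named `nginx` exists in the cluster, and this commit deletes the `deploy.yaml` that used to define it. The class is now expected to come from the Helm chart installed in `setup`, which does not set the name explicitly, so I would pin it there with `--set controller.ingressClassResource.name=nginx`. Without a matching class the Ingress is still accepted by the API server, but no controller picks it up. The same applies to the `ingressClassName` line added in the `-42,11` hunk of this file and in the endpoint-manager, nodefiles and resources-manager ingress files.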
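Review bot: `pathType: ImplementationSpecific` on `/.applicationserver/kernel/restart` leaves matching to the controller, and with `use-regex: "true"` on this Ingress the path is treated as a regular expression, so the unescaped `.` matches any character and nothing anchors the end. For a route that rewrites to a restart action a tighter pattern is worth having, provided no caller relies on a suffix: `- path: /\.applicationserver/kernel/restart$`. The basic-auth annotations in the context lines should still cover whatever this location matches, which is worth confirming against the rendered nginx configuration after the controller change. The `rules:` block continues past the end of the hunk.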
--- a/EnvironmentSetup/AWS/Source/ingress/was-ingress-endpoint-manager-service.yml +++ b/EnvironmentSetup/AWS/Source/ingress/was-ingress-endpoint-manager-service.yml @@ -7,15 +7,15 @@ metadata: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx annotations: - kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/rewrite-target: /endpoints/$1 spec: + ingressClassName: nginx rules: - http: paths: - path: /endpoints/?(.*) - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: endpoint-manager diff --git a/EnvironmentSetup/AWS/Source/ingress/was-ingress-nodefiles-service.yml b/EnvironmentSetup/AWS/Source/ingress/was-ingress-nodefiles-service.yml index 99594b3..32e4f4b 100644 --- a/EnvironmentSetup/AWS/Source/ingress/was-ingress-nodefiles-service.yml +++ b/EnvironmentSetup/AWS/Source/ingress/was-ingress-nodefiles-service.yml @@ -7,16 +7,16 @@ metadata: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx annotations: - kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/proxy-body-size: 1g nginx.ingress.kubernetes.io/rewrite-target: /nodefiles/$1 spec: + ingressClassName: nginx rules: - http: paths: - path: /nodefiles/?(.*) - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: resource-manager diff --git a/EnvironmentSetup/AWS/Source/ingress/was-ingress-resources-manager-service.yml b/EnvironmentSetup/AWS/Source/ingress/was-ingress-resources-manager-service.yml index b933e6c..5324ff9 100644 --- a/EnvironmentSetup/AWS/Source/ingress/was-ingress-resources-manager-service.yml +++ b/EnvironmentSetup/AWS/Source/ingress/was-ingress-resources-manager-service.yml 
@@ -7,15 +7,15 @@ metadata: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx annotations: - kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/rewrite-target: /resources/$1 spec: + ingressClassName: nginx rules: - http: paths: - path: /resources/?(.*) - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: resource-manager diff --git a/EnvironmentSetup/AWS/Source/setup b/EnvironmentSetup/AWS/Source/setup index 6cc8a53..bfee174 100755 --- a/EnvironmentSetup/AWS/Source/setup +++ b/EnvironmentSetup/AWS/Source/setup @@ -570,7 +570,9 @@ SetupFunction() { echo log_debug "Phase 3 of 5: Deploy Dependencies" printf "${GREEN}☑☑${YELLOW}☑${CYAN}□□${NORMAL} Phase ${YELLOW}3${NORMAL} of ${GREEN}5${NORMAL}: Deploy Dependencies\\n" - run_ok "kubectl apply -f ingress-controller/" "Setup Ingress Controller" + run_ok "helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx && sleep 15" "Helm Repo Add" + run_ok "helm repo update && sleep 30" "Helm Repo Update" + run_ok "helm install ingress-nginx ingress-nginx/ingress-nginx --set rbac.create=true --version 4.8.3 --set controller.service.externalTrafficPolicy=\"Local\" --namespace ingress-nginx --create-namespace & sleep 180" "Setup Ingress Controller" run_ok "kubectl apply -f metrics-server/" "Setup Metrics Server" sed -i -e 's/- --node-group-auto-discovery=asg:tag=k8s.io\/cluster-autoscaler\/enabled,k8s.io\/cluster-autoscaler\/.*/- --node-group-auto-discovery=asg:tag=k8s.io\/cluster-autoscaler\/enabled,k8s.io\/cluster-autoscaler\/'"$GET_CLUSTER_NAME"'/g' cluster-autoscaler/cluster-autoscaler-autodiscover.yaml run_ok "kubectl apply -f cluster-autoscaler/" "Setup Cluster Autoscaler" 
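Review bot: The added `helm install` line ends in `& sleep 180` with a single `&`, unlike the two `&&` lines above it, so Helm runs in the background and the status `run_ok` sees is presumably that of `sleep`; a failed install would be reported as success and the ingresses would later be applied with no controller behind them. Replacing the fixed sleeps with Helm's own wait makes the step fail loudly: `helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx --version 4.8.3 --namespace ingress-nginx --create-namespace --wait --timeout 5m --set rbac.create=true --set controller.service.externalTrafficPolicy=Local`. Using `upgrade --install` also keeps a re-run of `SetupFunction` from failing on an existing release. The `DeleteFunction` hunk at `-1137` drops the `kubectl delete` for the controller without adding `helm uninstall ingress-nginx --namespace ingress-nginx`, which would leave the release and its LoadBalancer service behind on teardown. `SetupFunction` starts and ends outside the hunk.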
@@ -610,30 +612,41 @@ fullnameOverride: "" replicaCount: 2 +useFIPS: false + image: repository: amazon/aws-efs-csi-driver - tag: "v1.4.0" + tag: "v1.7.4" pullPolicy: IfNotPresent sidecars: livenessProbe: image: repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe - tag: v2.2.0-eks-1-18-13 + tag: v2.11.0-eks-1-29-2 pullPolicy: IfNotPresent resources: {} + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false nodeDriverRegistrar: image: repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar - tag: v2.1.0-eks-1-18-13 + tag: v2.9.3-eks-1-29-2 pullPolicy: IfNotPresent resources: {} + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false csiProvisioner: image: repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner - tag: v2.1.1-eks-1-18-13 + tag: v3.6.3-eks-1-29-2 pullPolicy: IfNotPresent resources: {} + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false imagePullSecrets: [] @@ -653,7 +666,6 @@ controller: # Enable if you want the controller to also delete the # path on efs when deleteing an access point deleteAccessPointRootDir: false - volMetricsOptIn: false podAnnotations: {} resources: {} @@ -668,6 +680,7 @@ controller: # cpu: 100m # memory: 128Mi nodeSelector: {} + updateStrategy: {} tolerations: [] affinity: {} # Specifies whether a service account should be created @@ -679,11 +692,22 @@ controller: # eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/efs-csi-role healthPort: 9909 regionalStsEndpoints: false + # securityContext on the controller pod + securityContext: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + + ## Node daemonset variables node: # Number for the log level verbosity logLevel: 2 + volMetricsOptIn: false + volMetricsRefreshPeriod: 240 + volMetricsFsRateLimit: 5 hostAliases: {} # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per 
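Review bot: The new keys in this values block (`useFIPS` and the per-sidecar `securityContext` entries) take effect only if the aws-efs-csi-driver chart that consumes them is the release matching `v1.7.4`; the `helm` command that installs it is outside the hunk, so whether it pins `--version` cannot be seen here. Helm normally ignores values a chart does not reference, so on an older chart the `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` hardening would be dropped without an error. I would pin the chart version next to these values and add a comment such as `# values track aws-efs-csi-driver chart <CHART_VERSION>; keep in sync`.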
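Review bot: The controller `securityContext` added in the `-679` hunk runs the pod as uid 0 with `runAsNonRoot: false` and carries only the comment `# securityContext on the controller pod`, while the node block added later in this file explains why root is needed there. If the controller needs root, say why in a comment like the node one; if the block was copied from the chart defaults, note that instead, e.g. `# chart default; controller runs as root - revisit if upstream supports non-root`. The `controller:` mapping starts before the hunk and the `node:` mapping continues after it.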
@@ -712,6 +736,10 @@ node: # cpu: 100m # memory: 128Mi nodeSelector: {} + updateStrategy: {} + # Override default strategy (RollingUpdate) to speed up deployment. + # This can be useful if helm timeouts are observed. + # type: OnDelete tolerations: - operator: Exists # Specifies whether a service account should be created @@ -722,6 +750,13 @@ node: ## Enable if EKS IAM for SA is used # eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/efs-csi-role healthPort: 9809 + # securityContext on the node pod + securityContext: + # The node pod must be run as root to bind to the registration/driver sockets + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 storageClasses: - name: was-efs @@ -1137,7 +1172,6 @@ DeleteFunction() { echo log_debug "Phase 3 of 5: Delete Dependencies" printf "${GREEN}☑☑${YELLOW}☑${CYAN}□□${NORMAL} Phase ${YELLOW}3${NORMAL} of ${GREEN}5${NORMAL}: Delete Dependencies\\n" - run_ok "kubectl delete --ignore-not-found=true -f ingress-controller/" "Deleting Ingress Controller" run_ok "kubectl delete --ignore-not-found=true -f metrics-server/" "Deleting Metrics Server" run_ok "kubectl delete --ignore-not-found=true -f cluster-autoscaler/" "Deleting Cluster Autoscaler" sed -i -e 's/- --node-group-auto-discovery=asg:tag=k8s.io\/cluster-autoscaler\/enabled,k8s.io\/cluster-autoscaler\/.*/- --node-group-auto-discovery=asg:tag=k8s.io\/cluster-autoscaler\/enabled,k8s.io\/cluster-autoscaler\/name/g' cluster-autoscaler/cluster-autoscaler-autodiscover.yaml diff --git a/EnvironmentSetup/AWS/Source/terraform/variables.tf b/EnvironmentSetup/AWS/Source/terraform/variables.tf index 4a96ad8..b342198 100644 --- a/EnvironmentSetup/AWS/Source/terraform/variables.tf +++ b/EnvironmentSetup/AWS/Source/terraform/variables.tf @@ -7,7 +7,7 @@ variable "cluster-name" { } variable "cluster-version" { - default = "1.25" + default = "1.27" } variable "disk-size" {