diff --git a/pkg/model/components/karpenter.go b/pkg/model/components/karpenter.go index 16beded545..155bc14871 100644 --- a/pkg/model/components/karpenter.go +++ b/pkg/model/components/karpenter.go @@ -36,7 +36,7 @@ func (b *KarpenterOptionsBuilder) BuildOptions(o interface{}) error { } if c.Image == "" { - c.Image = "public.ecr.aws/karpenter/controller:v0.28.1" + c.Image = "public.ecr.aws/karpenter/controller:v0.30.0" } if c.LogEncoding == "" { diff --git a/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template b/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template index 3f172245fb..ffd576068b 100644 --- a/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template +++ b/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template @@ -1,7 +1,7 @@ # helm template karpenter oci://public.ecr.aws/karpenter/karpenter-crd \ -# --version v0.28.1 +# --version v0.30.0 # helm template karpenter oci://public.ecr.aws/karpenter/karpenter \ -# --version v0.28.1 \ +# --version v0.30.0 \ # --namespace kube-system \ # --set controller.resources.requests.cpu=500m \ # --set controller.resources.requests.memory=1Gi \ @@ -12,8 +12,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: provisioners.karpenter.sh spec: group: karpenter.sh @@ -26,7 +25,15 @@ spec: singular: provisioner scope: Cluster versions: - - name: v1alpha5 + - additionalPrinterColumns: + - jsonPath: .spec.providerRef.name + name: Template + type: string + - jsonPath: .spec.weight + name: Weight + priority: 1 + type: string + name: v1alpha5 schema: openAPIV3Schema: description: Provisioner is the Schema for the Provisioners API 
@@ -387,8 +394,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: awsnodetemplates.karpenter.k8s.aws spec: group: karpenter.k8s.aws @@ -702,8 +708,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: machines.karpenter.sh spec: group: karpenter.sh @@ -1060,10 +1065,10 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm spec: maxUnavailable: 1 @@ -1079,10 +1084,10 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm --- # Source: karpenter/templates/secret-webhook-cert.yaml @@ -1092,10 +1097,10 @@ metadata: name: karpenter-cert namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm # data: {} # Injected by karpenter-webhook --- 
@@ -1106,10 +1111,10 @@ metadata: name: config-logging namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm data: # https://github.com/uber-go/zap/blob/aa3e73ec0896f8b066ddf668597a02f89628ee50/config.go @@ -1146,12 +1151,15 @@ metadata: name: karpenter-global-settings namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm data: + "aws.assumeRoleARN": "" + "aws.assumeRoleDuration": "15m" + "aws.clusterCABundle": "" "aws.clusterEndpoint": "https://{{ APIInternalName }}" "aws.clusterName": "{{ ClusterName }}" "aws.defaultInstanceProfile": "" @@ -1166,6 +1174,7 @@ data: "aws.vmMemoryOverheadPercent": "0.075" "batchIdleDuration": "1s" "batchMaxDuration": "10s" + "featureGates.driftEnabled": "false" --- # Source: karpenter/templates/aggregate-clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -1174,10 +1183,10 @@ metadata: name: karpenter-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: ["karpenter.sh"] 
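Review bot: The three new `aws.assumeRoleARN` / `aws.assumeRoleDuration` / `aws.clusterCABundle` keys and `featureGates.driftEnabled` in the `karpenter-global-settings` hunk are hard-coded literals, while neighbouring keys such as `aws.clusterEndpoint` and `aws.clusterName` are filled from the cluster spec; the Go hunk in this commit only bumps the image, so nothing on the kops side can set them. If pinning the chart defaults is the intent, a comment should make that visible: `# aws.assumeRole*, aws.clusterCABundle and featureGates.driftEnabled are pinned to chart defaults; not exposed via the kops Karpenter spec`. Otherwise they belong in the template the same way `aws.clusterName` is.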
@@ -1193,10 +1202,10 @@ kind: ClusterRole metadata: name: karpenter-core labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm rules: # Read @@ -1220,8 +1229,11 @@ rules: verbs: [ "get", "list", "watch" ] # Write - apiGroups: ["karpenter.sh"] - resources: ["provisioners/status", "machines", "machines/status"] - verbs: ["create", "delete", "patch"] + resources: ["machines", "machines/status"] + verbs: ["create", "delete", "update", "patch"] + - apiGroups: ["karpenter.sh"] + resources: ["provisioners", "provisioners/status"] + verbs: ["update", "patch"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] @@ -1242,10 +1254,10 @@ kind: ClusterRole metadata: name: karpenter labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm rules: # Read @@ -1262,7 +1274,7 @@ rules: resourceNames: ["defaulting.webhook.karpenter.k8s.aws"] # Write - apiGroups: ["karpenter.k8s.aws"] - resources: ["awsnodetemplates/status"] + resources: ["awsnodetemplates", "awsnodetemplates/status"] verbs: ["patch", "update"] --- # Source: karpenter/templates/clusterrole-core.yaml @@ -1271,10 +1283,10 @@ kind: ClusterRoleBinding metadata: name: karpenter-core labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
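Review bot: The `karpenter-core` ClusterRole hunk widens write access from `provisioners/status` to the `provisioners` resource itself (`update`, `patch`) and adds `update` on `machines`, and the later `karpenter` ClusterRole hunk likewise adds `awsnodetemplates` beside `awsnodetemplates/status`; the controller can now rewrite user-authored Provisioner and AWSNodeTemplate specs, not only their status. This presumably mirrors the upstream v0.30.0 chart (the new `featureGates.driftEnabled` key suggests drift-related annotations), but nothing in the commit says so. A one-line comment above each widened rule, e.g. `# v0.30.0: controller patches the resource itself, not only status`, would stop the next RBAC review from tightening it back. Confirming the rules against the upstream chart's clusterrole templates before merge is worthwhile.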
@@ -1291,10 +1303,10 @@ kind: ClusterRoleBinding metadata: name: karpenter labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -1312,10 +1324,10 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm rules: # Read @@ -1361,10 +1373,10 @@ metadata: name: karpenter-dns namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm rules: # Read @@ -1373,6 +1385,28 @@ rules: resourceNames: ["kube-dns"] verbs: ["get"] --- +# Source: karpenter/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: karpenter-lease + namespace: kube-node-lease + labels: + helm.sh/chart: karpenter-v0.30.0 + app.kubernetes.io/name: karpenter + app.kubernetes.io/instance: karpenter + app.kubernetes.io/version: "0.30.0" + app.kubernetes.io/managed-by: Helm +rules: + # Read + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch"] + # Write + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["delete"] +--- # Source: karpenter/templates/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
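Review bot: The new `karpenter-lease` Role in the `kube-node-lease` hunk grants `delete` on every `leases` object in that namespace with no `resourceNames`, a new destructive permission for the karpenter ServiceAccount; since lease names track node names this is probably the narrowest grant the API allows, but the hunk gives no reason. Suggest a comment on the Write rule: `# delete: presumably to remove leases of nodes Karpenter terminates — confirm against upstream`. The Role is correctly namespaced rather than cluster-scoped, and the read rule stays at get/list/watch.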
@@ -1380,10 +1414,10 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -1401,10 +1435,10 @@ metadata: name: karpenter-dns namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -1415,6 +1449,27 @@ subjects: name: karpenter namespace: kube-system --- +# Source: karpenter/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: karpenter-lease + namespace: kube-node-lease + labels: + helm.sh/chart: karpenter-v0.30.0 + app.kubernetes.io/name: karpenter + app.kubernetes.io/instance: karpenter + app.kubernetes.io/version: "0.30.0" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: karpenter-lease +subjects: + - kind: ServiceAccount + name: karpenter + namespace: kube-system +--- # Source: karpenter/templates/service.yaml apiVersion: v1 kind: Service @@ -1422,20 +1477,20 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP ports: - name: http-metrics - port: 8080 + port: 8000 targetPort: http-metrics protocol: TCP - name: https-webhook - port: 443 + port: 8443 targetPort: https-webhook protocol: TCP selector: 
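Review bot: The Service hunk renumbers `http-metrics` from 8080 to 8000 and `https-webhook` from 443 to 8443; the webhook configurations later in this diff add `port: 8443`, which keeps the admission path consistent, but any other consumer of the old Service ports (metrics scrape configs, network policies, docs) lives outside this file and is not updated here. Both entries keep named `targetPort`s, so the Deployment's container ports — not shown in any hunk — must still be named `http-metrics` and `https-webhook`. A search for the old `8080` and `443` references across the addon tree is worth doing before merge.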
@@ -1449,10 +1504,10 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm spec: replicas: {{ ControlPlaneControllerReplicas false }} @@ -1472,12 +1527,27 @@ spec: spec: serviceAccountName: karpenter securityContext: - fsGroup: 1000 + fsGroup: 65536 + runAsUser: 65536 + runAsGroup: 65536 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault priorityClassName: "system-cluster-critical" + {{ if not IsIPv6Only }} + dnsPolicy: Default + {{ else }} # Must use ClusterFirst on IPv6 clusters in order to get DNS64 dnsPolicy: ClusterFirst + {{ end }} containers: - name: controller + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true image: {{ .Karpenter.Image }} imagePullPolicy: IfNotPresent env: @@ -1520,6 +1590,7 @@ spec: path: /healthz port: http readinessProbe: + initialDelaySeconds: 5 timeoutSeconds: 30 httpGet: path: /readyz @@ -1570,13 +1641,6 @@ spec: maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - app.kubernetes.io/instance: karpenter - app.kubernetes.io/name: karpenter - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule tolerations: - key: node-role.kubernetes.io/master operator: Exists @@ -1591,10 +1655,10 @@ kind: MutatingWebhookConfiguration metadata: name: defaulting.webhook.karpenter.k8s.aws labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm webhooks: - name: defaulting.webhook.karpenter.k8s.aws 
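Review bot: The Deployment hunk drops the `kubernetes.io/hostname` / `DoNotSchedule` topology spread constraint, so with `replicas: {{ ControlPlaneControllerReplicas false }}` all controller replicas may now land on one control-plane node; only the zone constraint with `ScheduleAnyway` remains. If that is deliberate (for example because `DoNotSchedule` leaves replicas Pending on single-node control planes), a comment on the remaining constraint should say so: `# hostname spread removed with v0.30.0 — TODO confirm: keeps replicas schedulable on small control planes`. The new pod and container securityContext (non-root UID, RuntimeDefault seccomp, all capabilities dropped, read-only root filesystem) is the right direction; the volumes stanza is outside the hunk, so confirm the controller needs no writable path under the read-only root. The new `{{ if not IsIPv6Only }}` branch would also benefit from a reason comment, as the IPv6 branch already has one.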
@@ -1603,6 +1667,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail sideEffects: None rules: @@ -1634,10 +1699,10 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.karpenter.sh labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm webhooks: - name: validation.webhook.karpenter.sh @@ -1646,6 +1711,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail sideEffects: None rules: @@ -1666,10 +1732,10 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.config.karpenter.sh labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm webhooks: - name: validation.webhook.config.karpenter.sh @@ -1678,12 +1744,12 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail sideEffects: None objectSelector: matchLabels: - app.kubernetes.io/name: karpenter - app.kubernetes.io/instance: karpenter + app.kubernetes.io/part-of: karpenter --- # Source: karpenter/templates/webhooks.yaml apiVersion: admissionregistration.k8s.io/v1 @@ -1691,10 +1757,10 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.karpenter.k8s.aws labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm webhooks: - name: validation.webhook.karpenter.k8s.aws 
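Review bot: The `validation.webhook.config.karpenter.sh` hunk changes the `objectSelector` to `app.kubernetes.io/part-of: karpenter`, but the `config-logging` and `karpenter-global-settings` ConfigMaps earlier in this diff carry only `helm.sh/chart`, `app.kubernetes.io/name`, `instance`, `version` and `managed-by` labels, so the selector no longer matches them and their admission validation is silently skipped rather than failing closed. Either add `app.kubernetes.io/part-of: karpenter` to both ConfigMaps' labels or keep the previous `name`/`instance` selector, whichever matches the upstream v0.30.0 chart. The `port: 8443` additions on the webhook `service` stanzas are consistent with the Service's new `https-webhook` port.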
@@ -1703,6 +1769,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail sideEffects: None rules: