diff --git a/pkg/model/components/karpenter.go b/pkg/model/components/karpenter.go index 16beded545..155bc14871 100644 --- a/pkg/model/components/karpenter.go +++ b/pkg/model/components/karpenter.go @@ -36,7 +36,7 @@ func (b *KarpenterOptionsBuilder) BuildOptions(o interface{}) error { } if c.Image == "" { - c.Image = "public.ecr.aws/karpenter/controller:v0.28.1" + c.Image = "public.ecr.aws/karpenter/controller:v0.30.0" } if c.LogEncoding == "" { diff --git a/tests/e2e/kubetest2-kops/deployer/up.go b/tests/e2e/kubetest2-kops/deployer/up.go index c5f47e95e1..872fbf6127 100644 --- a/tests/e2e/kubetest2-kops/deployer/up.go +++ b/tests/e2e/kubetest2-kops/deployer/up.go @@ -261,14 +261,8 @@ func (d *deployer) updateCluster(yes bool) error { func (d *deployer) IsUp() (bool, error) { wait := d.ValidationWait if wait == 0 { - if d.TerraformVersion != "" || d.CloudProvider == "digitalocean" { - // `--target terraform` doesn't precreate the API DNS records, - // so kops is more likely to hit negative TTLs during validation. - // Digital Ocean also occasionally takes longer to validate. - wait = time.Duration(20) * time.Minute - } else { - wait = time.Duration(15) * time.Minute - } + // kOps is more likely to hit negative TTLs for API DNS during validation. + wait = time.Duration(20) * time.Minute } args := []string{ d.KopsBinaryPath, "validate", "cluster", diff --git a/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content index 340e8392b1..d0bf6491c3 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content 
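Review bot: The added line `wait = time.Duration(20) * time.Minute` in the up.go hunk wraps a constant in a redundant conversion; the idiomatic form is `wait = 20 * time.Minute`, since an untyped constant times a Duration is already a Duration. The new comment also lost its point of reference: it says kOps "is more likely" to hit negative TTLs, but the Terraform/DigitalOcean branch it was comparing against is gone, so something like `// Allow 20 minutes: API DNS records may not exist yet and negative TTLs can delay validation.` keeps the rationale intact. The enclosing IsUp function continues past the end of the hunk.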
@@ -57,7 +57,7 @@ spec: karpenter: cpuRequest: 100m enabled: true - image: public.ecr.aws/karpenter/controller:v0.28.1 + image: public.ecr.aws/karpenter/controller:v0.30.0 logEncoding: console logLevel: debug memoryLimit: 2Gi diff --git a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index e9fad92a81..c704f34f7c 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -120,7 +120,7 @@ spec: version: 9.99.0 - id: k8s-1.19 manifest: karpenter.sh/k8s-1.19.yaml - manifestHash: 83732936b11b5830020d8af7bf0955c4b6334c7a1ba93bf051b40bb79294075d + manifestHash: 4d98502de7554ba20b42fd19517a874e79df1db60336e72d9ecfefaa5e980c78 name: karpenter.sh prune: kinds: @@ -168,11 +168,13 @@ spec: kind: Role labelSelector: addon.kops.k8s.io/name=karpenter.sh,app.kubernetes.io/managed-by=kops namespaces: + - kube-node-lease - kube-system - group: rbac.authorization.k8s.io kind: RoleBinding labelSelector: addon.kops.k8s.io/name=karpenter.sh,app.kubernetes.io/managed-by=kops namespaces: + - kube-node-lease - kube-system selector: k8s-addon: karpenter.sh diff --git a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-karpenter.sh-k8s-1.19_content b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-karpenter.sh-k8s-1.19_content index e992cff26f..7d771070ba 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-karpenter.sh-k8s-1.19_content +++ b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-karpenter.sh-k8s-1.19_content 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null labels: addon.kops.k8s.io/name: karpenter.sh @@ -20,7 +20,15 @@ spec: singular: provisioner scope: Cluster versions: - - name: v1alpha5 + - additionalPrinterColumns: + - jsonPath: .spec.providerRef.name + name: Template + type: string + - jsonPath: .spec.weight + name: Weight + priority: 1 + type: string + name: v1alpha5 schema: openAPIV3Schema: description: Provisioner is the Schema for the Provisioners API @@ -382,7 +390,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null labels: addon.kops.k8s.io/name: karpenter.sh @@ -702,7 +710,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null labels: addon.kops.k8s.io/name: karpenter.sh @@ -1068,8 +1076,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system @@ -1091,8 +1099,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system 
@@ -1108,8 +1116,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-cert namespace: kube-system @@ -1151,8 +1159,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: config-logging namespace: kube-system @@ -1161,6 +1169,9 @@ metadata: apiVersion: v1 data: + aws.assumeRoleARN: "" + aws.assumeRoleDuration: 15m + aws.clusterCABundle: "" aws.clusterEndpoint: https://api.internal.minimal.example.com aws.clusterName: minimal.example.com aws.defaultInstanceProfile: "" @@ -1171,6 +1182,7 @@ data: aws.vmMemoryOverheadPercent: "0.075" batchIdleDuration: 1s batchMaxDuration: 10s + featureGates.driftEnabled: "false" kind: ConfigMap metadata: creationTimestamp: null @@ -1179,8 +1191,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-global-settings namespace: kube-system @@ -1196,8 +1208,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh rbac.authorization.k8s.io/aggregate-to-admin: "true" name: karpenter-admin 
@@ -1239,8 +1251,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-core rules: @@ -1307,12 +1319,20 @@ rules: - apiGroups: - karpenter.sh resources: - - provisioners/status - machines - machines/status verbs: - create - delete + - update + - patch +- apiGroups: + - karpenter.sh + resources: + - provisioners + - provisioners/status + verbs: + - update - patch - apiGroups: - "" @@ -1356,8 +1376,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter rules: @@ -1388,6 +1408,7 @@ rules: - apiGroups: - karpenter.k8s.aws resources: + - awsnodetemplates - awsnodetemplates/status verbs: - patch @@ -1404,8 +1425,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-core roleRef: @@ -1428,8 +1449,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter roleRef: 
@@ -1452,8 +1473,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system @@ -1531,8 +1552,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-dns namespace: kube-system @@ -1548,6 +1569,38 @@ rules: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: karpenter.sh + app.kubernetes.io/instance: karpenter + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: karpenter + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 + k8s-addon: karpenter.sh + name: karpenter-lease + namespace: kube-node-lease +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - delete + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -1557,8 +1610,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system 
@@ -1582,8 +1635,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter-dns namespace: kube-system @@ -1598,6 +1651,31 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: karpenter.sh + app.kubernetes.io/instance: karpenter + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: karpenter + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 + k8s-addon: karpenter.sh + name: karpenter-lease + namespace: kube-node-lease +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: karpenter-lease +subjects: +- kind: ServiceAccount + name: karpenter + namespace: kube-system + +--- + apiVersion: v1 kind: Service metadata: @@ -1607,19 +1685,19 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system spec: ports: - name: http-metrics - port: 8080 + port: 8000 protocol: TCP targetPort: http-metrics - name: https-webhook - port: 443 + port: 8443 protocol: TCP targetPort: https-webhook selector: @@ -1638,8 +1716,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: karpenter namespace: kube-system 
@@ -1718,7 +1796,7 @@ spec: value: arn:aws-test:iam::123456789012:role/karpenter.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: public.ecr.aws/karpenter/controller:v0.28.1 + image: public.ecr.aws/karpenter/controller:v0.30.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -1741,6 +1819,7 @@ spec: httpGet: path: /readyz port: http + initialDelaySeconds: 5 timeoutSeconds: 30 resources: limits: @@ -1748,14 +1827,25 @@ spec: requests: cpu: 100m memory: 500Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/run/secrets/amazonaws.com/ name: token-amazonaws-com readOnly: true - dnsPolicy: ClusterFirst + dnsPolicy: Default priorityClassName: system-cluster-critical securityContext: - fsGroup: 1000 + fsGroup: 65536 + runAsGroup: 65536 + runAsNonRoot: true + runAsUser: 65536 + seccompProfile: + type: RuntimeDefault serviceAccountName: karpenter tolerations: - key: node-role.kubernetes.io/master @@ -1772,13 +1862,6 @@ spec: maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - app.kubernetes.io/instance: karpenter - app.kubernetes.io/name: karpenter - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule volumes: - name: token-amazonaws-com projected: @@ -1800,8 +1883,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: defaulting.webhook.karpenter.k8s.aws webhooks: @@ -1811,6 +1894,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail name: defaulting.webhook.karpenter.k8s.aws rules: 
@@ -1848,8 +1932,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: validation.webhook.karpenter.sh webhooks: @@ -1859,6 +1943,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail name: validation.webhook.karpenter.sh rules: @@ -1885,8 +1970,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: validation.webhook.config.karpenter.sh webhooks: @@ -1896,12 +1981,12 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail name: validation.webhook.config.karpenter.sh objectSelector: matchLabels: - app.kubernetes.io/instance: karpenter - app.kubernetes.io/name: karpenter + app.kubernetes.io/part-of: karpenter sideEffects: None --- @@ -1915,8 +2000,8 @@ metadata: app.kubernetes.io/instance: karpenter app.kubernetes.io/managed-by: kops app.kubernetes.io/name: karpenter - app.kubernetes.io/version: 0.28.1 - helm.sh/chart: karpenter-v0.28.1 + app.kubernetes.io/version: 0.30.0 + helm.sh/chart: karpenter-v0.30.0 k8s-addon: karpenter.sh name: validation.webhook.karpenter.k8s.aws webhooks: @@ -1926,6 +2011,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail name: validation.webhook.karpenter.k8s.aws rules: diff --git a/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template b/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template index 3f172245fb..ffd576068b 100644 --- a/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template 
+++ b/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template @@ -1,7 +1,7 @@ # helm template karpenter oci://public.ecr.aws/karpenter/karpenter-crd \ -# --version v0.28.1 +# --version v0.30.0 # helm template karpenter oci://public.ecr.aws/karpenter/karpenter \ -# --version v0.28.1 \ +# --version v0.30.0 \ # --namespace kube-system \ # --set controller.resources.requests.cpu=500m \ # --set controller.resources.requests.memory=1Gi \ @@ -12,8 +12,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: provisioners.karpenter.sh spec: group: karpenter.sh @@ -26,7 +25,15 @@ spec: singular: provisioner scope: Cluster versions: - - name: v1alpha5 + - additionalPrinterColumns: + - jsonPath: .spec.providerRef.name + name: Template + type: string + - jsonPath: .spec.weight + name: Weight + priority: 1 + type: string + name: v1alpha5 schema: openAPIV3Schema: description: Provisioner is the Schema for the Provisioners API @@ -387,8 +394,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: awsnodetemplates.karpenter.k8s.aws spec: group: karpenter.k8s.aws @@ -702,8 +708,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: machines.karpenter.sh spec: group: karpenter.sh 
@@ -1060,10 +1065,10 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm spec: maxUnavailable: 1 @@ -1079,10 +1084,10 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm --- # Source: karpenter/templates/secret-webhook-cert.yaml @@ -1092,10 +1097,10 @@ metadata: name: karpenter-cert namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm # data: {} # Injected by karpenter-webhook --- @@ -1106,10 +1111,10 @@ metadata: name: config-logging namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm data: # https://github.com/uber-go/zap/blob/aa3e73ec0896f8b066ddf668597a02f89628ee50/config.go 
@@ -1146,12 +1151,15 @@ metadata: name: karpenter-global-settings namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm data: + "aws.assumeRoleARN": "" + "aws.assumeRoleDuration": "15m" + "aws.clusterCABundle": "" "aws.clusterEndpoint": "https://{{ APIInternalName }}" "aws.clusterName": "{{ ClusterName }}" "aws.defaultInstanceProfile": "" @@ -1166,6 +1174,7 @@ data: "aws.vmMemoryOverheadPercent": "0.075" "batchIdleDuration": "1s" "batchMaxDuration": "10s" + "featureGates.driftEnabled": "false" --- # Source: karpenter/templates/aggregate-clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -1174,10 +1183,10 @@ metadata: name: karpenter-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: ["karpenter.sh"] @@ -1193,10 +1202,10 @@ kind: ClusterRole metadata: name: karpenter-core labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm rules: # Read 
@@ -1220,8 +1229,11 @@ rules: verbs: [ "get", "list", "watch" ] # Write - apiGroups: ["karpenter.sh"] - resources: ["provisioners/status", "machines", "machines/status"] - verbs: ["create", "delete", "patch"] + resources: ["machines", "machines/status"] + verbs: ["create", "delete", "update", "patch"] + - apiGroups: ["karpenter.sh"] + resources: ["provisioners", "provisioners/status"] + verbs: ["update", "patch"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] @@ -1242,10 +1254,10 @@ kind: ClusterRole metadata: name: karpenter labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm rules: # Read @@ -1262,7 +1274,7 @@ rules: resourceNames: ["defaulting.webhook.karpenter.k8s.aws"] # Write - apiGroups: ["karpenter.k8s.aws"] - resources: ["awsnodetemplates/status"] + resources: ["awsnodetemplates", "awsnodetemplates/status"] verbs: ["patch", "update"] --- # Source: karpenter/templates/clusterrole-core.yaml @@ -1271,10 +1283,10 @@ kind: ClusterRoleBinding metadata: name: karpenter-core labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -1291,10 +1303,10 @@ kind: ClusterRoleBinding metadata: name: karpenter labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
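Review bot: The rewritten write rules widen the karpenter service account from status-only writes to `update`/`patch` on whole `provisioners` objects, and the karpenter ClusterRole likewise gains `update`/`patch` on `awsnodetemplates`, so the controller can now rewrite the provisioning policy it enforces rather than only report on it. Nothing in the hunk records why; presumably the upstream v0.30 controller needs it for annotating or defaulting those objects, and a comment would stop a later cleanup from trimming the grant back and breaking the controller. Suggested above the provisioners rule: `# Spec write access (not only /status) is required by the upstream v0.30 controller; keep in sync with the chart.` The same comment fits the awsnodetemplates rule. Both ClusterRoles are bound cluster-wide by the ClusterRoleBindings further down, so these are not namespace-scoped grants.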
@@ -1312,10 +1324,10 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm rules: # Read @@ -1361,10 +1373,10 @@ metadata: name: karpenter-dns namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm rules: # Read @@ -1373,6 +1385,28 @@ rules: resourceNames: ["kube-dns"] verbs: ["get"] --- +# Source: karpenter/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: karpenter-lease + namespace: kube-node-lease + labels: + helm.sh/chart: karpenter-v0.30.0 + app.kubernetes.io/name: karpenter + app.kubernetes.io/instance: karpenter + app.kubernetes.io/version: "0.30.0" + app.kubernetes.io/managed-by: Helm +rules: + # Read + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch"] + # Write + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["delete"] +--- # Source: karpenter/templates/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -1380,10 +1414,10 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
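Review bot: The new `karpenter-lease` Role grants `delete` on every Lease in `kube-node-lease`, which is where kubelets write their heartbeats, and the hunk gives neither a rationale nor a `resourceNames` restriction (one is not practical, since lease names are node names). Deleting a live node's lease is a denial-of-service lever if this service account is ever compromised, so the grant deserves a comment naming its intended use; presumably it is garbage collection of leases left behind by nodes Karpenter has terminated. Suggested above the write rule: `# Write: remove stale heartbeat leases of nodes Karpenter terminated; delete is the only verb needed here.` The generated bootstrap manifest adds `kube-node-lease` to the addon's prune namespaces, which is the right pairing for a new namespaced Role.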
@@ -1401,10 +1435,10 @@ metadata: name: karpenter-dns namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -1415,6 +1449,27 @@ subjects: name: karpenter namespace: kube-system --- +# Source: karpenter/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: karpenter-lease + namespace: kube-node-lease + labels: + helm.sh/chart: karpenter-v0.30.0 + app.kubernetes.io/name: karpenter + app.kubernetes.io/instance: karpenter + app.kubernetes.io/version: "0.30.0" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: karpenter-lease +subjects: + - kind: ServiceAccount + name: karpenter + namespace: kube-system +--- # Source: karpenter/templates/service.yaml apiVersion: v1 kind: Service @@ -1422,20 +1477,20 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP ports: - name: http-metrics - port: 8080 + port: 8000 targetPort: http-metrics protocol: TCP - name: https-webhook - port: 443 + port: 8443 targetPort: https-webhook protocol: TCP selector: 
@@ -1449,10 +1504,10 @@ metadata: name: karpenter namespace: kube-system labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm spec: replicas: {{ ControlPlaneControllerReplicas false }} @@ -1472,12 +1527,27 @@ spec: spec: serviceAccountName: karpenter securityContext: - fsGroup: 1000 + fsGroup: 65536 + runAsUser: 65536 + runAsGroup: 65536 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault priorityClassName: "system-cluster-critical" + {{ if not IsIPv6Only }} + dnsPolicy: Default + {{ else }} # Must use ClusterFirst on IPv6 clusters in order to get DNS64 dnsPolicy: ClusterFirst + {{ end }} containers: - name: controller + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true image: {{ .Karpenter.Image }} imagePullPolicy: IfNotPresent env: @@ -1520,6 +1590,7 @@ spec: path: /healthz port: http readinessProbe: + initialDelaySeconds: 5 timeoutSeconds: 30 httpGet: path: /readyz @@ -1570,13 +1641,6 @@ spec: maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - app.kubernetes.io/instance: karpenter - app.kubernetes.io/name: karpenter - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule tolerations: - key: node-role.kubernetes.io/master operator: Exists @@ -1591,10 +1655,10 @@ kind: MutatingWebhookConfiguration metadata: name: defaulting.webhook.karpenter.k8s.aws labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm webhooks: - name: defaulting.webhook.karpenter.k8s.aws 
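Review bot: Dropping the `kubernetes.io/hostname` DoNotSchedule spread constraint lets every replica of the controller land on the same control-plane node, because the remaining zone constraint is `ScheduleAnyway` and the replica count comes from `ControlPlaneControllerReplicas false`. If this was done so single-control-plane-node clusters do not leave a replica Pending, say so next to the remaining constraint, e.g. `# No hostname spread: on a single control-plane node it would leave extra replicas Pending.`; otherwise the constraint is worth keeping for a cluster-critical autoscaler. The pod-level `runAsNonRoot`/`seccompProfile` and the container-level `readOnlyRootFilesystem`/drop-ALL settings are good hardening and match the rendered fixture, so no change is needed there.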
@@ -1603,6 +1667,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail sideEffects: None rules: @@ -1634,10 +1699,10 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.karpenter.sh labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm webhooks: - name: validation.webhook.karpenter.sh @@ -1646,6 +1711,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail sideEffects: None rules: @@ -1666,10 +1732,10 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.config.karpenter.sh labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm webhooks: - name: validation.webhook.config.karpenter.sh @@ -1678,12 +1744,12 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail sideEffects: None objectSelector: matchLabels: - app.kubernetes.io/name: karpenter - app.kubernetes.io/instance: karpenter + app.kubernetes.io/part-of: karpenter --- # Source: karpenter/templates/webhooks.yaml apiVersion: admissionregistration.k8s.io/v1 @@ -1691,10 +1757,10 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.karpenter.k8s.aws labels: - helm.sh/chart: karpenter-v0.28.1 + helm.sh/chart: karpenter-v0.30.0 app.kubernetes.io/name: karpenter app.kubernetes.io/instance: karpenter - app.kubernetes.io/version: "0.28.1" + app.kubernetes.io/version: "0.30.0" app.kubernetes.io/managed-by: Helm webhooks: - name: validation.webhook.karpenter.k8s.aws 
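Review bot: The `validation.webhook.config.karpenter.sh` objectSelector now matches only `app.kubernetes.io/part-of: karpenter`, but neither `config-logging` nor `karpenter-global-settings` in this template carries that label — their label blocks (helm.sh/chart, name, instance, version, managed-by) are visible in the earlier hunks, and the kOps-added labels in the rendered fixture do not include it either. As rendered, the config validation webhook matches no ConfigMap, so a bad value in `karpenter-global-settings` would be admitted silently instead of being rejected under `failurePolicy: Fail`. Add `app.kubernetes.io/part-of: karpenter` to the labels of both ConfigMaps (and regenerate the integration fixtures), or restore the previous name/instance selector until the labels are in place. A one-line comment on the selector naming the ConfigMaps it is meant to match would make the coupling visible.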
@@ -1703,6 +1769,7 @@ webhooks: service: name: karpenter namespace: kube-system + port: 8443 failurePolicy: Fail sideEffects: None rules: