diff --git a/README.md b/README.md
index 6044a5df..76f4aa7e 100644
--- a/README.md
+++ b/README.md
@@ -99,7 +99,7 @@ module "eks" {
| [external\_secrets](#module\_external\_secrets) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [gatekeeper](#module\_gatekeeper) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [ingress\_nginx](#module\_ingress\_nginx) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
-| [karpenter](#module\_karpenter) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [karpenter](#module\_karpenter) | ../terraform-aws-eks-blueprints-addon | n/a |
| [karpenter\_sqs](#module\_karpenter\_sqs) | terraform-aws-modules/sqs/aws | 4.0.1 |
| [kube\_prometheus\_stack](#module\_kube\_prometheus\_stack) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| [metrics\_server](#module\_metrics\_server) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
@@ -120,6 +120,7 @@ module "eks" {
| [aws_cloudwatch_event_target.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_log_group.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_cloudwatch_log_group.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_eks_access_entry.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource |
| [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
| [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
| [aws_iam_policy.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -225,6 +226,7 @@ module "eks" {
| [helm\_releases](#input\_helm\_releases) | A map of Helm releases to create. This provides the ability to pass in an arbitrary map of Helm chart definitions to create | `any` | `{}` | no |
| [ingress\_nginx](#input\_ingress\_nginx) | Ingress Nginx add-on configurations | `any` | `{}` | no |
| [karpenter](#input\_karpenter) | Karpenter add-on configuration values | `any` | `{}` | no |
+| [karpenter\_create\_access\_entry](#input\_karpenter\_create\_access\_entry) | Determines whether to create Karpenter Access Entry for Cluster Access Management API. | `bool` | `false` | no |
| [karpenter\_enable\_instance\_profile\_creation](#input\_karpenter\_enable\_instance\_profile\_creation) | Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1) or if Terraform will (v1alpha1) | `bool` | `true` | no |
| [karpenter\_enable\_spot\_termination](#input\_karpenter\_enable\_spot\_termination) | Determines whether to enable native node termination handling | `bool` | `true` | no |
| [karpenter\_node](#input\_karpenter\_node) | Karpenter IAM role and IAM instance profile configuration values | `any` | `{}` | no |
diff --git a/main.tf b/main.tf
index 6b77554f..0358365b 100644
--- a/main.tf
+++ b/main.tf
@@ -2749,7 +2749,7 @@ locals {
input_karpenter_node_instance_profile_name = try(var.karpenter_node.instance_profile_name, local.karpenter_node_iam_role_name)
# This is the name passed to the Karpenter Helm chart - either the profile the module creates, or one provided by the user
output_karpenter_node_instance_profile_name = try(aws_iam_instance_profile.karpenter[0].name, var.karpenter_node.instance_profile_name, "")
- karpenter_namespace = try(var.karpenter.namespace, "karpenter")
+ karpenter_namespace = try(var.karpenter.namespace, "kube-system")
karpenter_set = [
# TODO - remove at next breaking change
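Review bot: Changing the `karpenter_namespace` default from `karpenter` to `kube-system` is a breaking change for every deployment that never set `var.karpenter.namespace`: the `helm_release` namespace is a force-new attribute, so the plan should replace the Karpenter release, leave the old `karpenter` namespace and anything the user placed in it behind, and open a window with no running controller. Nothing in the visible README hunks of this commit documents an upgrade step for it. Please add an upgrade note to the `karpenter` input description or the module docs, and since the context line `# TODO - remove at next breaking change` marks deferred cleanup, confirm whether this commit is that breaking change and whether those items should land with it. The enclosing `locals` block starts before this hunk.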
@@ -3006,6 +3006,21 @@ resource "aws_iam_instance_profile" "karpenter" {
tags = merge(var.tags, try(var.karpenter_node.instance_profile_tags, {}))
}
+resource "aws_eks_access_entry" "node" {
+ count = var.enable_karpenter && var.karpenter_create_access_entry ? 1 : 0
+
+ cluster_name = var.cluster_name
+ principal_arn = local.create_karpenter_node_iam_role ? aws_iam_role.karpenter[0].arn : var.karpenter.node_iam_role_arn
+ type = "EC2_LINUX"
+
+ tags = var.tags
+
+ depends_on = [
+ # If we try to add this too quickly, it fails. So .... we wait
+ module.karpenter_sqs
+ ]
+}
+
module "karpenter" {
source = "aws-ia/eks-blueprints-addon/aws"
version = "1.1.1"
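Review bot: The `principal_arn` fallback reads the existing node role from `var.karpenter.node_iam_role_arn`, while every other node-role and instance-profile setting in view is read from `var.karpenter_node` (`var.karpenter_node.instance_profile_name` on the `input_karpenter_node_instance_profile_name` line, `var.karpenter_node.instance_profile_tags` on the instance profile `tags` line), so a user who supplies an existing node role the way the rest of the module expects would presumably hit an unsupported-attribute error here at plan time; the local that decides `create_karpenter_node_iam_role` is not in view, so please verify the ARN is taken from the same variable and key that local consults. This matters more than usual because an access entry of `type = "EC2_LINUX"` grants node-level cluster access to whatever ARN ends up in this field. Separately, the `depends_on` on `module.karpenter_sqs` with the comment `# If we try to add this too quickly, it fails. So .... we wait` hides an ordering problem behind an unrelated resource; the comment should at least name the error being avoided so the workaround can be revisited. Also note that this commit's README hunk lists the `karpenter` module source as `../terraform-aws-eks-blueprints-addon` with version `n/a`, while `source`/`version` here are still `aws-ia/eks-blueprints-addon/aws` `1.1.1`, which looks like a local development path leaked into the generated docs; the pod identity arguments added in the later `module "karpenter"` hunk must exist in the released version that is actually pinned.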
@@ -3021,7 +3036,7 @@ module "karpenter" {
namespace = local.karpenter_namespace
create_namespace = try(var.karpenter.create_namespace, true)
chart = try(var.karpenter.chart, "karpenter")
- chart_version = try(var.karpenter.chart_version, "0.35.0")
+ chart_version = try(var.karpenter.chart_version, "0.37.0")
repository = try(var.karpenter.repository, "oci://public.ecr.aws/karpenter")
values = try(var.karpenter.values, [])
@@ -3058,6 +3073,12 @@ module "karpenter" {
)
set_sensitive = try(var.karpenter.set_sensitive, [])
+ # Pod Identity
+ enable_pod_identity = try(var.karpenter.enable_pod_identity, false)
+ create_pod_identity_association = try(var.karpenter.create_pod_identity_association, false)
+ cluster_name = var.cluster_name
+ service_account = local.karpenter_service_account_name
+
# IAM role for service account (IRSA)
set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
create_role = try(var.karpenter.create_role, true)
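Review bot: With `enable_pod_identity` switched on, the IRSA path two lines below stays active by default — `create_role = try(var.karpenter.create_role, true)` with `set_irsa_names` presumably still annotating the service account with an OIDC-trusted role — so a cluster on pod identity also carries a second credential path for the same controller; a least-privilege default would tie the two together, `create_role = try(var.karpenter.create_role, !try(var.karpenter.enable_pod_identity, false))`, or the `karpenter` input description should tell users to set `create_role = false` alongside pod identity. The example in tests/complete/main.tf also adds the `eks-pod-identity-agent` cluster addon, which nothing in the module documents as a prerequisite; extending the `# Pod Identity` comment with `# Requires the eks-pod-identity-agent addon on the cluster` would help. Whether the addon module reconciles the IRSA/pod identity overlap internally cannot be confirmed from here, and the `module "karpenter"` block starts before this hunk.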
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index ebd40e92..2529fe6b 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -81,7 +81,8 @@ module "eks_blueprints_addons" {
vpc-cni = {
most_recent = true
}
- kube-proxy = {}
+ kube-proxy = {}
+ eks-pod-identity-agent = {}
adot = {
most_recent = true
service_account_role_arn = module.adot_irsa.iam_role_arn
@@ -162,8 +163,11 @@ module "eks_blueprints_addons" {
enable_karpenter = true
karpenter_enable_instance_profile_creation = true
- # ECR login required
+ karpenter_create_access_entry = true
karpenter = {
+ enable_pod_identity = true
+ create_pod_identity_association = true
+ # ECR login required
repository_username = data.aws_ecrpublic_authorization_token.token.user_name
repository_password = data.aws_ecrpublic_authorization_token.token.password
}
@@ -266,12 +270,17 @@ module "eks" {
instance_type = "m5.large"
min_size = 1
- max_size = 10
+ max_size = 5
desired_size = 1
}
}
- tags = local.tags
+ tags = merge(local.tags, {
+ # NOTE - if creating multiple security groups with this module, only tag the
+ # security group that Karpenter should utilize with the following tag
+ # (i.e. - at most, only one security group should have this tag in your account)
+ "karpenter.sh/discovery" = local.name
+ })
}
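Review bot: `tags = merge(local.tags, { "karpenter.sh/discovery" = local.name })` on the `eks` module applies the discovery tag to every taggable resource the module creates — cluster, node group, IAM roles and, if the module creates both, the cluster and node security groups — which is exactly what the comment above it warns against (at most one security group in the account should carry the tag), so Karpenter's security group selector would presumably match more than one group. The terraform-aws-modules/eks module exposes `node_security_group_tags` for this case; `node_security_group_tags = { "karpenter.sh/discovery" = local.name }` with `tags = local.tags` left unchanged would satisfy the comment. The `module "eks"` block starts before this hunk.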
################################################################################
@@ -298,6 +307,7 @@ module "vpc" {
private_subnet_tags = {
"kubernetes.io/role/internal-elb" = 1
+ "karpenter.sh/discovery" = local.name
}
tags = local.tags
diff --git a/variables.tf b/variables.tf
index 928c8cff..5d4874ac 100644
--- a/variables.tf
+++ b/variables.tf
@@ -454,6 +454,12 @@ variable "karpenter_enable_instance_profile_creation" {
default = true
}
+variable "karpenter_create_access_entry" {
+ description = "Determines whether to create Karpenter Access Entry for Cluster Access Management API."
+ type = bool
+ default = false
+}
+
variable "karpenter_sqs" {
description = "Karpenter SQS queue for native node termination handling configuration values"
type = any
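Review bot: The description of `karpenter_create_access_entry` omits what the flag depends on: the resource is only created when `enable_karpenter` is also true (see its `count`), it is of type `EC2_LINUX`, i.e. node-level cluster access for the Karpenter node role, and creating an access entry fails on clusters whose `authentication_mode` is still `CONFIG_MAP`, where node authorization must continue to come from the aws-auth ConfigMap. Suggest `description = "Determines whether to create an EC2_LINUX Access Entry for the Karpenter node IAM role via the Cluster Access Management API. Requires enable_karpenter = true and a cluster authentication_mode of API or API_AND_CONFIG_MAP; CONFIG_MAP clusters must keep using aws-auth."`. The preceding `karpenter_enable_instance_profile_creation` variable starts before this hunk; the new block is complete.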