Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(eks): connect all custom resources to the cluster VPC #10200

Merged
merged 13 commits into from
Dec 21, 2020

Conversation

iliapolo
Copy link
Contributor

@iliapolo iliapolo commented Sep 5, 2020

Allow all our lambda handlers to be provisioned inside the cluster VPC.

The KubectlProvider handlers were already placed inside the VPC is they could have, the missing was to include the ClusterHandler. This is now possible via the placeClusterHandlerInVpc (names are welcome) property.

Default value remains false because if the VPC happens to be isolated (i.e no outbound internet access) this would break the deployment. (See #12171)

Closes #9509


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@mergify
Copy link
Contributor

mergify bot commented Sep 5, 2020

Title does not follow the guidelines of Conventional Commits. Please adjust title before merge.

@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Sep 5, 2020
@oleksii-boiko-ua
Copy link

is it possible to add ability to define proxy for lambda functions as aws doesn't have vpc endpoints for api's, for example to reach eks api from private network?

@iliapolo
Copy link
Contributor Author

iliapolo commented Sep 7, 2020

@alexey-boyko Yes it will be possible

@oleksii-boiko-ua
Copy link

@alexey-boyko Yes it will be possible

cool thanks, ping me if you need me to test

@oleksii-boiko-ua
Copy link

@iliapolo hello, any plans to merge it this year?

@iliapolo
Copy link
Contributor Author

@alexey-boyko Yes it is on our roadmap for this quarter.

@gitpod-io
Copy link

gitpod-io bot commented Dec 13, 2020

@iliapolo iliapolo force-pushed the epolon/eks-vpc-all-functions branch from 84a0b92 to 18716b0 Compare December 13, 2020 20:17
@@ -97,6 +97,8 @@ export class KubectlProvider extends NestedStack {

const provider = new cr.Provider(this, 'Provider', {
onEventHandler: handler,
vpc: cluster.kubectlPrivateSubnets ? cluster.vpc : undefined,
Copy link
Contributor Author

@iliapolo iliapolo Dec 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't related to the placeClusterHandlerInVpc property. But seems like we should have done this when we introduced private endpoints, consolidating all the related functions into the same network.

const CLUSTER_VERSION = eks.KubernetesVersion.V1_18;


class EksAllHandlersInVpcStack extends TestStack {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reluctantly, adding another integ test because this property affects the cluster deployment and operation.

@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Dec 21, 2020
@iliapolo iliapolo marked this pull request as ready for review December 21, 2020 11:27
@iliapolo iliapolo requested a review from eladb December 21, 2020 11:35
*
* @default false
*/
readonly placeClusterHandlerInVpc?: boolean;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would make sense to use a similar prefix:

Suggested change
readonly placeClusterHandlerInVpc?: boolean;
readonly clusterHandlerVpc?: boolean;

@@ -459,7 +460,18 @@ If the endpoint does not expose private access (via `EndpointAccess.PUBLIC`) **o

#### Cluster Handler

The `ClusterHandler` is a Lambda function responsible to interact the EKS API in order to control the cluster lifecycle. At the moment, this function cannot be provisioned inside the VPC. See [Attach all Lambda Function to a VPC](https://github.com/aws/aws-cdk/issues/9509) for more details.
The `ClusterHandler` is a Lambda function responsible to interact with the EKS API in order to control the cluster lifecycle. To provision this function inside the VPC, set the `placeClusterHandlerInVpc` property to `true`. This will place the function inside the private subnets of the VPC based on the selection strategy specified in the [`vpcSubnets`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-eks.Cluster.html#vpcsubnetsspan-classapi-icon-api-icon-experimental-titlethis-api-element-is-experimental-it-may-change-without-noticespan) property.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about the kubectl handler?

@eladb
Copy link
Contributor

eladb commented Dec 21, 2020

Okay now just saw the PR description

@mergify
Copy link
Contributor

mergify bot commented Dec 21, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 9407f5e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Dec 21, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit eaa8222 into master Dec 21, 2020
@mergify mergify bot deleted the epolon/eks-vpc-all-functions branch December 21, 2020 19:04
flochaz pushed a commit to flochaz/aws-cdk that referenced this pull request Jan 5, 2021
Allow all our lambda handlers to be provisioned inside the cluster VPC.

The `KubectlProvider` handlers were already placed inside the VPC is they could have, the missing was to include the `ClusterHandler`. This is now possible via the `placeClusterHandlerInVpc` (names are welcome) property.

Default value remains `false` because if the VPC happens to be isolated (i.e no outbound internet access) this would break the deployment. (See aws#12171)

Closes aws#9509 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mergify bot pushed a commit that referenced this pull request Feb 21, 2021
Following #10200, our `KubectlProvider` functions are now provisioned inside a VPC when applicable. A somewhat unintended side effect is that the provider framework will **create** and use a dedicated security group for its functions. 

This can violate organizational policies that don't allow CDK to create security groups. We can easily avoid this by simply reusing the `kubectlSecurityGroup`, which must be defined in this case, and passing it to the provider. 

Fixes #12952

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
eladb pushed a commit that referenced this pull request Feb 22, 2021
Following #10200, our `KubectlProvider` functions are now provisioned inside a VPC when applicable. A somewhat unintended side effect is that the provider framework will **create** and use a dedicated security group for its functions. 

This can violate organizational policies that don't allow CDK to create security groups. We can easily avoid this by simply reusing the `kubectlSecurityGroup`, which must be defined in this case, and passing it to the provider. 

Fixes #12952

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service contribution/core This is a PR that came from AWS.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[aws-eks] Construct Library custom resources can't be used within vpc
4 participants