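---
# Crossplane Composition backing the XKarpenter composite resource.
# It composes, through function-patch-and-transform:
#   - an IAM role + instance profile for the EC2 nodes, with the managed EKS
#     node policies attached
#   - an XIRSA role for the Karpenter controller service account, carrying the
#     controller IAM policy
#   - an SQS interruption queue, its queue policy, and the EventBridge rules and
#     targets that feed it
#   - the Karpenter Helm release and a default NodePool / EC2NodeClass
# Values flow between the managed resources only via status.karpenter.* fields
# on the composite (see the ToCompositeFieldPath / CombineFromComposite patches).
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
  name: xkarpenters.aws.platform.upbound.io
  creationTimestamp: null
  labels:
    provider: aws
spec:
  compositeTypeRef:
    apiVersion: aws.platform.upbound.io/v1alpha1
    kind: XKarpenter
  mode: Pipeline
  pipeline:
    - step: patch-and-transform
      functionRef:
        name: crossplane-contrib-function-patch-and-transform
      input:
        apiVersion: pt.fn.crossplane.io/v1beta1
        kind: Resources
        # Patch sets shared by the managed resources below.
        patchSets:
          - name: providerConfigRef
            patches:
              - fromFieldPath: spec.parameters.providerConfigName
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
          - name: deletionPolicy
            patches:
              - fromFieldPath: spec.parameters.deletionPolicy
                toFieldPath: spec.deletionPolicy
                type: FromCompositeFieldPath
          - name: region
            patches:
              - fromFieldPath: spec.parameters.region
                toFieldPath: spec.forProvider.region
                type: FromCompositeFieldPath
        resources:
          # Node role: trusted by ec2.amazonaws.com only. Its ARN and the account
          # id parsed out of it are exported to the composite status.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: Role
              metadata:
                labels:
                  role: karpenter
              spec:
                forProvider:
                  assumeRolePolicy: |
                    {
                      "Version": "2012-10-17",
                      "Statement": [
                        {
                          "Effect": "Allow",
                          "Principal": {
                            "Service": [
                              "ec2.amazonaws.com"
                            ]
                          },
                          "Action": [
                            "sts:AssumeRole"
                          ]
                        }
                      ]
                    }
            name: instanceNodeRole
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              # The external name (the IAM role name) is KarpenterNodeRole-<clusterName>.
              - fromFieldPath: spec.parameters.clusterName
                toFieldPath: metadata.annotations[crossplane.io/external-name]
                transforms:
                  - string:
                      fmt: KarpenterNodeRole-%s
                      type: Format
                    type: string
                type: FromCompositeFieldPath
              - fromFieldPath: status.atProvider.arn
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.karpenter.instanceProfileRoleArn
                type: ToCompositeFieldPath
              # Account id = the digits between "::" and ":" in the role ARN.
              - fromFieldPath: status.atProvider.arn
                toFieldPath: status.karpenter.accountId
                transforms:
                  - string:
                      regexp:
                        group: 1
                        match: "::(\\d+):"
                      type: Regexp
                    type: string
                type: ToCompositeFieldPath
          # AWS-managed policies attached to the node role. Each attachment
          # selects the role by the role=karpenter label within this composite.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
                  roleSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: karpenter
            name: instanceNodeRoleEKSPolicy
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
                  roleSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: karpenter
            name: InstanceNodeRoleCNIPolicy
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
                  roleSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: karpenter
            name: instanceNodeRoleECRPolicy
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
                  roleSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: karpenter
            name: instanceNodeRoleSSMPolicy
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          # Instance profile wrapping the node role; its ARN and name are exported
          # for the controller policy and the EC2NodeClass respectively.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: InstanceProfile
              spec:
                forProvider:
                  roleSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: karpenter
            name: instanceProfile
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - fromFieldPath: status.atProvider.arn
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.karpenter.instanceProfileArn
                type: ToCompositeFieldPath
              - fromFieldPath: status.atProvider.id
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.karpenter.instanceProfileName
                type: ToCompositeFieldPath
          # IRSA role for the karpenter/karpenter service account. The controller
          # policy is rendered from the composite's region, cluster name, queue
          # ARN, account id and node role ARN (format arguments %[1]s..%[5]s, in
          # the order of the `variables` list), so it is only written once all of
          # them are present (policy: Required).
          - base:
              apiVersion: aws.platform.upbound.io/v1alpha1
              kind: XIRSA
              spec:
                parameters:
                  condition: StringEquals
                  serviceAccount:
                    name: karpenter
                    namespace: karpenter
            name: IRSA
            patches:
              - fromFieldPath: spec.parameters.providerConfigName
                toFieldPath: spec.parameters.providerConfigName
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.deletionPolicy
                toFieldPath: spec.parameters.deletionPolicy
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-karpenter"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.parameters.id
                type: FromCompositeFieldPath
              - fromFieldPath: status.roleArn
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.karpenter.IRSARoleArn
                type: ToCompositeFieldPath
              - combine:
                  strategy: string
                  string:
                    # Literal block (|) rather than folded (>): the document is
                    # JSON, so line structure is irrelevant to the consumer but
                    # keeps the rendered policy readable, and it matches the
                    # queue policy below.
                    fmt: |
                      {
                        "Version": "2012-10-17",
                        "Statement": [
                          {
                            "Sid": "AllowScopedEC2InstanceActions",
                            "Effect": "Allow",
                            "Resource": [
                              "arn:aws:ec2:%[1]s::image/*",
                              "arn:aws:ec2:%[1]s::snapshot/*",
                              "arn:aws:ec2:%[1]s:*:spot-instances-request/*",
                              "arn:aws:ec2:%[1]s:*:security-group/*",
                              "arn:aws:ec2:%[1]s:*:subnet/*",
                              "arn:aws:ec2:%[1]s:*:launch-template/*"
                            ],
                            "Action": [
                              "ec2:RunInstances",
                              "ec2:CreateFleet"
                            ]
                          },
                          {
                            "Sid": "AllowScopedEC2InstanceActionsWithTags",
                            "Effect": "Allow",
                            "Resource": [
                              "arn:aws:ec2:%[1]s:*:fleet/*",
                              "arn:aws:ec2:%[1]s:*:instance/*",
                              "arn:aws:ec2:%[1]s:*:volume/*",
                              "arn:aws:ec2:%[1]s:*:network-interface/*",
                              "arn:aws:ec2:%[1]s:*:launch-template/*"
                            ],
                            "Action": [
                              "ec2:RunInstances",
                              "ec2:CreateFleet",
                              "ec2:CreateLaunchTemplate"
                            ],
                            "Condition": {
                              "StringEquals": {
                                "aws:RequestTag/kubernetes.io/cluster/%[2]s": "owned"
                              },
                              "StringLike": {
                                "aws:RequestTag/karpenter.sh/nodepool": "*"
                              }
                            }
                          },
                          {
                            "Sid": "AllowScopedResourceCreationTagging",
                            "Effect": "Allow",
                            "Resource": [
                              "arn:aws:ec2:%[1]s:*:fleet/*",
                              "arn:aws:ec2:%[1]s:*:instance/*",
                              "arn:aws:ec2:%[1]s:*:volume/*",
                              "arn:aws:ec2:%[1]s:*:network-interface/*",
                              "arn:aws:ec2:%[1]s:*:launch-template/*"
                            ],
                            "Action": "ec2:CreateTags",
                            "Condition": {
                              "StringEquals": {
                                "aws:RequestTag/kubernetes.io/cluster/%[2]s": "owned",
                                "ec2:CreateAction": [
                                  "RunInstances",
                                  "CreateFleet",
                                  "CreateLaunchTemplate"
                                ]
                              },
                              "StringLike": {
                                "aws:RequestTag/karpenter.sh/nodepool": "*"
                              }
                            }
                          },
                          {
                            "Sid": "AllowScopedResourceTagging",
                            "Effect": "Allow",
                            "Resource": "arn:aws:ec2:%[1]s:*:instance/*",
                            "Action": "ec2:CreateTags",
                            "Condition": {
                              "StringEquals": {
                                "aws:ResourceTag/kubernetes.io/cluster/%[2]s": "owned"
                              },
                              "StringLike": {
                                "aws:ResourceTag/karpenter.sh/nodepool": "*"
                              },
                              "ForAllValues:StringEquals": {
                                "aws:TagKeys": [
                                  "karpenter.sh/nodeclaim",
                                  "Name"
                                ]
                              }
                            }
                          },
                          {
                            "Sid": "AllowScopedDeletion",
                            "Effect": "Allow",
                            "Resource": [
                              "arn:aws:ec2:%[1]s:*:instance/*",
                              "arn:aws:ec2:%[1]s:*:launch-template/*"
                            ],
                            "Action": [
                              "ec2:TerminateInstances",
                              "ec2:DeleteLaunchTemplate"
                            ],
                            "Condition": {
                              "StringEquals": {
                                "aws:ResourceTag/kubernetes.io/cluster/%[2]s": "owned"
                              },
                              "StringLike": {
                                "aws:ResourceTag/karpenter.sh/nodepool": "*"
                              }
                            }
                          },
                          {
                            "Sid": "AllowRegionalReadActions",
                            "Effect": "Allow",
                            "Resource": "*",
                            "Action": [
                              "ec2:DescribeAvailabilityZones",
                              "ec2:DescribeImages",
                              "ec2:DescribeInstances",
                              "ec2:DescribeInstanceTypeOfferings",
                              "ec2:DescribeInstanceTypes",
                              "ec2:DescribeLaunchTemplates",
                              "ec2:DescribeSecurityGroups",
                              "ec2:DescribeSpotPriceHistory",
                              "ec2:DescribeSubnets"
                            ],
                            "Condition": {
                              "StringEquals": {
                                "aws:RequestedRegion": "%[1]s"
                              }
                            }
                          },
                          {
                            "Sid": "AllowSSMReadActions",
                            "Effect": "Allow",
                            "Resource": "arn:aws:ssm:%[1]s::parameter/aws/service/*",
                            "Action": "ssm:GetParameter"
                          },
                          {
                            "Sid": "AllowPricingReadActions",
                            "Effect": "Allow",
                            "Resource": "*",
                            "Action": "pricing:GetProducts"
                          },
                          {
                            "Sid": "AllowInterruptionQueueActions",
                            "Effect": "Allow",
                            "Resource": "%[3]s",
                            "Action": [
                              "sqs:DeleteMessage",
                              "sqs:GetQueueAttributes",
                              "sqs:GetQueueUrl",
                              "sqs:ReceiveMessage"
                            ]
                          },
                          {
                            "Sid": "AllowPassingInstanceRole",
                            "Effect": "Allow",
                            "Resource": "%[5]s",
                            "Action": "iam:PassRole",
                            "Condition": {
                              "StringEquals": {
                                "iam:PassedToService": "ec2.amazonaws.com"
                              }
                            }
                          },
                          {
                            "Sid": "AllowAPIServerEndpointDiscovery",
                            "Effect": "Allow",
                            "Resource": "arn:aws:eks:%[1]s:%[4]s:cluster/%[2]s",
                            "Action": "eks:DescribeCluster"
                          }
                        ]
                      }
                  variables:
                    - fromFieldPath: spec.parameters.region
                    - fromFieldPath: spec.parameters.clusterName
                    - fromFieldPath: status.karpenter.sqsQueueArn
                    - fromFieldPath: status.karpenter.accountId
                    - fromFieldPath: status.karpenter.instanceProfileRoleArn
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.parameters.policyDocument
                type: CombineFromComposite
          # Interruption queue; its ARN and name are exported for the queue
          # policy, the EventBridge targets and the Helm values.
          - base:
              apiVersion: sqs.aws.upbound.io/v1beta1
              kind: Queue
              spec:
                forProvider:
                  messageRetentionSeconds: 300
            name: sqsQueue
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.name
                transforms:
                  - string:
                      fmt: "%s-karpenter"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
              - fromFieldPath: status.atProvider.arn
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.karpenter.sqsQueueArn
                type: ToCompositeFieldPath
              - fromFieldPath: status.atProvider.name
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.karpenter.sqsQueueName
                type: ToCompositeFieldPath
          # Queue policy: only the EventBridge and SQS service principals may
          # send to the queue (%s is the queue ARN). The statement carries a
          # single "Principal" key on purpose; the previous version also had
          # "Principal": "*", and JSON parsers disagree on which duplicate key
          # wins, so the wildcard could have made the queue writable by any
          # AWS principal.
          - base:
              apiVersion: sqs.aws.upbound.io/v1beta1
              kind: QueuePolicy
              spec:
                forProvider:
                  queueUrlSelector:
                    matchControllerRef: true
            name: sqsQueuePolicy
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - combine:
                  strategy: string
                  string:
                    fmt: |
                      {
                        "Version": "2012-10-17",
                        "Statement": [
                          {
                            "Sid": "SqsWrite",
                            "Effect": "Allow",
                            "Action": "sqs:SendMessage",
                            "Resource": "%s",
                            "Principal": {
                              "Service": [
                                "events.amazonaws.com",
                                "sqs.amazonaws.com"
                              ]
                            }
                          }
                        ]
                      }
                  variables:
                    - fromFieldPath: status.karpenter.sqsQueueArn
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.forProvider.policy
                type: CombineFromComposite
          # EventBridge rules on the default bus. Each rule's name and external
          # name are fixed strings (the match transform maps any id to the same
          # result); the type label ties the rule to its Target below.
          - base:
              apiVersion: cloudwatchevents.aws.upbound.io/v1beta1
              kind: Rule
              metadata:
                labels:
                  type: HealthEvent
              spec:
                forProvider:
                  eventBusName: default
                  eventPattern: |
                    {
                      "source": [
                        "aws.health"
                      ],
                      "detail-type": [
                        "AWS Health Event"
                      ]
                    }
            name: ruleHealthEvent
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.annotations[crossplane.io/external-name]
                transforms:
                  - match:
                      fallbackValue: null
                      patterns:
                        - regexp: .*
                          result: healthevent
                          type: regexp
                    type: match
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                transforms:
                  - match:
                      fallbackValue: null
                      patterns:
                        - regexp: .*
                          result: healthevent
                          type: regexp
                    type: match
                type: FromCompositeFieldPath
          - base:
              apiVersion: cloudwatchevents.aws.upbound.io/v1beta1
              kind: Rule
              metadata:
                labels:
                  type: SpotInterrupt
              spec:
                forProvider:
                  eventBusName: default
                  eventPattern: |
                    {
                      "source": [
                        "aws.ec2"
                      ],
                      "detail-type": [
                        "EC2 Spot Instance Interruption Warning"
                      ]
                    }
            name: ruleSpotInterrupt
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.annotations[crossplane.io/external-name]
                transforms:
                  - match:
                      fallbackValue: null
                      patterns:
                        - regexp: .*
                          result: spotinterrupt
                          type: regexp
                    type: match
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                transforms:
                  - match:
                      fallbackValue: null
                      patterns:
                        - regexp: .*
                          result: spotinterrupt
                          type: regexp
                    type: match
                type: FromCompositeFieldPath
          - base:
              apiVersion: cloudwatchevents.aws.upbound.io/v1beta1
              kind: Rule
              metadata:
                labels:
                  type: InstanceRebalance
              spec:
                forProvider:
                  eventBusName: default
                  eventPattern: |
                    {
                      "source": [
                        "aws.ec2"
                      ],
                      "detail-type": [
                        "EC2 Instance Rebalance Recommendation"
                      ]
                    }
            name: ruleInstanceRebalance
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.annotations[crossplane.io/external-name]
                transforms:
                  - match:
                      fallbackValue: null
                      patterns:
                        - regexp: .*
                          result: instancerebalance
                          type: regexp
                    type: match
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                transforms:
                  - match:
                      fallbackValue: null
                      patterns:
                        - regexp: .*
                          result: instancerebalance
                          type: regexp
                    type: match
                type: FromCompositeFieldPath
          - base:
              apiVersion: cloudwatchevents.aws.upbound.io/v1beta1
              kind: Rule
              metadata:
                labels:
                  type: InstanceStateChange
              spec:
                forProvider:
                  eventBusName: default
                  eventPattern: |
                    {
                      "source": [
                        "aws.ec2"
                      ],
                      "detail-type": [
                        "EC2 Instance State-change Notification"
                      ]
                    }
            name: ruleInstanceStateChange
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.annotations[crossplane.io/external-name]
                transforms:
                  - match:
                      fallbackValue: null
                      patterns:
                        - regexp: .*
                          result: instancestatechange
                          type: regexp
                    type: match
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                transforms:
                  - match:
                      fallbackValue: null
                      patterns:
                        - regexp: .*
                          result: instancestatechange
                          type: regexp
                    type: match
                type: FromCompositeFieldPath
          # Targets: every rule above delivers to the interruption queue. The
          # target ARN is Required so the Target is not created before the
          # queue ARN is known.
          - base:
              apiVersion: cloudwatchevents.aws.upbound.io/v1beta1
              kind: Target
              spec:
                forProvider:
                  eventBusName: default
                  ruleSelector:
                    matchControllerRef: true
                    matchLabels:
                      type: HealthEvent
                  targetId: healthevent
            name: ruleHealthEventTarget
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: status.karpenter.sqsQueueArn
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.forProvider.arn
                type: FromCompositeFieldPath
          - base:
              apiVersion: cloudwatchevents.aws.upbound.io/v1beta1
              kind: Target
              spec:
                forProvider:
                  eventBusName: default
                  ruleSelector:
                    matchControllerRef: true
                    matchLabels:
                      type: SpotInterrupt
                  targetId: spotinterrupt
            name: ruleSpotInterruptTarget
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: status.karpenter.sqsQueueArn
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.forProvider.arn
                type: FromCompositeFieldPath
          - base:
              apiVersion: cloudwatchevents.aws.upbound.io/v1beta1
              kind: Target
              spec:
                forProvider:
                  eventBusName: default
                  ruleSelector:
                    matchControllerRef: true
                    matchLabels:
                      type: InstanceRebalance
                  targetId: instancerebalance
            name: ruleInstanceRebalanceTarget
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: status.karpenter.sqsQueueArn
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.forProvider.arn
                type: FromCompositeFieldPath
          - base:
              apiVersion: cloudwatchevents.aws.upbound.io/v1beta1
              kind: Target
              spec:
                forProvider:
                  eventBusName: default
                  ruleSelector:
                    matchControllerRef: true
                    matchLabels:
                      type: InstanceStateChange
                  targetId: instancestatechange
            name: ruleInstanceStateChangeTarget
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: status.karpenter.sqsQueueArn
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.forProvider.arn
                type: FromCompositeFieldPath
          # Karpenter Helm release into the target cluster. The Helm
          # ProviderConfig is named after the composite id; the release is
          # Orphaned on deletion of the composite. IRSA role ARN and queue name
          # are Required, so the chart is not installed until both exist.
          - base:
              apiVersion: helm.crossplane.io/v1beta1
              kind: Release
              spec:
                deletionPolicy: Orphan
                forProvider:
                  chart:
                    name: karpenter
                    repository: oci://public.ecr.aws/karpenter
                    version: v0.33.1
                  namespace: karpenter
            name: karpenterChart
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
              - fromFieldPath: status.karpenter.IRSARoleArn
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.forProvider.values.serviceAccount.annotations[eks.amazonaws.com/role-arn]
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.clusterName
                toFieldPath: spec.forProvider.values.settings.clusterName
                type: FromCompositeFieldPath
              - fromFieldPath: status.karpenter.sqsQueueName
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.forProvider.values.settings.interruptionQueueName
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.annotations[crossplane.io/external-name]
                transforms:
                  - match:
                      fallbackValue: null
                      patterns:
                        - regexp: .*
                          result: karpenter
                          type: regexp
                    type: match
                type: FromCompositeFieldPath
          # Default NodePool applied via provider-kubernetes (Orphaned on delete).
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha1
              kind: Object
              spec:
                deletionPolicy: Orphan
                forProvider:
                  manifest:
                    apiVersion: karpenter.sh/v1beta1
                    kind: NodePool
                    metadata:
                      name: default
                    spec:
                      disruption:
                        consolidationPolicy: WhenUnderutilized
                        expireAfter: 168h
                      limits:
                        cpu: 1000
                        memory: 500Gi
                      template:
                        metadata:
                          labels:
                            intent: apps
                        spec:
                          nodeClassRef:
                            apiVersion: karpenter.k8s.aws/v1beta1
                            kind: EC2NodeClass
                            name: default
                          requirements:
                            - key: karpenter.k8s.aws/instance-category
                              operator: In
                              values:
                                - c
                                - m
                                - r
                                - i
                                - d
                            - key: karpenter.k8s.aws/instance-cpu
                              operator: In
                              values:
                                - "4"
                                - "8"
                                - "16"
                                - "32"
                                - "48"
                                - "64"
                            - key: karpenter.sh/capacity-type
                              operator: In
                              values:
                                - spot
                                - on-demand
                            - key: kubernetes.io/arch
                              operator: In
                              values:
                                - amd64
                                - arm64
            name: karpenterNodePool
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
          # Default EC2NodeClass. Subnet and security group selectors and the
          # discovery tag are keyed on the composite id; the instance profile
          # name comes from the InstanceProfile above and is Required.
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha1
              kind: Object
              spec:
                deletionPolicy: Orphan
                forProvider:
                  manifest:
                    apiVersion: karpenter.k8s.aws/v1beta1
                    kind: EC2NodeClass
                    metadata:
                      name: default
                    spec:
                      amiFamily: AL2
                      tags:
                        KarpenterNodePoolName: default
                        NodeType: default
                        intent: apps
            name: karpenterNodeClass
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.manifest.spec.subnetSelectorTerms[0].tags[networks.aws.platform.upbound.io/network-id]
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.manifest.spec.securityGroupSelectorTerms[0].tags[eks.aws.platform.upbound.io/discovery]
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.manifest.spec.tags[karpenter.sh/discovery]
                type: FromCompositeFieldPath
              - fromFieldPath: status.karpenter.instanceProfileName
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.forProvider.manifest.spec.instanceProfile
                type: FromCompositeFieldPath
  writeConnectionSecretsToNamespace: upbound-system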