upbound/configuration-aws-eks@v0.13.1
pat.xeks.aws.platform.upbound.io

Type

Composition

Referenced XRD

XEKS

Source Code: github.com/upbound/configuration-aws-eks
# Crossplane Composition that satisfies the XEKS composite type with an EKS
# cluster on AWS. It runs in Pipeline mode; the steps are listed under
# spec.pipeline.
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
  name: pat.xeks.aws.platform.upbound.io
  creationTimestamp: null
  labels:
    function: patch-and-transform
    provider: aws
spec:
  # The composite resource kind this Composition can be selected for.
  compositeTypeRef:
    apiVersion: aws.platform.upbound.io/v1alpha1
    kind: XEKS
  mode: Pipeline
  pipeline:
    # Step 1: render every composed resource from the templates under
    # input.resources.
    - step: patch-and-transform
      functionRef:
        name: crossplane-contrib-function-patch-and-transform
      input:
        apiVersion: pt.fn.crossplane.io/v1beta1
        kind: Resources
        # Reusable patches; a resource opts in with `type: PatchSet`.
        patchSets:
          # Copies the caller-supplied ProviderConfig name onto the resource.
          # NOTE(review): the ProviderConfig decides which credentials the
          # provider uses, so whoever can set
          # spec.parameters.providerConfigName picks that identity. Presumably
          # the XRD (not shown here) constrains the value - verify.
          - name: providerConfigRef
            patches:
              - fromFieldPath: spec.parameters.providerConfigName
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
          # Passes the XR's deletionPolicy through unchanged to the resource.
          - name: deletionPolicy
            patches:
              - fromFieldPath: spec.parameters.deletionPolicy
                toFieldPath: spec.deletionPolicy
                type: FromCompositeFieldPath
          # Passes the XR's region through; only resources that reference this
          # set receive a region.
          - name: region
            patches:
              - fromFieldPath: spec.parameters.region
                toFieldPath: spec.forProvider.region
                type: FromCompositeFieldPath
        resources:
          # IAM role for the EKS control plane. The `role: controlplane` label
          # is what the Cluster's roleArnSelector matches on.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: Role
              metadata:
                labels:
                  role: controlplane
              spec:
                forProvider:
                  # Trust policy: only the eks.amazonaws.com service principal
                  # may assume this role.
                  # NOTE(review): the statement has no Condition block, so it
                  # is not scoped to a particular cluster or account (for
                  # example via aws:SourceArn / aws:SourceAccount). Decide
                  # whether that confused-deputy guard is wanted here.
                  assumeRolePolicy: |
                    {
                      "Version": "2012-10-17",
                      "Statement": [
                          {
                              "Effect": "Allow",
                              "Principal": {
                                  "Service": [
                                      "eks.amazonaws.com"
                                  ]
                              },
                              "Action": [
                                  "sts:AssumeRole"
                              ]
                          }
                      ]
                    }
                  # Presumably lets the role be deleted while policies are
                  # still attached - confirm against the provider docs.
                  forceDetachPolicies: true
                  # Single AWS-managed policy; no inline or customer-managed
                  # policies are attached.
                  managedPolicyArns:
                    - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
            name: controlplaneRole
            # No region patch set is applied to this role.
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          # The EKS cluster itself. Its IAM role is resolved by selector
          # (role: controlplane, same controller) rather than by ARN.
          # NOTE(review): the base sets neither encryptionConfig (envelope
          # encryption of Kubernetes Secrets) nor enabledClusterLogTypes
          # (control-plane audit/API logs), and no patch fills them in.
          # Confirm that is acceptable for the environments using this.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta2
              kind: Cluster
              spec:
                forProvider:
                  accessConfig:
                    # API mode: cluster access is governed by EKS access
                    # entries (see accessEntry / accessPolicyAssociation).
                    authenticationMode: API
                    # NOTE(review): the IAM identity that creates the cluster
                    # (here, whatever the ProviderConfig authenticates as) is
                    # granted cluster-admin. That makes the provider's
                    # credentials a standing admin path into every cluster
                    # built from this Composition.
                    bootstrapClusterCreatorAdminPermissions: true
                  roleArnSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: controlplane
                  vpcConfig:
                    endpointPrivateAccess: true
                    # NOTE(review): the public API endpoint is enabled and no
                    # publicAccessCidrs allow-list is set or patched, so the
                    # endpoint is presumably reachable from any address
                    # (authentication is still required). Consider a CIDR
                    # allow-list or a private-only endpoint.
                    endpointPublicAccess: true
                    # Subnets are picked by label; the network-id label is
                    # added by a patch below.
                    subnetIdSelector:
                      matchLabels:
                        access: public
            name: kubernetesCluster
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              # Narrow the subnet selector to the network identified by
              # spec.parameters.id.
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.vpcConfig.subnetIdSelector.matchLabels[networks.aws.platform.upbound.io/network-id]
                type: FromCompositeFieldPath
              # Kubernetes version comes straight from the XR.
              - fromFieldPath: spec.parameters.version
                toFieldPath: spec.forProvider.version
                type: FromCompositeFieldPath
              # Publish the AWS account ID on the XR status: capture group 1
              # of the regexp is the digit run in the observed role ARN.
              - fromFieldPath: status.atProvider.roleArn
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.accountId
                transforms:
                  - string:
                      regexp:
                        group: 1
                        match: arn:aws:iam::(\d+):.*
                      type: Regexp
                    type: string
                type: ToCompositeFieldPath
              # Publish the EKS-created cluster security group ID; the
              # clusterSecurityGroupImport resource reads it back.
              - fromFieldPath: status.atProvider.vpcConfig.clusterSecurityGroupId
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.clusterSecurityGroupId
                type: ToCompositeFieldPath
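          # SecurityGroup with an empty spec whose external-name is set to the
          # cluster security group ID published on the XR status. Judging by
          # the resource name, the intent is to bring the EKS-created group
          # under Crossplane management rather than to create a new one.
          # NOTE(review): the deletionPolicy patch set applies here too, so
          # confirm what should happen to the imported group on teardown.
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: SecurityGroup
            name: clusterSecurityGroupImport
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              # Required: the patch cannot be applied until the Cluster has
              # reported its security group ID.
              - fromFieldPath: status.eks.clusterSecurityGroupId
                policy:
                  fromFieldPath: Required
                toFieldPath: metadata.annotations[crossplane.io/external-name]
                type: FromCompositeFieldPath
              # Tag the group with the XR's id. The patch type is stated
              # explicitly, as on every other patch in this file.
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.tags[eks.aws.platform.upbound.io/discovery]
                type: FromCompositeFieldPath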
          # ClusterAuth for the cluster owned by the same XR. Its connection
          # secret carries a kubeconfig, which is also surfaced as the
          # `kubeconfig` key of the XR's own connection details.
          # NOTE(review): this kubeconfig presumably authenticates as the
          # provider's AWS identity, which
          # bootstrapClusterCreatorAdminPermissions makes a cluster admin.
          # Treat read access to the Secret below as cluster-admin access and
          # restrict Secret RBAC in that namespace accordingly.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: ClusterAuth
              spec:
                forProvider:
                  clusterNameSelector:
                    matchControllerRef: true
            connectionDetails:
              - fromConnectionSecretKey: kubeconfig
                name: kubeconfig
                type: FromConnectionSecretKey
            name: kubernetesClusterAuth
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              # The Secret goes into the same namespace as the XR's own
              # connection secret.
              - fromFieldPath: spec.writeConnectionSecretToRef.namespace
                toFieldPath: spec.writeConnectionSecretToRef.namespace
                type: FromCompositeFieldPath
              # The Secret name is "<XR uid>-ekscluster"; the two
              # ProviderConfig resources rebuild the same name to find it.
              - fromFieldPath: metadata.uid
                toFieldPath: spec.writeConnectionSecretToRef.name
                transforms:
                  - string:
                      fmt: "%s-ekscluster"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
          # IAM role for the worker nodes. The `role: nodegroup` label is what
          # the NodeGroup's nodeRoleArnSelector matches on.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: Role
              metadata:
                labels:
                  role: nodegroup
              spec:
                forProvider:
                  # Trust policy: only the ec2.amazonaws.com service principal
                  # may assume this role.
                  assumeRolePolicy: |
                    {
                      "Version": "2012-10-17",
                      "Statement": [
                          {
                              "Effect": "Allow",
                              "Principal": {
                                  "Service": [
                                      "ec2.amazonaws.com"
                                  ]
                              },
                              "Action": [
                                  "sts:AssumeRole"
                              ]
                          }
                      ]
                    }
                  # Presumably lets the role be deleted while policies are
                  # still attached - confirm against the provider docs.
                  forceDetachPolicies: true
                  # NOTE(review): the CNI and EBS CSI driver policies sit on
                  # the node role itself, so any workload that can obtain the
                  # node's instance credentials inherits them as well. This
                  # Composition also installs eks-pod-identity-agent; consider
                  # moving those two policies to roles bound to the add-ons'
                  # service accounts and leaving the node role with
                  # worker-node and ECR read-only permissions.
                  managedPolicyArns:
                    - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
                    - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
                    - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
                    - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
            name: nodegroupRole
            # No region patch set is applied to this role.
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              # Publish the role ARN on the XR status.
              - fromFieldPath: status.atProvider.arn
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.nodeGroupRoleArn
                type: ToCompositeFieldPath
          # Managed node group for the cluster owned by the same XR.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta2
              kind: NodeGroup
              spec:
                forProvider:
                  clusterNameSelector:
                    matchControllerRef: true
                  # Default instance type; overwritten by the
                  # spec.parameters.nodes.instanceType patch below.
                  instanceTypes:
                    - t3.medium
                  nodeRoleArnSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: nodegroup
                  # NOTE(review): the 1..100 bounds are fixed here and no
                  # parameter patches them; confirm the ceiling of 100 nodes
                  # is intended from a cost and blast-radius standpoint.
                  scalingConfig:
                    maxSize: 100
                    minSize: 1
                  # NOTE(review): nodes are placed in subnets labelled
                  # access: public. Whether they receive public IPs depends on
                  # subnet settings not visible in this file; private subnets
                  # are the more conservative default for worker nodes.
                  subnetIdSelector:
                    matchLabels:
                      access: public
            name: nodeGroupPublic
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              # desiredSize is written under initProvider rather than
              # forProvider - presumably so it only seeds the initial size and
              # later scaling is not reverted; confirm.
              - fromFieldPath: spec.parameters.nodes.count
                toFieldPath: spec.initProvider.scalingConfig.desiredSize
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.nodes.instanceType
                toFieldPath: spec.forProvider.instanceTypes[0]
                type: FromCompositeFieldPath
              # Narrow the subnet selector to the network identified by
              # spec.parameters.id.
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.subnetIdSelector.matchLabels[networks.aws.platform.upbound.io/network-id]
                type: FromCompositeFieldPath
              # Publish the observed cluster name on the XR status.
              - fromFieldPath: status.atProvider.clusterName
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.clusterName
                type: ToCompositeFieldPath
          # EKS add-on: EBS CSI driver.
          # NOTE(review): no addonVersion is set, so the installed version is
          # whatever EKS selects at creation time; pin it if reproducible
          # builds matter. No serviceAccountRoleArn is set either, so the
          # driver presumably relies on the node role's
          # AmazonEBSCSIDriverPolicy.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: Addon
              spec:
                forProvider:
                  addonName: aws-ebs-csi-driver
                  clusterNameSelector:
                    matchControllerRef: true
            name: aws-ebs-csi-driver-addon
            patches:
              # The managed resource is named "<XR name>-ebs-csi-addon".
              - fromFieldPath: metadata.name
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-ebs-csi-addon"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
          # EKS add-on: Pod Identity agent.
          # NOTE(review): no addonVersion is set, so the installed version is
          # whatever EKS selects at creation time.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: Addon
              spec:
                forProvider:
                  addonName: eks-pod-identity-agent
                  clusterNameSelector:
                    matchControllerRef: true
            name: eks-pod-identity-agent-addon
            patches:
              # The managed resource is named "<XR name>-pod-identity-addon".
              - fromFieldPath: metadata.name
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-pod-identity-addon"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
          # EKS add-on: VPC CNI. The sequencer step creates it after the
          # ClusterAuth and before the node group.
          # NOTE(review): no addonVersion is set, so the installed version is
          # whatever EKS selects at creation time.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: Addon
              spec:
                forProvider:
                  addonName: vpc-cni
                  clusterNameSelector:
                    matchControllerRef: true
                  # JSON passed to the add-on as a string; it sets the
                  # AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG env var to "false".
                  configurationValues: '{"env": {"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG":"false"}}'
                  # Presumably: do not leave the add-on's resources behind in
                  # the cluster when the Addon is deleted - confirm.
                  preserve: false
            name: vpc-cni-addon
            patches:
              # The managed resource is named "<XR name>-cni-addon".
              - fromFieldPath: metadata.name
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-cni-addon"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
          # EKS access entry for an additional IAM principal. The
          # filter-composed-resources step has a filter on this resource keyed
          # on spec.parameters.iam.principalArn.
          # NOTE(review): the ARN is copied verbatim from the XR, and the
          # accessPolicyAssociation resource then grants that principal the
          # cluster-admin access policy. Anyone allowed to set this parameter
          # can therefore nominate a cluster admin; constrain it in the XRD or
          # by admission policy if callers are not fully trusted.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: AccessEntry
              spec:
                forProvider:
                  clusterNameSelector:
                    matchControllerRef: true
                  type: STANDARD
            name: accessEntry
            patches:
              - fromFieldPath: spec.parameters.iam.principalArn
                toFieldPath: spec.forProvider.principalArn
                type: FromCompositeFieldPath
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
          # Associates an EKS access policy with the principal of the
          # AccessEntry owned by the same XR (principalArnSelector uses
          # matchControllerRef).
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: AccessPolicyAssociation
              spec:
                forProvider:
                  # NOTE(review): cluster scope combined with
                  # AmazonEKSClusterAdminPolicy is full admin over the whole
                  # cluster, and neither value is exposed as a parameter.
                  # Consider a narrower policy or namespace scope where the
                  # principal does not need full admin.
                  accessScope:
                    type: cluster
                  clusterNameSelector:
                    matchControllerRef: true
                  policyArn: arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy
                  principalArnSelector:
                    matchControllerRef: true
            name: accessPolicyAssociation
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
          # ProviderConfig for provider-helm, pointing at the new cluster. It
          # reads the `kubeconfig` key of the "<XR uid>-ekscluster" Secret
          # written by kubernetesClusterAuth.
          # NOTE(review): the object is named after spec.parameters.id and no
          # namespace is set, so two XRs with the same id would target the
          # same ProviderConfig. Any Release that may reference this
          # ProviderConfig acts with that kubeconfig; control who can create
          # such resources.
          - base:
              apiVersion: helm.crossplane.io/v1beta1
              kind: ProviderConfig
              spec:
                credentials:
                  secretRef:
                    key: kubeconfig
                  source: Secret
            name: providerConfig-helm
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                type: FromCompositeFieldPath
              - fromFieldPath: spec.writeConnectionSecretToRef.namespace
                toFieldPath: spec.credentials.secretRef.namespace
                type: FromCompositeFieldPath
              # Must produce the same name as the ClusterAuth's
              # writeConnectionSecretToRef.name patch.
              - fromFieldPath: metadata.uid
                toFieldPath: spec.credentials.secretRef.name
                transforms:
                  - string:
                      fmt: "%s-ekscluster"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
            # No readiness check is applied to this resource.
            readinessChecks:
              - type: None
          # ProviderConfig for provider-kubernetes, pointing at the new
          # cluster. It reads the `kubeconfig` key of the
          # "<XR uid>-ekscluster" Secret written by kubernetesClusterAuth.
          # NOTE(review): the object is named after spec.parameters.id and no
          # namespace is set, so two XRs with the same id would target the
          # same ProviderConfig. Any Object that may reference this
          # ProviderConfig acts with that kubeconfig; control who can create
          # such resources.
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha1
              kind: ProviderConfig
              spec:
                credentials:
                  secretRef:
                    key: kubeconfig
                  source: Secret
            name: providerConfig-kubernetes
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                type: FromCompositeFieldPath
              - fromFieldPath: spec.writeConnectionSecretToRef.namespace
                toFieldPath: spec.credentials.secretRef.namespace
                type: FromCompositeFieldPath
              # Must produce the same name as the ClusterAuth's
              # writeConnectionSecretToRef.name patch.
              - fromFieldPath: metadata.uid
                toFieldPath: spec.credentials.secretRef.name
                transforms:
                  - string:
                      fmt: "%s-ekscluster"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
            # No readiness check is applied to this resource.
            readinessChecks:
              - type: None
    # Step 2: CEL filters for the two access-management resources. Both
    # expressions are true only when the observed XR has
    # spec.parameters.iam.principalArn.
    # NOTE(review): presumably a resource is kept when its expression is true
    # and dropped otherwise, since an AccessEntry needs a principalArn;
    # confirm against function-cel-filter's semantics.
    - step: filter-composed-resources
      functionRef:
        name: crossplane-contrib-function-cel-filter
      input:
        apiVersion: cel.fn.crossplane.io/v1beta1
        filters:
          - expression: |
              "iam" in observed.composite.resource.spec.parameters &&
              "principalArn" in observed.composite.resource.spec.parameters.iam
            name: accessEntry
          - expression: |
              "iam" in observed.composite.resource.spec.parameters &&
              "principalArn" in observed.composite.resource.spec.parameters.iam
            name: accessPolicyAssociation
        kind: Filters
    # Step 3: ordering rules. Each list is an ordered chain; presumably a
    # resource is held back until the one before it is ready (confirm against
    # function-sequencer). Resources named in no rule are not ordered by this
    # step.
    - step: sequence-creation
      functionRef:
        name: crossplane-contrib-function-sequencer
      input:
        apiVersion: sequencer.fn.crossplane.io/v1beta1
        kind: Input
        rules:
          # cluster -> kubeconfig -> VPC CNI add-on -> node group
          - sequence:
              - kubernetesCluster
              - kubernetesClusterAuth
              - vpc-cni-addon
              - nodeGroupPublic
          # The remaining add-ons wait for the node group.
          - sequence:
              - nodeGroupPublic
              - aws-ebs-csi-driver-addon
          - sequence:
              - nodeGroupPublic
              - eks-pod-identity-agent-addon
  # Namespace for connection secrets written via this Composition.
  # NOTE(review): presumably this is also where the "<XR uid>-ekscluster"
  # kubeconfig Secret ends up. If so, read access to Secrets in upbound-system
  # amounts to access to every cluster built from this Composition; keep RBAC
  # on that namespace tight.
  writeConnectionSecretsToNamespace: upbound-system