Documentation
Overview
Package aws contains the Amazon Web Services (AWS) cloud provider implementation.
This provider is responsible for managing a variety of resources in the AWS cloud. Some of these can pre-exist, others are always created explicitly for a given usercluster. These resources are:
- EC2: VPC
  A VPC must already exist. If the user doesn't specify a VPC, the provider chooses the default VPC for the given AWS account. If the VPC is not found during reconciliation, an error is raised and no further reconciliation can happen.
- EC2: Route Table (RT)
  A usercluster can use its own RT, but if none is given by the user, the default RT for the VPC will be used (shared among many userclusters). KKP never creates or deletes route tables; it only tags them with the cluster tag.
- EC2: Security Group (SG)
  This one can be specified by the user, but is otherwise created automatically. Every usercluster lives in its own SG, and the SG is always tagged with the cluster tag.
- EC2: Subnets
  The AWS CCM requires that all subnets are tagged with the cluster name, as documented in https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.1/deploy/subnet_discovery/. KKP does not create or remove subnets, but tags them, so that multiple userclusters can share the same subnets.
- IAM: Control plane role
  This one can be specified by the user, but is otherwise created automatically. Every usercluster has its own control plane role. If the specified role does not exist, it is created.
- IAM: Worker role & instance profile
  This one can be specified by the user, but is otherwise created automatically. Every usercluster has its own worker role/profile. If the specified profile does not exist, it is created.
During cluster deletion, KKP will try to clean up and remove unneeded resources again. However, if the user specified a given field (e.g. a SG ID), KKP does not remove the resource, assuming it is shared with other userclusters or other things. To keep track of ownership, an owner tag is placed on all resources that KKP creates. The cluster tag for the AWS CCM is also removed, regardless of whether the resource was created by KKP or not.
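The ownership rules above decide what deletion may touch: resources KKP never creates (route tables, subnets) are only untagged, resources the user named in the cloud spec are left in place, and only resources carrying KKP's own owner tag are deleted. The following is an added, self-contained example of that decision logic, not code from the kubermatic package; it assumes the AWS CCM cluster tag key `kubernetes.io/cluster/<name>` (the convention from the subnet discovery documentation linked above), a placeholder owner tag key `kkp-owner` (the overview does not name the real key), and constructed sample resources.

```go
package main

import (
	"fmt"
	"sort"
)

// Tag keys. The cluster tag key follows the AWS CCM convention referenced in the
// package overview; the owner tag key is a placeholder, since the overview only
// says that "an owner tag" is placed on resources KKP creates.
const (
	clusterTagPrefix = "kubernetes.io/cluster/" // AWS CCM cluster tag key prefix
	ownerTagKey      = "kkp-owner"              // placeholder (hypothetical) owner tag key
)

// ResourceKind mirrors the resource types listed in the overview.
type ResourceKind string

const (
	KindRouteTable      ResourceKind = "route-table"
	KindSecurityGroup   ResourceKind = "security-group"
	KindSubnet          ResourceKind = "subnet"
	KindIAMRole         ResourceKind = "iam-role"
	KindInstanceProfile ResourceKind = "instance-profile"
)

// Resource is a constructed, minimal view of one AWS resource: only what the
// cleanup decision needs, independent of the AWS SDK types.
type Resource struct {
	Kind          ResourceKind
	ID            string
	UserSpecified bool              // the cluster spec named this resource explicitly
	Tags          map[string]string // tags currently on the resource
}

// Action is the cleanup decision for a single resource.
type Action struct {
	Delete     bool     // only when KKP created the resource and the user did not specify it
	RemoveTags []string // tag keys to strip; always includes the CCM cluster tag when present
}

// canBeCreatedByKKP reports whether KKP ever creates this kind of resource.
// Route tables and subnets are only ever tagged, never created or deleted.
func canBeCreatedByKKP(kind ResourceKind) bool {
	switch kind {
	case KindSecurityGroup, KindIAMRole, KindInstanceProfile:
		return true
	default:
		return false
	}
}

// PlanCleanup returns, keyed by resource ID, what cleanup should do for the
// cluster named clusterName. The rules restate the overview:
//   - the CCM cluster tag is removed whoever created the resource;
//   - a resource is deleted only if KKP can have created it, its owner tag names
//     this cluster, and the user did not specify it in the cloud spec.
func PlanCleanup(clusterName string, resources []Resource) (map[string]Action, error) {
	if clusterName == "" {
		return nil, fmt.Errorf("cluster name must not be empty")
	}
	clusterTag := clusterTagPrefix + clusterName
	plan := make(map[string]Action, len(resources))
	for _, r := range resources {
		if _, dup := plan[r.ID]; dup {
			return nil, fmt.Errorf("duplicate resource ID %q", r.ID)
		}
		var a Action
		if _, tagged := r.Tags[clusterTag]; tagged {
			a.RemoveTags = append(a.RemoveTags, clusterTag)
		}
		owned := r.Tags[ownerTagKey] == clusterName
		if canBeCreatedByKKP(r.Kind) && owned && !r.UserSpecified {
			a.Delete = true
			a.RemoveTags = nil // deleting the resource removes its tags with it
		}
		plan[r.ID] = a
	}
	return plan, nil
}

// SampleResources is a constructed inventory for a cluster named "c1".
func SampleResources() []Resource {
	ct := clusterTagPrefix + "c1"
	return []Resource{
		{Kind: KindSecurityGroup, ID: "sg-own", Tags: map[string]string{ct: "shared", ownerTagKey: "c1"}},
		{Kind: KindSecurityGroup, ID: "sg-user", UserSpecified: true, Tags: map[string]string{ct: "shared"}},
		{Kind: KindSubnet, ID: "subnet-1", Tags: map[string]string{ct: "shared"}},
		{Kind: KindRouteTable, ID: "rtb-default", Tags: map[string]string{ct: "shared"}},
		{Kind: KindIAMRole, ID: "role-c1", Tags: map[string]string{ownerTagKey: "c1"}},
		{Kind: KindIAMRole, ID: "role-other", UserSpecified: true, Tags: map[string]string{ownerTagKey: "c2"}},
	}
}

func main() {
	plan, err := PlanCleanup("c1", SampleResources())
	if err != nil {
		panic(err)
	}
	ids := make([]string, 0, len(plan))
	for id := range plan {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		fmt.Printf("%-12s delete=%-5v removeTags=%v\n", id, plan[id].Delete, plan[id].RemoveTags)
	}
}
```

The check that matters for safety is the conjunction in `PlanCleanup`: a matching owner tag alone is not enough to delete, and neither is the resource being of a kind KKP creates; a user-specified security group keeps existing even when it happens to carry KKP's owner tag, which is the conservative reading of "KKP does not remove the resource".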
Index
- func GetCredentialsForCluster(cloud kubermaticv1.CloudSpec, ...) (accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID string, ...)
- func GetSecurityGroups(...) ([]*ec2.SecurityGroup, error)
- func GetSubnets(...) ([]*ec2.Subnet, error)
- func GetVPCS(...) ([]*ec2.Vpc, error)
- func ValidateCredentials(accessKeyID, secretAccessKey string) error
- type AmazonEC2
- func (a *AmazonEC2) CleanUpCloudProvider(cluster *kubermaticv1.Cluster, updater provider.ClusterUpdater) (*kubermaticv1.Cluster, error)
- func (a *AmazonEC2) DefaultCloudSpec(spec *kubermaticv1.CloudSpec) error
- func (a *AmazonEC2) InitializeCloudProvider(cluster *kubermaticv1.Cluster, update provider.ClusterUpdater) (*kubermaticv1.Cluster, error)
- func (a *AmazonEC2) ReconcileCluster(cluster *kubermaticv1.Cluster, update provider.ClusterUpdater) (*kubermaticv1.Cluster, error)
- func (a *AmazonEC2) ValidateCloudSpec(spec kubermaticv1.CloudSpec) error
- func (a *AmazonEC2) ValidateCloudSpecUpdate(oldSpec kubermaticv1.CloudSpec, newSpec kubermaticv1.CloudSpec) error
- type ClientSet
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetCredentialsForCluster
func GetCredentialsForCluster(cloud kubermaticv1.CloudSpec, secretKeySelector provider.SecretKeySelectorValueFunc) (accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID string, err error)
GetCredentialsForCluster returns the credentials for the passed in cloud spec or an error.
func GetSecurityGroups (added in v2.16.3)
func GetSecurityGroups(accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region, vpc string) ([]*ec2.SecurityGroup, error)
GetSecurityGroups returns the list of AWS Security Groups.
func GetSubnets
func GetSubnets(accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region, vpcID string) ([]*ec2.Subnet, error)
GetSubnets returns the list of subnets for a selected AWS VPC.
func GetVPCS
func GetVPCS(accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region string) ([]*ec2.Vpc, error)
GetVPCS returns the list of AWS VPCs.
func ValidateCredentials (added in v2.20.0)
func ValidateCredentials(accessKeyID, secretAccessKey string) error
Types
type AmazonEC2
type AmazonEC2 struct {
// contains filtered or unexported fields
}
func NewCloudProvider
func NewCloudProvider(dc *kubermaticv1.Datacenter, secretKeyGetter provider.SecretKeySelectorValueFunc) (*AmazonEC2, error)
NewCloudProvider returns a new AmazonEC2 provider.
func (*AmazonEC2) CleanUpCloudProvider
func (a *AmazonEC2) CleanUpCloudProvider(cluster *kubermaticv1.Cluster, updater provider.ClusterUpdater) (*kubermaticv1.Cluster, error)
func (*AmazonEC2) DefaultCloudSpec
func (a *AmazonEC2) DefaultCloudSpec(spec *kubermaticv1.CloudSpec) error
func (*AmazonEC2) InitializeCloudProvider
func (a *AmazonEC2) InitializeCloudProvider(cluster *kubermaticv1.Cluster, update provider.ClusterUpdater) (*kubermaticv1.Cluster, error)
func (*AmazonEC2) ReconcileCluster (added in v2.19.0)
func (a *AmazonEC2) ReconcileCluster(cluster *kubermaticv1.Cluster, update provider.ClusterUpdater) (*kubermaticv1.Cluster, error)
func (*AmazonEC2) ValidateCloudSpec
func (a *AmazonEC2) ValidateCloudSpec(spec kubermaticv1.CloudSpec) error
ValidateCloudSpec validates the fields that the user can override while creating a cluster. Only the resources that must pre-exist in the AWS account (i.e. the security group and VPC) are checked, because the others (like the route table) are created if they do not yet exist or are not explicitly specified. TL;DR: This validation does not need to be extended to cover more than VPC and SG.
func (*AmazonEC2) ValidateCloudSpecUpdate
func (a *AmazonEC2) ValidateCloudSpecUpdate(oldSpec kubermaticv1.CloudSpec, newSpec kubermaticv1.CloudSpec) error
ValidateCloudSpecUpdate verifies whether an update of the cloud spec is valid and permitted.