Documentation ¶
Overview ¶
Package aws contains the Amazon Web Services (AWS) cloud provider implementation.
This provider is responsible for managing a variety of resources in the AWS cloud, some of which can pre-exist, some are always created explicitly for a given usercluster. These resources are:
EC2: VPC A VPC must already exist. If the user doesn't specify a VPC, the provider chooses the default VPC for the given AWS account. If during reconciliation the VPC is not found, an error is raised and no further reconciliation can happen.
EC2: Route Table (RT) A usercluster can use its own RT, but if none is given by the user, the default RT for the VPC will be used (shared among many userclusters). KKP never creates or deletes route tables, it only tags them with the cluster tag.
EC2: Security Group (SG) This one can be specified by the user, but is otherwise created automatically. Every usercluster lives in its own SG and the SG is always tagged with the cluster tag.
EC2: Subnets The AWS CCM requires that all subnets are tagged with the cluster name, as documented in https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.1/deploy/subnet_discovery/. KKP does not create or remove subnets, but tags them, so that multiple userclusters can share the same subnets.
IAM: Control plane role This one can be specified by the user, but is otherwise created automatically. Every usercluster has its own control plan role. If the specified role does not exist, it is created.
IAM: Worker role & instance profile This one can be specified by the user, but is otherwise created automatically. Every usercluster has its own worker role/profile. If the specified profile does not exist, it is created.
During cluster deletion, KKP will try to clean up and remove unneeded resources again. However, if the user specified a given field (e.g. a SG ID), KKP does not remove the resource, assuming it is shared by either other userclusters or other things. To keep track of ownership, an owner tag is placed on all resources that KKP creates. The cluster tag for the AWS CCM is also removed, regardless whether the resource was created by KKP or not.
Index ¶
- func GetAWSConfig(ctx context.Context, ...) (aws.Config, error)
- func GetCredentialsForCluster(cloud kubermaticv1.CloudSpec, ...) (accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID string, ...)
- func GetInstanceTypes(ctx context.Context, ...) ([]ec2types.InstanceTypeOffering, error)
- func GetSecurityGroups(ctx context.Context, ...) ([]ec2types.SecurityGroup, error)
- func GetSecurityGroupsByVPC(ctx context.Context, ...) ([]ec2types.SecurityGroup, error)
- func GetSubnets(ctx context.Context, ...) ([]ec2types.Subnet, error)
- func GetVPCS(ctx context.Context, ...) ([]ec2types.Vpc, error)
- func ValidateCredentials(ctx context.Context, accessKeyID, secretAccessKey string) error
- type AmazonEC2
- func (a *AmazonEC2) CleanUpCloudProvider(ctx context.Context, cluster *kubermaticv1.Cluster, ...) (*kubermaticv1.Cluster, error)
- func (a *AmazonEC2) DefaultCloudSpec(ctx context.Context, spec *kubermaticv1.ClusterSpec) error
- func (a *AmazonEC2) InitializeCloudProvider(ctx context.Context, cluster *kubermaticv1.Cluster, ...) (*kubermaticv1.Cluster, error)
- func (a *AmazonEC2) ReconcileCluster(ctx context.Context, cluster *kubermaticv1.Cluster, ...) (*kubermaticv1.Cluster, error)
- func (a *AmazonEC2) ValidateCloudSpec(ctx context.Context, spec kubermaticv1.CloudSpec) error
- func (a *AmazonEC2) ValidateCloudSpecUpdate(_ context.Context, oldSpec kubermaticv1.CloudSpec, ...) error
- type ClientSet
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetAWSConfig ¶
func GetCredentialsForCluster ¶
func GetCredentialsForCluster(cloud kubermaticv1.CloudSpec, secretKeySelector provider.SecretKeySelectorValueFunc) (accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID string, err error)
GetCredentialsForCluster returns the credentials for the passed in cloud spec or an error.
func GetInstanceTypes ¶
func GetInstanceTypes(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region string) ([]ec2types.InstanceTypeOffering, error)
GetInstanceTypes returns the list of instancetypes.
func GetSecurityGroups ¶
func GetSecurityGroups(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region, vpc string) ([]ec2types.SecurityGroup, error)
GetSecurityGroups returns the list of AWS Security Group.
func GetSecurityGroupsByVPC ¶
func GetSecurityGroupsByVPC(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region, vpcID string) ([]ec2types.SecurityGroup, error)
GetSecurityGroups returns the list of AWS Security Group filtered by VPC.
func GetSubnets ¶
func GetSubnets(ctx context.Context, accessKeyID, secretAccessKey, assumeRoleARN, assumeRoleExternalID, region, vpcID string) ([]ec2types.Subnet, error)
GetSubnets returns the list of subnets for a selected AWS VPC.
Types ¶
type AmazonEC2 ¶
type AmazonEC2 struct {
// contains filtered or unexported fields
}
func NewCloudProvider ¶
func NewCloudProvider(dc *kubermaticv1.Datacenter, secretKeyGetter provider.SecretKeySelectorValueFunc) (*AmazonEC2, error)
NewCloudProvider returns a new AmazonEC2 provider.
func (*AmazonEC2) CleanUpCloudProvider ¶
func (a *AmazonEC2) CleanUpCloudProvider(ctx context.Context, cluster *kubermaticv1.Cluster, updater provider.ClusterUpdater) (*kubermaticv1.Cluster, error)
func (*AmazonEC2) DefaultCloudSpec ¶
func (a *AmazonEC2) DefaultCloudSpec(ctx context.Context, spec *kubermaticv1.ClusterSpec) error
func (*AmazonEC2) InitializeCloudProvider ¶
func (a *AmazonEC2) InitializeCloudProvider(ctx context.Context, cluster *kubermaticv1.Cluster, update provider.ClusterUpdater) (*kubermaticv1.Cluster, error)
func (*AmazonEC2) ReconcileCluster ¶
func (a *AmazonEC2) ReconcileCluster(ctx context.Context, cluster *kubermaticv1.Cluster, update provider.ClusterUpdater) (*kubermaticv1.Cluster, error)
func (*AmazonEC2) ValidateCloudSpec ¶
ValidateCloudSpec validates the fields that the user can override while creating a cluster. We only check those that must pre-exist in the AWS account (i.e. the security group and VPC), because the others (like route table) will be created if they do not yet exist / are not explicitly specified. TL;DR: This validation does not need to be extended to cover more than VPC and SG.
func (*AmazonEC2) ValidateCloudSpecUpdate ¶
func (a *AmazonEC2) ValidateCloudSpecUpdate(_ context.Context, oldSpec kubermaticv1.CloudSpec, newSpec kubermaticv1.CloudSpec) error
ValidateCloudSpecUpdate verifies whether an update of cloud spec is valid and permitted.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package data is separate from the regular AWS provider package because it initializes a large chunk of data that might not be relevant to everyone using the AWS provider code.
|
Package data is separate from the regular AWS provider package because it initializes a large chunk of data that might not be relevant to everyone using the AWS provider code. |