EKS Hybrid Nodes Module

This commit is the entirety of the EKS Hybrid Nodes module added under
Networking group.

Special thanks to Bo Guan, Eric Anderson, and Curtis Rissi for their
support.

This module includes a change to the eksctl cluster.yaml that adds the
remoteNetworkConfig required by EKS Hybrid Nodes. However, these
parameters have no effect an an EKS cluster that does not make use of
them.

Additionally, IAM permissions were added to the IDE role to allow the
creation of required resources for the hybrid nodes module.

All tests pass.

Author: raykrueger

.spelling

@@ -128,4 +128,7 @@ joshi
 keda
 AIML
 DCGM
-Mountpoint
+Mountpoint
+nodeadm
+containerd
+nodeconfig

cluster/eksctl/cluster.yaml

@@ -19,6 +19,11 @@ vpc:
   clusterEndpoints:
     privateAccess: true
     publicAccess: true
+remoteNetworkConfig:
+  remoteNodeNetworks:
+    - cidrs: ["10.52.0.0/16"]
+  remotePodNetworks:
+    - cidrs: ["10.53.0.0/16"]
 addons:
   - name: vpc-cni
     version: 1.19.2

cluster/terraform/eks.tf

@@ -1,3 +1,8 @@
+locals {
+  remote_node_cidr = var.remote_network_cidr
+  remote_pod_cidr  = var.remote_pod_cidr
+}
+
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "~> 20.0"
@@ -30,6 +35,56 @@ module "eks" {
 
   create_cluster_security_group = false
   create_node_security_group    = false
+  cluster_security_group_additional_rules = {
+    hybrid-node = {
+      cidr_blocks = [local.remote_node_cidr]
+      description = "Allow all traffic from remote node/pod network"
+      from_port   = 0
+      to_port     = 0
+      protocol    = "all"
+      type        = "ingress"
+    }
+
+    hybrid-pod = {
+      cidr_blocks = [local.remote_pod_cidr]
+      description = "Allow all traffic from remote node/pod network"
+      from_port   = 0
+      to_port     = 0
+      protocol    = "all"
+      type        = "ingress"
+    }
+  }
+
+  node_security_group_additional_rules = {
+    hybrid_node_rule = {
+      cidr_blocks = [local.remote_node_cidr]
+      description = "Allow all traffic from remote node/pod network"
+      from_port   = 0
+      to_port     = 0
+      protocol    = "all"
+      type        = "ingress"
+    }
+
+    hybrid_pod_rule = {
+      cidr_blocks = [local.remote_pod_cidr]
+      description = "Allow all traffic from remote node/pod network"
+      from_port   = 0
+      to_port     = 0
+      protocol    = "all"
+      type        = "ingress"
+    }
+  }
+
+
+  cluster_remote_network_config = {
+    remote_node_networks = {
+      cidrs = [local.remote_node_cidr]
+    }
+    # Required if running webhooks on Hybrid nodes
+    remote_pod_networks = {
+      cidrs = [local.remote_pod_cidr]
+    }
+  }
 
   eks_managed_node_groups = {
     default = {

cluster/terraform/variables.tf

@@ -20,4 +20,16 @@ variable "vpc_cidr" {
   description = "Defines the CIDR block used on Amazon VPC created for Amazon EKS."
   type        = string
   default     = "10.42.0.0/16"
+}
+
+variable "remote_network_cidr" {
+  description = "Defines the remote CIDR blocks used on Amazon VPC created for Amazon EKS Hybrid Nodes."
+  type        = string
+  default     = "10.52.0.0/16"
+}
+
+variable "remote_pod_cidr" {
+  description = "Defines the remote CIDR blocks used on Amazon VPC created for Amazon EKS Hybrid Nodes."
+  type        = string
+  default     = "10.53.0.0/16"
 }

lab/iam/iam-role-cfn.yaml

@@ -41,6 +41,15 @@ Resources:
       PolicyDocument:
         file: ./iam/policies/ec2.yaml
 
+  EksWorkshopSsmPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Roles:
+        - !Ref EksWorkshopIdeRole
+      ManagedPolicyName: ${Env}-ide-ssm
+      PolicyDocument:
+        file: ./iam/policies/ssm.yaml
+
   EksWorkshopLabsPolicy1:
     Type: AWS::IAM::ManagedPolicy
     DependsOn:

lab/iam/policies/base.yaml

@@ -86,3 +86,7 @@ Statement:
       - kms:Get*
       - kms:Describe*
     Resource: ["*"]
+  - Effect: Allow
+    Action:
+      - ssm:GetParameter
+    Resource: !Sub arn:aws:ssm:${AWS::Region}::parameter/aws/service/*

lab/iam/policies/ec2.yaml

@@ -6,11 +6,14 @@ Statement:
       - ec2:Describe*
       - ec2:List*
       - ec2:RunInstances
+      - ec2:ImportKeyPair
+      - ec2:DeleteKeyPair
     Resource: ["*"]
   - Effect: Allow
     Action:
       - ec2:StopInstances
       - ec2:TerminateInstances
+      - ec2:ModifyInstanceAttribute
     Resource: ["*"]
     Condition:
       StringLike:
@@ -46,6 +49,21 @@ Statement:
       - ec2:DeleteNatGateway
       - ec2:CreateNetworkInterface
       - ec2:DeleteNetworkInterface
+      - ec2:DescribeNetworkInterfaces
+      - ec2:CreateTransitGateway
+      - ec2:DeleteTransitGateway
+      - ec2:CreateTransitGatewayVpcAttachment
+      - ec2:DeleteTransitGatewayVpcAttachment
+      - ec2:CreateTransitGatewayRoute
+      - ec2:SearchTransitGatewayRoutes
+      - ec2:DeleteTransitGatewayRoute
+      - ec2:ModifyNetworkInterfaceAttribute
+      - ec2:CreateNetworkInterfacePermission
+      - ec2:AssignIpv6Addresses
+      - ec2:UnAssignIpv6Addresses
+      - ec2:ImportKeyPair
+      - ec2:CreateKeyPair
+      - ec2:DeleteKeyPair
     Resource: ["*"]
   - Effect: Allow
     Action:
@@ -74,10 +92,6 @@ Statement:
       - ec2:AuthorizeSecurityGroup*
       - ec2:RevokeSecurityGroup*
     Resource: ["*"]
-    Condition:
-      StringLike:
-        aws:ResourceTag/aws:eks:cluster-name:
-          - ${Env}*
   - Effect: Allow
     Action:
       - ec2:CreateTags

lab/iam/policies/iam.yaml

@@ -82,3 +82,4 @@ Statement:
           - guardduty.amazonaws.com
           - spot.amazonaws.com
           - fis.amazonaws.com
+          - transitgateway.amazonaws.com

lab/iam/policies/ssm.yaml

@@ -0,0 +1,7 @@
+Version: "2012-10-17"
+Statement:
+  - Effect: Allow
+    Action:
+      ssm:CreateActivation
+    Resource:
+      - !Sub arn:aws:iam::${AWS::AccountId}:role/${Env}-hybrid-node-role-*

manifests/modules/networking/eks-hybrid-nodes/.workshop/cleanup.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+logmessage "Cleaning up EKS Hybrid Nodes Module"
+
+kubectl delete -k ~/environment/eks-workshop/modules/networking/eks-hybrid-nodes/kustomize --ignore-not-found=true
+
+kubectl delete deployment nginx-deployment --ignore-not-found=true
+
+kubectl delete clusterpolicies.kyverno.io set-pod-deletion-cost --ignore-not-found 
+
+uninstall-helm-chart cilium cilium
+uninstall-helm-chart kyverno kyverno
+
+kubectl delete namespace cilium --ignore-not-found
+kubectl delete namespace kyverno --ignore-not-found
+
+kubectl delete nodes -l eks.amazonaws.com/compute-type=hybrid --ignore-not-found=true