Warning
This release is known to have issues when adding or removing SSH access while using features requiring a Launch Template. Issues include:
- Unable to make changes due to detected dependency cycle. This appears to be more than a pair of bugs in Terraform.
- Unable to destroy the security group created for SSH access when it is no longer needed, because it is still in use. It appears EKS has the same problem with deleting managed node groups. This module attempted a fix for this issue, but it could not be tested because of the above-mentioned dependency cycle issue.
breaking changes
Previously, setting `enable_cluster_autoscaler = true` turned on tagging sufficient for the Kubernetes Cluster Autoscaler to discover and manage the node group, and also added a policy to the node group worker role that allowed the workers to perform the autoscaling function. Since pods by default use the EC2 instance role, which in EKS node groups is the node group worker role, this allowed the Kubernetes Cluster Autoscaler to work from any node, but also allowed any rogue pod to perform autoscaling actions.
With this release, `enable_cluster_autoscaler` is deprecated and its functions are replaced with two new variables:
- `cluster_autoscaler_enabled`, when `true`, causes this module to perform the labeling and tagging needed for the Kubernetes Cluster Autoscaler to discover and manage the node group
- `worker_role_autoscale_iam_enabled`, when `true`, causes this module to add the IAM policy to the worker IAM role to enable the workers (and by default, any pods running on the workers) to perform autoscaling operations
Going forward, we recommend not using `enable_cluster_autoscaler` (it will eventually be removed) and leaving `worker_role_autoscale_iam_enabled` at its default value of `false`. If you want to use the Kubernetes Cluster Autoscaler, set `cluster_autoscaler_enabled = true` and use EKS IAM roles for service accounts to give the Cluster Autoscaler service account IAM permissions to perform autoscaling operations. Our Terraform module terraform-aws-eks-iam-role is available to help with this.
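As an added example (not code from this module or these release notes), the recommended configuration: tagging on, the worker-role policy left off, and a least-privilege autoscaling policy bound to the Cluster Autoscaler service account through IRSA with terraform-aws-eks-iam-role. The module sources, input names and the `module.eks_cluster` OIDC reference are assumptions; check them against the versions you pin.

```hcl
# Deprecated pattern (do not use): enable_cluster_autoscaler = true put the
# autoscaling policy on the worker instance role, reachable by every pod.
module "eks_node_group" {
  source = "cloudposse/eks-node-group/aws" # assumed module source
  # ... cluster_name, subnet_ids, instance_types, etc. ...

  cluster_autoscaler_enabled        = true  # labels/tags for discovery only
  worker_role_autoscale_iam_enabled = false # default; workers get no autoscaling rights
}

# Least-privilege policy for the Cluster Autoscaler itself: read-only
# discovery everywhere, scaling only on groups tagged for the autoscaler.
data "aws_iam_policy_document" "cluster_autoscaler" {
  statement {
    sid = "DescribeOnly"
    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "ec2:DescribeLaunchTemplateVersions",
    ]
    resources = ["*"]
  }
  statement {
    sid = "ScaleTaggedGroupsOnly"
    actions = [
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
      values   = ["true"]
    }
  }
}

# IRSA: only pods running as this service account can assume the role.
module "cluster_autoscaler_role" {
  source = "cloudposse/eks-iam-role/aws" # terraform-aws-eks-iam-role (assumed source path)

  eks_cluster_oidc_issuer_url = module.eks_cluster.eks_cluster_identity_oidc_issuer # assumed output name
  service_account_name        = "cluster-autoscaler"
  service_account_namespace   = "kube-system"
  aws_iam_policy_document     = data.aws_iam_policy_document.cluster_autoscaler.json
}
```

Deploy the Cluster Autoscaler with a service account annotated `eks.amazonaws.com/role-arn` pointing at the role this module creates, so the credentials exist only in that pod rather than on every node.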
Refactor for clarity @Nuru (#33)
what
- `random_pet` `keepers`
why
- `main.tf` was too complex
- `_enabled` at the end
references