K8S Cluster Autoscaler IAM Policy Module
This Terraform module defines an IAM policy containing the minimal set of permissions necessary for the Kubernetes Cluster Autoscaler. The policy is meant to be attached to the IAM role of the EC2 instance profile used by the worker nodes of a Kubernetes cluster, which allows the autoscaler to scale EC2 instances in the targeted Auto Scaling Groups up and down in response to resource utilization.
See the eks-k8s-cluster-autoscaler module for a module that deploys the Cluster Autoscaler to your EKS cluster.
Attaching IAM policy to workers
To allow the Cluster Autoscaler to manage Auto Scaling Groups, it needs IAM permissions to monitor and adjust them. Currently, the way to grant Pods IAM privileges is to use the worker IAM profiles provisioned by the eks-cluster-workers module.
The Terraform templates in this module create an IAM policy with the required permissions. You then need to use an aws_iam_role_policy_attachment resource (as in the example below) to attach that policy to the IAM role of your EC2 instances.
module "eks_workers" {
  # (arguments omitted)
}

module "k8s_cluster_autoscaler_iam_policy" {
  # (arguments omitted)
  eks_worker_asg_arns = module.eks_workers.eks_worker_asg_arns
}

resource "aws_iam_role_policy_attachment" "attach_k8s_cluster_autoscaler_iam_policy" {
  role       = module.eks_workers.eks_worker_iam_role_name
  policy_arn = module.k8s_cluster_autoscaler_iam_policy.k8s_cluster_autoscaler_policy_arn
}
Sample Usage

Terraform

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-K8S-CLUSTER-AUTOSCALER-IAM-POLICY MODULE
# ------------------------------------------------------------------------------------------------------
module "eks_k_8_s_cluster_autoscaler_iam_policy" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-k8s-cluster-autoscaler-iam-policy?ref=v0.70.2"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # A name that uniquely identifies the context in which this module is being
  # invoked. This also helps to avoid creating two resources with the same name
  # from different terraform applies.
  name_prefix = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # If you set this variable to false, this module will not create any
  # resources. This is used as a workaround because Terraform does not allow you
  # to use the 'count' parameter on modules. By using this parameter, you can
  # optionally create or not create the resources within this module.
  create_resources = true

  # ARNs of the EKS Managed Node Groups to grant access to. If this is not
  # specified, the policy will match based on tags only (specifically, the tag
  # 'k8s.io/cluster-autoscaler/NAME_PREFIX').
  eks_managed_node_group_arns = []

  # ARNs of the Auto Scaling Groups to grant access to. If this is not specified,
  # the policy will match based on tags only (specifically, the tag
  # 'k8s.io/cluster-autoscaler/NAME_PREFIX').
  eks_worker_asg_arns = []
}
Terragrunt

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-K8S-CLUSTER-AUTOSCALER-IAM-POLICY MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
  source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-k8s-cluster-autoscaler-iam-policy?ref=v0.70.2"
}

inputs = {
  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # A name that uniquely identifies the context in which this module is being
  # invoked. This also helps to avoid creating two resources with the same name
  # from different terraform applies.
  name_prefix = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # If you set this variable to false, this module will not create any
  # resources. This is used as a workaround because Terraform does not allow you
  # to use the 'count' parameter on modules. By using this parameter, you can
  # optionally create or not create the resources within this module.
  create_resources = true

  # ARNs of the EKS Managed Node Groups to grant access to. If this is not
  # specified, the policy will match based on tags only (specifically, the tag
  # 'k8s.io/cluster-autoscaler/NAME_PREFIX').
  eks_managed_node_group_arns = []

  # ARNs of the Auto Scaling Groups to grant access to. If this is not specified,
  # the policy will match based on tags only (specifically, the tag
  # 'k8s.io/cluster-autoscaler/NAME_PREFIX').
  eks_worker_asg_arns = []
}
Reference

Inputs

Required:

- name_prefix (string): A name that uniquely identifies the context in which this module is being invoked. This also helps to avoid creating two resources with the same name from different terraform applies.

Optional:

- create_resources (bool, default: true): If you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module.
- eks_managed_node_group_arns (list(string), default: []): ARNs of the EKS Managed Node Groups to grant access to. If this is not specified, the policy will match based on tags only (specifically, the tag 'k8s.io/cluster-autoscaler/NAME_PREFIX').
- eks_worker_asg_arns (list(string), default: []): ARNs of the Auto Scaling Groups to grant access to. If this is not specified, the policy will match based on tags only (specifically, the tag 'k8s.io/cluster-autoscaler/NAME_PREFIX').

Outputs

- The ARN of the IAM policy created with the permissions for the Kubernetes cluster autoscaler (referenced as k8s_cluster_autoscaler_policy_arn in the attachment example above).
- The AWS ID of the IAM policy created with the permissions for the Kubernetes cluster autoscaler.
- The name of the IAM policy created with the permissions for the Kubernetes cluster autoscaler.
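The page describes two scoping modes for the policy (explicit ASG ARNs, or a fallback to the 'k8s.io/cluster-autoscaler/NAME_PREFIX' tag) but does not show the policy document itself. The following is an added example, not the Gruntwork module's own code: it builds a policy document that keeps read-only Describe calls on "*" (those APIs have no resource-level permissions) while scoping the two mutating autoscaling calls to the given ARNs or to a tag condition, and it includes a small review check that flags any Allow statement granting a mutating action on every resource with no condition. The action list is the commonly documented minimum for the Cluster Autoscaler, the condition key `autoscaling:ResourceTag/k8s.io/cluster-autoscaler/<name_prefix>` and the use of the Null operator to require the tag's presence are assumptions modelled on the page's description, and the ARN in the sample run is constructed.

```python
import json

# Read-only discovery calls. These APIs do not support resource-level
# permissions, so they can only be granted on "*"; that is acceptable because
# they reveal configuration but cannot change anything.
DESCRIBE_ACTIONS = [
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeLaunchConfigurations",
    "autoscaling:DescribeScalingActivities",
    "autoscaling:DescribeTags",
    "ec2:DescribeInstanceTypes",
    "ec2:DescribeLaunchTemplateVersions",
]

# Mutating calls. These change capacity or terminate instances, so they are the
# ones that must be scoped to the cluster's own Auto Scaling Groups.
WRITE_ACTIONS = [
    "autoscaling:SetDesiredCapacity",
    "autoscaling:TerminateInstanceInAutoScalingGroup",
]


def build_policy(name_prefix, asg_arns=()):
    """Return an IAM policy document (as a dict) for one autoscaler deployment.

    With explicit ASG ARNs the write statement is limited to those resources.
    Without them it falls back to a tag match: the Null condition operator with
    value "false" means "this tag key must be present on the resource", which
    mirrors the page's description of matching on the NAME_PREFIX tag.
    (Condition key is an assumption; the module's real statement may differ.)
    """
    write_stmt = {"Sid": "ClusterAutoscalerScale", "Effect": "Allow", "Action": WRITE_ACTIONS}
    if asg_arns:
        write_stmt["Resource"] = list(asg_arns)
    else:
        tag_key = f"autoscaling:ResourceTag/k8s.io/cluster-autoscaler/{name_prefix}"
        write_stmt["Resource"] = "*"
        write_stmt["Condition"] = {"Null": {tag_key: "false"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ClusterAutoscalerDescribe",
                "Effect": "Allow",
                "Action": DESCRIBE_ACTIONS,
                "Resource": "*",
            },
            write_stmt,
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unscoped_write_statements(policy):
    """Review check: return the Sids of Allow statements that grant any
    non-Describe action on every resource without a Condition. An empty list
    means every mutating grant is scoped to ARNs or to a tag condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # "autoscaling:*" or a bare "*" counts as mutating: it is not Describe-only.
        mutating = [
            a for a in _as_list(stmt.get("Action", []))
            if not a.split(":", 1)[-1].startswith("Describe")
        ]
        wildcard = "*" in _as_list(stmt.get("Resource", []))
        if mutating and wildcard and "Condition" not in stmt:
            findings.append(stmt.get("Sid", "<no sid>"))
    return findings


if __name__ == "__main__":
    # Constructed sample ARN; not a real account or group.
    sample_arn = ("arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:"
                  "00000000-0000-0000-0000-000000000000:autoScalingGroupName/prod-eks-workers")
    for label, policy in (("arn-scoped", build_policy("prod-eks", [sample_arn])),
                          ("tag-scoped", build_policy("prod-eks"))):
        print(f"--- {label}: unscoped write statements = {unscoped_write_statements(policy)}")
        print(json.dumps(policy, indent=2))
```

The same check is useful in CI against the policy Terraform actually renders (for example, the policy document pulled out of `terraform show -json` output) so that a later edit widening the write statement to an unconditional "*" is caught before apply.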