diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index c638f9479..12f3f3aff 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -151,8 +151,9 @@ jobs:
 - name: "Stage 1: Install and setup helm ${{ env.HELM_VERSION }}"
 run: |
 curl -sf https://raw.githubusercontent.com/helm/helm/HEAD/scripts/get-helm-3 | DESIRED_VERSION=${HELM_VERSION} bash
- helm dependency update ./mybinder
- helm dependency update ./mybinder-kube-system
+ for d in ./mybinder/ ./system-charts/*/; do
+ helm dependency update "$d"
+ done
 # Action Repo: https://github.com/sliteteam/github-action-git-crypt-unlock
 - name: "Stage 2: Unlock git-crypt secrets"
@@ -309,8 +310,9 @@ jobs:
 - name: "Stage 1: Install and setup helm ${{ env.HELM_VERSION }}"
 run: |
 curl -sf https://raw.githubusercontent.com/helm/helm/HEAD/scripts/get-helm-3 | DESIRED_VERSION=${HELM_VERSION} bash
- helm dependency update ./mybinder
- helm dependency update ./mybinder-kube-system
+ for d in ./mybinder/ ./system-charts/*/; do
+ helm dependency update "$d"
+ done
 - name: "Stage 2: Unlock git-crypt secrets"
 uses: sliteteam/github-action-git-crypt-unlock@8b1fa3ccc81e322c5c45fbab261eee46513fd3f8
diff --git a/.gitignore b/.gitignore
index 897a44867..3ba1ca74e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,9 +8,12 @@ __pycache__
 config/common/datacenter-*.yaml
 secrets/banned_hosts.txt
 secrets/config/common/bans.yaml
-mybinder*/charts
-mybinder*/requirements.lock
-mybinder*/Chart.lock
+system-charts/*/charts
+system-charts/*/requirements.lock
+system-charts/*/Chart.lock
+mybinder/charts
+mybinder/requirements.lock
+mybinder/Chart.lock
 .ipynb_checkpoints
diff --git a/deploy.py b/deploy.py
index e76380740..74e8b1dd8 100755
--- a/deploy.py
+++ b/deploy.py
@@ -329,39 +329,47 @@ def patch_coredns(dry_run=False):
 )
-def deploy_kube_system_charts(release, name=None, dry_run=False):
+def deploy_system_charts(release, name=None, dry_run=False):
 """
- Some charts must be deployed into the kube-system namespace
+ Some charts must be deployed into other namespaces
 """
 if not name:
 name = release
- log_name = f"mybinder-kube-system {release}"
- config_files = get_config_files(release, config_dir="config-kube-system")
- if not config_files:
- print(BOLD + GREEN + f"No config files found for {log_name}" + NC, flush=True)
- return
+ charts = glob.glob("system-charts/*/Chart.yaml")
+ namespaces = [c.split("/")[1] for c in charts]
- print(BOLD + GREEN + f"Starting helm upgrade for {log_name}" + NC, flush=True)
- helm = [
- "helm",
- "upgrade",
- "--install",
- "--cleanup-on-fail",
- "--namespace=kube-system",
- name,
- "mybinder-kube-system",
- ]
- for config_file in config_files:
- helm.extend(["-f", config_file])
+ for ns in namespaces:
+ log_name = f"mybinder-{ns} {release}"
- check_call(helm, dry_run)
- print(
- BOLD + GREEN + f"SUCCESS: Helm upgrade for {log_name} completed" + NC,
- flush=True,
- )
+ config_files = get_config_files(release, config_dir=f"system-config/{ns}")
+ if not config_files:
+ print(
+ BOLD + GREEN + f"No config files found for {log_name}" + NC, flush=True
+ )
+ return
+
+ print(BOLD + GREEN + f"Starting helm upgrade for {log_name}" + NC, flush=True)
+ helm = [
+ "helm",
+ "upgrade",
+ "--install",
+ "--cleanup-on-fail",
+ f"--namespace={ns}",
+ "--create-namespace",
+ name,
+ f"system-charts/{ns}",
+ ]
+ for config_file in config_files:
+ helm.extend(["-f", config_file])
+
+ check_call(helm, dry_run)
+ print(
+ BOLD + GREEN + f"SUCCESS: Helm upgrade for {log_name} completed" + NC,
+ flush=True,
+ )
- wait_for_deployments_daemonsets("kube-system", dry_run)
+ wait_for_deployments_daemonsets(ns, dry_run)
 def main():
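Review bot: The `return` in the `if not config_files:` branch now sits inside `for ns in namespaces:`, so the first namespace without a config file for this release aborts the whole loop and every remaining chart is silently skipped; it should be `continue`. With `system-config/tigera-operator/curvenote.yaml` added only for curvenote, a release that has a kube-system config but no tigera-operator one would deploy kube-system or not depending on which directory `glob.glob` happens to list first, and the only trace is a green "No config files found" line, so a Calico rollout that never happens would leave the cluster without the NetworkPolicy enforcement its config claims. Since glob order is filesystem-dependent, `charts = sorted(glob.glob("system-charts/*/Chart.yaml"))` would also make the deployment order reproducible across runs. This assumes `glob` is already imported at the top of deploy.py, which is outside the hunk.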
@@ -398,7 +406,7 @@ def main():
 action="store_true",
 help="Print commands, but don't run them",
 )
- stages = ["all", "auth", "networkban", "kubesystem", "certmanager", "mybinder"]
+ stages = ["all", "auth", "networkban", "system", "certmanager", "mybinder"]
 argparser.add_argument(
 "--stage",
 choices=stages,
@@ -454,8 +462,8 @@ def main():
 if args.stage in ("all", "networkban"):
 update_networkbans(cluster, args.dry_run)
- if args.stage in ("all", "kubesystem"):
- deploy_kube_system_charts(args.release, args.name, args.dry_run)
+ if args.stage in ("all", "system"):
+ deploy_system_charts(args.release, args.name, args.dry_run)
 if args.stage in ("all", "certmanager"):
 setup_certmanager(args.dry_run)
 if args.stage in ("all", "mybinder"):
diff --git a/mybinder-kube-system/Chart.yaml b/system-charts/kube-system/Chart.yaml
similarity index 100%
rename from mybinder-kube-system/Chart.yaml
rename to system-charts/kube-system/Chart.yaml
diff --git a/mybinder-kube-system/values.yaml b/system-charts/kube-system/values.yaml
similarity index 100%
rename from mybinder-kube-system/values.yaml
rename to system-charts/kube-system/values.yaml
diff --git a/system-charts/tigera-operator/Chart.yaml b/system-charts/tigera-operator/Chart.yaml
new file mode 100644
index 000000000..e1a9a00c1
--- /dev/null
+++ b/system-charts/tigera-operator/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+description: A meta-chart for the tiger-operator charts on some mybinder.org hosts
+name: mybinder-tiger-operator
+version: "0.0.1-set.by.chartpress"
+kubeVersion: ">= 1.26.0-0"
+dependencies:
+ # https://artifacthub.io/packages/helm/aws/aws-load-balancer-controller
+ - name: tigera-operator
+ version: 3.25.2
+ repository: https://docs.tigera.io/calico/charts
+ condition: tigera-operator.enabled
diff --git a/system-charts/tigera-operator/values.yaml b/system-charts/tigera-operator/values.yaml
new file mode 100644
index 000000000..8103114d3
--- /dev/null
+++ b/system-charts/tigera-operator/values.yaml
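Review bot: Dropping `kubesystem` from the `--stage` choices is a breaking CLI change: argparse will reject `--stage kubesystem` outright, and nothing in this diff updates callers, so any workflow or runbook still passing the old value (not visible here) breaks. If that is a concern, keep the old value as an alias in both hunks, `stages = ["all", "auth", "networkban", "system", "kubesystem", "certmanager", "mybinder"]` here and `if args.stage in ("all", "system", "kubesystem"):` in the dispatch hunk at -454. `main()` starts before and continues after both hunks.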
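Review bot: The new Chart.yaml is internally inconsistent: `name: mybinder-tiger-operator` and the description say "tiger-operator" while the directory, the dependency and the `condition` key all say `tigera-operator`, and the comment above the dependency links to the aws-load-balancer-controller artifacthub page rather than the chart actually declared. The release name and namespace come from deploy.py, so this does not change what gets installed, but the chart name is what `helm list` reports and a wrong source link will mislead whoever next bumps `version: 3.25.2`. Suggest `name: mybinder-tigera-operator`, `description: A meta-chart for the tigera-operator chart on some mybinder.org hosts`, and `# https://docs.tigera.io/calico/charts (tigera-operator chart)` for the comment.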
@@ -0,0 +1,3 @@
+# Tigera operator for installing Calico
+tigera-operator:
+ enabled: false
diff --git a/config-kube-system/curvenote.yaml b/system-config/kube-system/curvenote.yaml
similarity index 100%
rename from config-kube-system/curvenote.yaml
rename to system-config/kube-system/curvenote.yaml
diff --git a/system-config/tigera-operator/curvenote.yaml b/system-config/tigera-operator/curvenote.yaml
new file mode 100644
index 000000000..e87f6009e
--- /dev/null
+++ b/system-config/tigera-operator/curvenote.yaml
@@ -0,0 +1,11 @@
+# Install Calico for proper NetworkPolicy support
+tigera-operator:
+ enabled: true
+ installation:
+ kubernetesProvider: EKS
+ apiServer:
+ # Doesn't seem to work on EKS
+ # https://github.com/projectcalico/calico/issues/7555
+ # It's not needed anyway since we only want standard NetworkPolicy support,
+ # not 'projectcalico.org/v3'
+ enabled: false
diff --git a/terraform/aws/binder-eks/README.md b/terraform/aws/binder-eks/README.md
index e73b381ca..0382fc111 100644
--- a/terraform/aws/binder-eks/README.md
+++ b/terraform/aws/binder-eks/README.md
@@ -1,7 +1,30 @@ # BinderHub on AWS EKS +**_Important: Deploying this EKS cluster requires some manual steps after running Terraform_** + This module deploys an AWS EKS cluster with IRSA roles to support BinderHub ECR access. The module has optional support for using a limited non-administrative AWS role with a permissions boundary to deploy the cluster. For an example see [curvenote](../curvenote/README.md) + +## Post-deployment steps + +After running Terraform, you will need to perform the following steps: + +### Install the AWS VPC CNI add-on + +Using the AWS CLI: + +1. Get the available vpc-cni versions: `aws eks describe-addon-versions --addon-name vpc-cni ` +2. `aws eks create-addon --cluster-name binderhub --addon-name vpc-cni --addon-version v1.15.3-eksbuild.1 --resolve-conflicts OVERWRITE` +3. Wait for the status to change to `ACTIVE`: `aws eks describe-addon --cluster-name binderhub --addon-name vpc-cni` + +You can also do this using the AWS EKS web console: + +1. Go to the AWS EKS console and open the EKS cluster +2. Under `Add-ons` choose `Get more add-ons` +3. Select `Amazon VPC CNI`, click `Next` +4. Select latest version of the plugin, use the default IAM role `Inherit from node`, click `Next` +5. Client `Create` +6. Wait for the status to change to `Active` diff --git a/terraform/aws/curvenote/README.md b/terraform/aws/curvenote/README.md index c0edd26ec..0d427ac67 100644 --- a/terraform/aws/curvenote/README.md +++ b/terraform/aws/curvenote/README.md @@ -60,6 +60,8 @@ and deploy again terraform apply ``` +[Install the AWS VPC-CNI plugin](../binder-eks/README.md#install-the-aws-vpc-cni-add-on) + ## Obtaining a kubeconfig file You must have the AWS CLI (v2 is recommended) and kubectl in your PATH. diff --git a/terraform/aws/curvenote/cni/README.md b/terraform/aws/curvenote/cni/README.md deleted file mode 100644 index 0f4f175e9..000000000 --- a/terraform/aws/curvenote/cni/README.md +++ /dev/null 
@@ -1,20 +0,0 @@ -# Enable NetworkPolicies on EKS - -EKS automatically installs the VPC CNI plugin, but by default NetworkPolicies are not enabled. - -1. Find the recommended version of the VPC CNI plugin - https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html -2. Download the VPC-CNI Kubernetes manifest, replacing `1.15.0` with the recommended version - ``` - curl -O https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.0/config/master/aws-k8s-cni.yaml - ``` -3. Edit `aws-k8s-cni.yaml`: - - Change all mentions of `us-west-2` to your region - - Update the manifest following the `kubectl` instructions in - https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html - - Add `enable-network-policy-controller: "true"` to the `aws-node` ConfigMap - - Set `--enable-network-policy=true` in the `aws-node` DaemonSet `aws-network-policy-agent` container -4. Apply: - ``` - kubectl apply -f cni/aws-k8s-cni.yaml - ``` diff --git a/terraform/aws/curvenote/cni/aws-k8s-cni-us-east-2.yaml b/terraform/aws/curvenote/cni/aws-k8s-cni-us-east-2.yaml deleted file mode 100644 index f7886dc0d..000000000 --- a/terraform/aws/curvenote/cni/aws-k8s-cni-us-east-2.yaml +++ /dev/null 
@@ -1,564 +0,0 @@ ---- -# Source: crds/customresourcedefinition.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: eniconfigs.crd.k8s.amazonaws.com -spec: - scope: Cluster - group: crd.k8s.amazonaws.com - preserveUnknownFields: false - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - names: - plural: eniconfigs - singular: eniconfig - kind: ENIConfig ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null - labels: - app.kubernetes.io/name: amazon-network-policy-controller-k8s - name: policyendpoints.networking.k8s.aws -spec: - group: networking.k8s.aws - names: - kind: PolicyEndpoint - listKind: PolicyEndpointList - plural: policyendpoints - singular: policyendpoint - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: PolicyEndpoint is the Schema for the policyendpoints API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PolicyEndpointSpec defines the desired state of PolicyEndpoint - properties: - egress: - description: Egress is the list of egress rules containing resolved - network addresses - items: - description: EndpointInfo defines the network endpoint information - for the policy ingress/egress - properties: - cidr: - description: CIDR is the network address(s) of the endpoint - type: string - except: - description: Except is the exceptions to the CIDR ranges mentioned - above. - items: - type: string - type: array - ports: - description: Ports is the list of ports - items: - description: Port contains information about the transport - port/protocol - properties: - endPort: - description: Endport specifies the port range port to - endPort port must be defined and an integer, endPort - > port - format: int32 - type: integer - port: - description: Port specifies the numerical port for the - protocol. If empty applies to all ports - format: int32 - type: integer - protocol: - default: TCP - description: Protocol specifies the transport protocol, - default TCP - type: string - type: object - type: array - required: - - cidr - type: object - type: array - ingress: - description: Ingress is the list of ingress rules containing resolved - network addresses - items: - description: EndpointInfo defines the network endpoint information - for the policy ingress/egress - properties: - cidr: - description: CIDR is the network address(s) of the endpoint - type: string - except: - description: Except is the exceptions to the CIDR ranges mentioned - above. 
- items: - type: string - type: array - ports: - description: Ports is the list of ports - items: - description: Port contains information about the transport - port/protocol - properties: - endPort: - description: Endport specifies the port range port to - endPort port must be defined and an integer, endPort - > port - format: int32 - type: integer - port: - description: Port specifies the numerical port for the - protocol. If empty applies to all ports - format: int32 - type: integer - protocol: - default: TCP - description: Protocol specifies the transport protocol, - default TCP - type: string - type: object - type: array - required: - - cidr - type: object - type: array - podIsolation: - description: PodIsolation specifies whether the pod needs to be isolated - for a particular traffic direction Ingress or Egress, or both. If - default isolation is not specified, and there are no ingress/egress - rules, then the pod is not isolated from the point of view of this - policy. This follows the NetworkPolicy spec.PolicyTypes. - items: - description: PolicyType string describes the NetworkPolicy type - This type is beta-level in 1.8 - type: string - type: array - podSelector: - description: PodSelector is the podSelector from the policy resource - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelectorEndpoints: - description: PodSelectorEndpoints contains information about the pods - matching the podSelector - items: - description: PodEndpoint defines the summary information for the - pods - properties: - hostIP: - description: HostIP is the IP address of the host the pod is - currently running on - type: string - name: - description: Name is the pod name - type: string - namespace: - description: Namespace is the pod namespace - type: string - podIP: - description: PodIP is the IP address of the pod - type: string - required: - - hostIP - - name - - namespace - - podIP - type: object - type: array - policyRef: - description: PolicyRef is a reference to the Kubernetes NetworkPolicy - resource. 
- properties: - name: - description: Name is the name of the Policy - type: string - namespace: - description: Namespace is the namespace of the Policy - type: string - required: - - name - - namespace - type: object - required: - - policyRef - type: object - status: - description: PolicyEndpointStatus defines the observed state of PolicyEndpoint - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: aws-vpc-cni/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: aws-node - namespace: kube-system - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - app.kubernetes.io/version: "v1.15.0" ---- -# Source: aws-vpc-cni/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: amazon-vpc-cni - namespace: kube-system - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - app.kubernetes.io/version: "v1.15.0" -data: - enable-windows-ipam: "false" - enable-network-policy-controller: "true" ---- -# Source: aws-vpc-cni/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: aws-node - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - app.kubernetes.io/version: "v1.15.0" -rules: - - apiGroups: - - crd.k8s.amazonaws.com - resources: - - eniconfigs - verbs: ["list", "watch", "get"] - - apiGroups: [""] - resources: - - namespaces - verbs: ["list", "watch", "get"] - - apiGroups: [""] - resources: - - pods - verbs: ["list", "watch", "get"] - - apiGroups: [""] - resources: - - nodes - verbs: ["list", "watch", "get"] - - apiGroups: ["", "events.k8s.io"] - resources: - - events - verbs: ["create", "patch", "list"] - - apiGroups: ["networking.k8s.aws"] - resources: - - policyendpoints - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.aws"] - resources: - - 
policyendpoints/status - verbs: ["get"] - - apiGroups: - - vpcresources.k8s.aws - resources: - - cninodes - verbs: ["get", "list", "patch"] ---- -# Source: aws-vpc-cni/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: aws-node - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - app.kubernetes.io/version: "v1.15.0" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: aws-node -subjects: - - kind: ServiceAccount - name: aws-node - namespace: kube-system ---- -# Source: aws-vpc-cni/templates/daemonset.yaml -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: aws-node - namespace: kube-system - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - app.kubernetes.io/version: "v1.15.0" -spec: - updateStrategy: - rollingUpdate: - maxUnavailable: 10% - type: RollingUpdate - selector: - matchLabels: - k8s-app: aws-node - template: - metadata: - labels: - app.kubernetes.io/name: aws-node - app.kubernetes.io/instance: aws-vpc-cni - k8s-app: aws-node - spec: - priorityClassName: "system-node-critical" - serviceAccountName: aws-node - hostNetwork: true - initContainers: - - name: aws-vpc-cni-init - image: "602401143452.dkr.ecr.us-east-2.amazonaws.com/amazon-k8s-cni-init:v1.15.0" - env: - - name: DISABLE_TCP_EARLY_DEMUX - value: "false" - - name: ENABLE_IPv6 - value: "false" - securityContext: - privileged: true - resources: - requests: - cpu: 25m - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - terminationGracePeriodSeconds: 10 - tolerations: - - operator: Exists - securityContext: - {} - containers: - - name: aws-node - image: "602401143452.dkr.ecr.us-east-2.amazonaws.com/amazon-k8s-cni:v1.15.0" - ports: - - containerPort: 61678 - name: metrics - livenessProbe: - exec: - command: - - /app/grpc-health-probe - - -addr=:50051 - - -connect-timeout=5s - - 
-rpc-timeout=5s - initialDelaySeconds: 60 - timeoutSeconds: 10 - readinessProbe: - exec: - command: - - /app/grpc-health-probe - - -addr=:50051 - - -connect-timeout=5s - - -rpc-timeout=5s - initialDelaySeconds: 1 - timeoutSeconds: 10 - env: - - name: ADDITIONAL_ENI_TAGS - value: "{}" - - name: AWS_VPC_CNI_NODE_PORT_SUPPORT - value: "true" - - name: AWS_VPC_ENI_MTU - value: "9001" - - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG - value: "false" - - name: AWS_VPC_K8S_CNI_EXTERNALSNAT - value: "false" - - name: AWS_VPC_K8S_CNI_LOGLEVEL - value: "DEBUG" - - name: AWS_VPC_K8S_CNI_LOG_FILE - value: "/host/var/log/aws-routed-eni/ipamd.log" - - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT - value: "prng" - - name: AWS_VPC_K8S_CNI_VETHPREFIX - value: "eni" - - name: AWS_VPC_K8S_PLUGIN_LOG_FILE - value: "/var/log/aws-routed-eni/plugin.log" - - name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL - value: "DEBUG" - - name: DISABLE_INTROSPECTION - value: "false" - - name: DISABLE_METRICS - value: "false" - - name: DISABLE_NETWORK_RESOURCE_PROVISIONING - value: "false" - - name: ENABLE_IPv4 - value: "true" - - name: ENABLE_IPv6 - value: "false" - - name: ENABLE_POD_ENI - value: "false" - - name: ENABLE_PREFIX_DELEGATION - value: "false" - - name: WARM_ENI_TARGET - value: "1" - - name: WARM_PREFIX_TARGET - value: "1" - - name: MY_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: MY_POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - resources: - requests: - cpu: 25m - securityContext: - capabilities: - add: - - NET_ADMIN - - NET_RAW - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /host/var/log/aws-routed-eni - name: log-dir - - mountPath: /var/run/aws-node - name: run-dir - - mountPath: /run/xtables.lock - name: xtables-lock - - name: aws-eks-nodeagent - image: "602401143452.dkr.ecr.us-east-2.amazonaws.com/amazon/aws-network-policy-agent:v1.0.2" - env: 
- - name: MY_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - args: - - --enable-ipv6=false - - --enable-network-policy=true - - --enable-cloudwatch-logs=false - - --metrics-bind-addr=:8162 - - --health-probe-bind-addr=:8163 - resources: - requests: - cpu: 25m - securityContext: - capabilities: - add: - - NET_ADMIN - privileged: true - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /sys/fs/bpf - name: bpf-pin-path - - mountPath: /var/log/aws-routed-eni - name: log-dir - - mountPath: /var/run/aws-node - name: run-dir - volumes: - - name: bpf-pin-path - hostPath: - path: /sys/fs/bpf - - name: cni-bin-dir - hostPath: - path: /opt/cni/bin - - name: cni-net-dir - hostPath: - path: /etc/cni/net.d - - name: log-dir - hostPath: - path: /var/log/aws-routed-eni - type: DirectoryOrCreate - - name: run-dir - hostPath: - path: /var/run/aws-node - type: DirectoryOrCreate - - name: xtables-lock - hostPath: - path: /run/xtables.lock - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate