From 3bc989bd75261ff32ff65eadabbef4e1fb7c26ec Mon Sep 17 00:00:00 2001 From: Christian Roth Date: Mon, 27 Apr 2026 18:21:44 +0200 Subject: [PATCH] feat: Update Karpenter sub-module to support Karpenter `v1.12` (#3690) * feat: Update Karpenter sub-module to support Karpenter v1.12 * feat: Update Karpenter example to demonstrate zonal shift support Co-Authored-By: Claude Opus 4.6 * refactor: Remove enable_zonal_shift gate, include permission unconditionally Per maintainer feedback, the module should default to full permissions and let users enable/disable features via the controller's Helm values. Co-Authored-By: Claude Opus 4.6 --------- Co-authored-by: Claude Opus 4.6
---
 examples/karpenter/main.tf | 1 +
 modules/karpenter/policy.tf | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/examples/karpenter/main.tf b/examples/karpenter/main.tf
index 62ef9bc..6e80d06 100644
--- a/examples/karpenter/main.tf
+++ b/examples/karpenter/main.tf
@@ -155,6 +155,7 @@ resource "helm_release" "karpenter" {
 clusterName: ${module.eks.cluster_name}
 clusterEndpoint: ${module.eks.cluster_endpoint}
 interruptionQueue: ${module.karpenter.queue_name}
+ enableZonalShift: true
 webhook:
 enabled: false
 EOT
diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf
index 36f95de..6fc8421 100644
--- a/modules/karpenter/policy.tf
+++ b/modules/karpenter/policy.tf
@@ -190,6 +190,7 @@ data "aws_iam_policy_document" "controller" {
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeLaunchTemplates",
 "ec2:DescribeSecurityGroups",
+ "ec2:DescribeInstanceStatus",
 "ec2:DescribeSpotPriceHistory",
 "ec2:DescribeSubnets",
 "ec2:DescribePlacementGroups"
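Review bot: `enableZonalShift: true` in the example's Helm values is not backed by any other change to examples/karpenter/main.tf, since the diffstat shows this as the file's only changed line. Neither the chart `version` of `helm_release.karpenter` nor any zonal-shift setting on the cluster itself is touched by this commit. If the example still pins a chart older than v1.12, or the EKS cluster is not registered for zonal shift, the flag presumably has no effect and the example would advertise a resilience feature it does not exercise; both should be confirmed against the parts of the file outside the hunk. A YAML comment above the line, such as `# requires Karpenter >= 1.12; zonal shift must also be enabled on the EKS cluster`, would make the prerequisite visible. The heredoc and the rest of the resource start and end outside this hunk.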
@@ -214,6 +215,12 @@ data "aws_iam_policy_document" "controller" { actions = ["pricing:GetProducts"] } + statement { + sid = "AllowZonalShiftReadActions" + resources = ["arn:${local.partition}:eks:${local.region}:${local.account_id}:cluster/${var.cluster_name}"] + actions = ["arc-zonal-shift:GetManagedResource"] + } + dynamic "statement" { for_each = local.enable_spot_termination ? [1] : []
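Review bot: The `AllowZonalShiftReadActions` statement is attached to every controller role, whereas the `dynamic "statement"` right after it is gated on `local.enable_spot_termination`. The commit message says the gate was dropped on purpose, but nothing in policy.tf records that decision. The grant is narrow (one read action, `arc-zonal-shift:GetManagedResource`, on the ARN of the single cluster named by `var.cluster_name`), so the least-privilege cost is small. Someone auditing the policy later still cannot tell an intentional always-on permission from an oversight. I would add a comment above the statement, e.g. `# Read-only and scoped to this cluster; granted unconditionally so zonal shift is toggled only via the controller's Helm values.` The `data "aws_iam_policy_document" "controller"` body starts before this hunk and the dynamic block continues past it.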