Review comments

Author: xdu31

tests/assets/pia-trust-policy.json

@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "beta.pods.eks.aws.internal"
+        },
+        "Action": [
+          "sts:AssumeRole",
+          "sts:TagSession"
+        ]
+      }
+    ]
+}

tests/pipelines/eks/awscli-eks-cl2-load-with-pod-identity.yaml

@@ -20,8 +20,10 @@ spec:
     default: "500"
   - name: namespace-prefix
     default: "default"
-  - name: namespaces
+    description: "The prefix of namespaces for EKS Pod Identity test."
+  - name: namespace-count
     default: "1"
+    description: "The number of namespaces for EKS Pod Identity test."
   - name: results-bucket
   - name: slack-hook
   - name: slack-message
@@ -37,6 +39,8 @@ spec:
     default: "https://raw.githubusercontent.com/awslabs/kubernetes-iteration-toolkit/main/tests/assets/eks_service_role.json"
   - name: node-role-cfn-url
     default: "https://raw.githubusercontent.com/awslabs/kubernetes-iteration-toolkit/main/tests/assets/eks_node_role.json"
+  - name: pia-trust-policy-url
+    default: "https://raw.githubusercontent.com/awslabs/kubernetes-iteration-toolkit/main/tests/assets/pia-trust-policy.json"
   tasks:
   - name: slack-notification
     params:
@@ -184,8 +188,10 @@ spec:
       value: $(params.endpoint)
     - name: namespace-prefix
       value: $(params.namespace-prefix)
-    - name: namespaces
-      value: $(params.namespaces)
+    - name: namespace-count
+      value: $(params.namespace-count)
+    - name: pia-trust-policy-url
+      value: $(params.pia-trust-policy-url)
     runAfter:
     - create-mng-nodes
     taskRef:
@@ -212,8 +218,8 @@ spec:
       value: $(params.cluster-name)
     - name: namespace-prefix
       value: $(params.namespace-prefix)
-    - name: namespaces
-      value: $(params.namespaces)
+    - name: namespace-count
+      value: $(params.namespace-count)
     - name: amp-workspace-id
       value: '$(params.amp-workspace-id)'
     runAfter:
@@ -249,8 +255,8 @@ spec:
       value: $(params.cluster-name)
     - name: endpoint
       value: $(params.endpoint)
-    - name: namespaces
-      value: $(params.namespaces)
+    - name: namespace-count
+      value: $(params.namespace-count)
     - name: slack-hook
       value: $(params.slack-hook)
     - name: slack-message

tests/tasks/generators/clusterloader/load-pod-identity.yaml

@@ -15,19 +15,19 @@ spec:
     default: "eks-pod-identity"
   - name: cl2-eks-pod-identity-pods
     description: "pods for testing eks pod identity service"
-    default: "5000"
+    default: "2000"
   - name: cl2-default-qps
     description: "default qps"
     default: "500"
   - name: cl2-default-burst
     description: "default burst"
-    default: "1000"
+    default: "800"
   - name: cl2-uniform-qps
     description: "uniform qps"
-    default: "500"
+    default: "400"
   - name: nodes
     description: "number of dataplane nodes to run the load test against"
-    default: "1000"
+    default: "800"
   - name: results-bucket
     description: "Results bucket with path of s3 to upload results"
   - name: region
@@ -37,10 +37,10 @@ spec:
     description: "The name of the EKS cluster you want to spin"
   - name: namespace-prefix
     default: "default"
-    description: "The namespace prefix"
-  - name: namespaces
+    description: "The prefix of namespaces for EKS Pod Identity test."
+  - name: namespace-count
     default: "1"
-    description: "The number of namespaces"
+    description: "The number of namespaces for EKS Pod Identity test"
   - name: amp-workspace-id
     description: The AMP workspace ID where remote write needs to happen.
     default: ""
@@ -82,7 +82,7 @@ spec:
       CL2_DEFAULT_BURST: $(params.cl2-default-burst)
       CL2_UNIFORM_QPS: $(params.cl2-uniform-qps)
       CL2_NAMESPACE_PREFIX: $(params.namespace-prefix)
-      CL2_NAMESPACES: $(params.namespaces)
+      CL2_NAMESPACE_COUNT: $(params.namespace-count)
       CL2_PROMETHEUS_NODE_SELECTOR: "eks.amazonaws.com/nodegroup: monitoring-$(params.cluster-name)-nodes-1"
       EOL
       cat $(workspaces.source.path)/overrides.yaml

tests/tasks/setup/eks/awscli-cp-with-vpc.yaml

@@ -27,6 +27,9 @@ spec:
   - name: aws-ebs-csi-driver-version
     default: release-1.13
     description: The release version for aws ebs csi driver.
+  - name: aws-pod-identity-agent-version
+    default: v1.3.5-eksbuild.2
+    description: The release version for aws pod identity agent.
   workspaces:
   - name: config
     mountPath: /config/
@@ -115,5 +118,5 @@ spec:
       if [ -n "$(params.endpoint)" ]; then
         ENDPOINT_FLAG="--endpoint $(params.endpoint)"
       fi
-      aws eks $ENDPOINT_FLAG create-addon --cluster-name $(params.cluster-name) --addon-name eks-pod-identity-agent --addon-version v1.3.5-eksbuild.2
+      aws eks $ENDPOINT_FLAG create-addon --cluster-name $(params.cluster-name) --addon-name eks-pod-identity-agent --addon-version $(params.aws-pod-identity-agent-version)
       aws eks $ENDPOINT_FLAG --region $(params.region) wait cluster-active --name $(params.cluster-name)

tests/tasks/setup/eks/awscli-pod-identity-association.yaml

@@ -18,8 +18,12 @@ spec:
     default: ""
   - name: namespace-prefix
     default: "default"
-  - name: namespaces
+    description: "The prefix of namespaces for EKS Pod Identity test."
+  - name: namespace-count
     default: "1"
+    description: "The number of namespaces for EKS Pod Identity test."
+  - name: pia-trust-policy-url
+    default: "https://raw.githubusercontent.com/awslabs/kubernetes-iteration-toolkit/main/tests/assets/pia-trust-policy.json"
   workspaces:
   - name: config
     mountPath: /config/
@@ -47,6 +51,7 @@ spec:
       MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
       TRUST_POLICY_FILE="pia-trust-policy.json"
       # create a trust policy json file
+      curl -s $(params.pia-trust-policy-url) -o ./$TRUST_POLICY_FILE
       cat > $TRUST_POLICY_FILE <<EOF
       {
         "Version": "2012-10-17",
@@ -64,7 +69,7 @@ spec:
         ]
       }
       EOF
-      for i in $(seq 1 $(params.namespaces)); do
+      for i in $(seq 1 $(params.namespace-count)); do
         kubectl create namespace $(params.namespace-prefix)-$i
 
         PIA_ROLE_NAME=$(params.cluster-name)-pia-role-$i

tests/tasks/teardown/awscli-eks.yaml

@@ -16,8 +16,9 @@ spec:
     description: The region where the cluster is in.
   - name: endpoint
     default: ""
-  - name: namespaces
-    default: "1"
+  - name: namespace-count
+    description: The number of namespaces for EKS Pod Identity test.
+    default: "0"
   - name: slack-hook
     default: ""
   - name: slack-message
@@ -42,7 +43,7 @@ spec:
       aws eks delete-cluster --name $(params.cluster-name) --region $(params.region) $ENDPOINT_FLAG
 
       MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
-      for i in $(seq 1 $(params.namespaces)); do
+      for i in $(seq 1 $(params.namespace-count)); do
         PIA_ROLE_NAME=$(params.cluster-name)-pia-role-$i
         PIA_ROLE_EXISTS=$(aws iam get-role --role-name $PIA_ROLE_NAME --query 'Role.RoleName' --output text 2>/dev/null)
         if [ "$PIA_ROLE_EXISTS" == "$PIA_ROLE_NAME" ]; then