Add tests for EKS Pod Identity

tests/assets/eks-pod-identity/config.yaml

@@ -0,0 +1,84 @@
+{{$namespacePrefix := DefaultParam .CL2_NAMESPACE_PREFIX "default"}}
+{{$namespaceCount := DefaultParam .CL2_NAMESPACE_COUNT 1}}
+{{$totalEksPodIdentityPods := DefaultParam .CL2_EKS_POD_IDENTITY_PODS 5000}}
+{{$timeoutEksPodIdentityPodCreation := DefaultParam .CL2_TIMEOUT_EKS_POD_IDENTITY_POD_CREATION "5m"}}
+{{$defaultQps := DefaultParam .CL2_DEFAULT_QPS  500}}
+{{$defaultBurst := DefaultParam .CL2_DEFAULT_BURST 1000}}
+{{$uniformQps := DefaultParam .CL2_UNIFORM_QPS 500}}
+
+{{$SCHEDULER_THROUGHPUT_THRESHOLD := DefaultParam .CL2_SCHEDULER_THROUGHPUT_THRESHOLD 100}}
+
+name: eks-pod-identity
+tuningSets:
+# default is a tuningset that is meant to be used when we don't have any specific requirements on pace of operations.
+- name: default
+  globalQPSLoad:
+    qps: {{$defaultQps}}
+    burst: {{$defaultBurst}}
+- name: UniformQPS
+  qpsLoad:
+    qps: {{$uniformQps}}
+steps:
+- name: Creating eks pod identity measurements
+  measurements:
+  - Identifier: EksPodIdentityPodStartupLatency
+    Method: PodStartupLatency
+    Params:
+      action: start
+      labelSelector: group = eks-pod-identity
+      threshold: 300s
+  - Identifier: EksPodIdentity
+# TODO: Move to SchedulingThroughputPrometheus which requires cl2 prom stack setup as pre-req
+    Method: SchedulingThroughput
+    Params:
+      action: start
+      labelSelector: group = eks-pod-identity
+      measurmentInterval: 1s
+# a pod identity association with (namespace: default, sa: default) is created as prerequisite
+- name: create eks pod identity pods
+  phases:
+  - namespaceRange:
+      min: 1
+      max: {{$namespaceCount}}
+      baseName: {{$namespacePrefix}}
+    replicasPerNamespace: {{$totalEksPodIdentityPods}}
+    tuningSet: UniformQPS
+    objectBundle:
+    - basename: eks-pod-identity
+      objectTemplatePath: pod-default.yaml
+      templateFillMap:
+        Group: eks-pod-identity
+- name: Waiting for eks pod identity pods to be created
+  measurements:
+  - Identifier: WaitForEksPodIdentityPods
+    Method: WaitForRunningPods
+    Params:
+      action: gather
+      timeout: {{$timeoutEksPodIdentityPodCreation}}
+      desiredPodCount: {{$totalEksPodIdentityPods}}
+      labelSelector: group = eks-pod-identity
+- name: Collecting eks pod identity measurements
+  measurements:
+  - Identifier: EksPodIdentityPodStartupLatency
+    Method: PodStartupLatency
+    Params:
+      action: gather
+  - Identifier: EksPodIdentity
+    Method: SchedulingThroughput
+    Params:
+      action: gather
+      enableViolations: true
+      threshold: {{$SCHEDULER_THROUGHPUT_THRESHOLD}}
+- name: Delete eks pod identity pods
+  phases:
+  - namespaceRange:
+      min: 1
+      max: {{$namespaceCount}}
+      baseName: {{$namespacePrefix}}
+    replicasPerNamespace: 0
+    tuningSet: default
+    objectBundle:
+    - basename: eks-pod-identity
+      objectTemplatePath: pod-default.yaml
+      templateFillMap:
+        Group: eks-pod-identity

tests/assets/eks-pod-identity/pia-trust-policy.json

@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "beta.pods.eks.aws.internal"
+        },
+        "Action": [
+          "sts:AssumeRole",
+          "sts:TagSession"
+        ]
+      }
+    ]
+}

tests/assets/eks-pod-identity/pod-default.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  generateName: eks-pod-identity-pod-churn-
+  labels:
+    group: {{.Group}}
+spec:
+  containers:
+  - image: registry.k8s.io/pause:3.9
+    name: pause
+  initContainers:
+  - name: app-init
+    image: amazon/aws-cli:latest
+    command: ["/bin/sh"]
+    args: ["-c", "aws sts get-caller-identity"]

tests/tekton-resources/pipelines/eks/awscli-cl2-load-with-addons-slos.yaml

@@ -21,6 +21,8 @@ spec:
       value: $(params.cluster-name)-node-role
     - name: launch-template-stack-name
       value: $(params.cluster-name)-launch-template
+    - name: namespace-count
+      value: $(params.namespace-count)
     retries: 10
     taskRef:
       kind: Task
@@ -61,6 +63,29 @@ spec:
   - default: https://raw.githubusercontent.com/awslabs/kubernetes-iteration-toolkit/main/tests/assets/eks_node_role.json
     name: node-role-cfn-url
     type: string
+  - name: namespace-prefix
+    default: "default"
+    description: "The prefix of namespaces for EKS Pod Identity test."
+  - name: namespace-count
+    default: "1"
+    description: "The number of namespaces for EKS Pod Identity test."
+  - name: pia-trust-policy-url
+    default: "https://raw.githubusercontent.com/awslabs/kubernetes-iteration-toolkit/main/tests/assets/eks-pod-identity/pia-trust-policy.json"
+    type: string
+  - name: pia-test-config-url
+    default: "https://raw.githubusercontent.com/awslabs/kubernetes-iteration-toolkit/main/tests/assets/eks-pod-identity/eks-pod-identity/config.yaml"
+  - name: pia-test-pod-spec-url
+    default: "https://raw.githubusercontent.com/awslabs/kubernetes-iteration-toolkit/main/tests/assets/eks-pod-identity/eks-pod-identity/pod-default.yaml"
+  - name: cl2-eks-pod-identity-pods
+    default: "5000"
+  - name: cl2-default-qps
+    default: "200"
+  - name: cl2-default-burst
+    default: "400"
+  - name: cl2-uniform-qps
+    default: "200"
+  - name: timeout-pia-pod-creation
+    default: "10m"
   tasks:
   - name: slack-notification
     params:
@@ -193,6 +218,66 @@ spec:
     workspaces:
     - name: config
       workspace: config
+  - name: create-pod-identity-association
+    params:
+    - name: cluster-name
+      value: $(params.cluster-name)
+    - name: endpoint
+      value: $(params.endpoint)
+    - name: namespace-prefix
+      value: $(params.namespace-prefix)
+    - name: namespace-count
+      value: $(params.namespace-count)
+    - name: pia-trust-policy-url
+      value: $(params.pia-trust-policy-url)
+    runAfter:
+    - create-mng-nodes
+    taskRef:
+      kind: Task
+      name:  awscli-eks-pia-create
+    workspaces:
+    - name: config
+      workspace: config
+  - name: generate-eks-pod-identity
+    params:
+    - name: cl2-eks-pod-identity-pods
+      value: $(params.cl2-eks-pod-identity-pods)
+    - name: cl2-default-qps
+      value: $(params.cl2-default-qps)
+    - name: cl2-default-burst
+      value: $(params.cl2-default-burst)
+    - name: cl2-uniform-qps
+      value: $(params.cl2-uniform-qps)
+    - name: results-bucket
+      value: $(params.results-bucket)
+    - name: nodes
+      value: $(params.desired-nodes)
+    - name: cluster-name
+      value: $(params.cluster-name)
+    - name: namespace-prefix
+      value: $(params.namespace-prefix)
+    - name: namespace-count
+      value: $(params.namespace-count)
+    - name: pia-test-config-url
+      value: $(params.pia-test-config-url)
+    - name: pia-test-pod-spec-url
+      value: $(params.pia-test-pod-spec-url)
+    - name: timeout-pia-pod-creation
+      value: $(params.timeout-pia-pod-creation)
+    - name: amp-workspace-id
+      value: '$(params.amp-workspace-id)'
+    runAfter:
+    - create-pod-identity-association
+    taskRef:
+      kind: Task
+      name: load-pod-identity
+    workspaces:
+    - name: source
+      workspace: source
+    - name: results
+      workspace: results
+    - name: config
+      workspace: config
   - name: generate
     params:
     - name: cluster-name
@@ -210,7 +295,7 @@ spec:
     - name: amp-workspace-id
       value: $(params.amp-workspace-id)
     runAfter:
-    - create-mng-nodes
+    - generate-eks-pod-identity
     taskRef:
       kind: Task
       name: load-slos
@@ -230,11 +315,11 @@ spec:
     - name: namespace
       value: $(params.kubernetes-version)
     runAfter:
-    - generate
+    - generate-eks-pod-identity
     taskRef:
       kind: Task
       name: cloudwatch
   workspaces:
   - name: source
   - name: results
-  - name: config
+  - name: config