Merge pull request #25 from doitintl/updating_node_size_and_IMDSv2_settings

Updating node size and IMDSv2 settings

Author: neoakris

config/eks/dev_eks_config.ts

@@ -13,7 +13,7 @@ import {
 //EasyEKS Admins: edit this file with config to apply to all dev / sandbox cluster's in your org.
 
 export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack) { //config: is of type Easy_EKS_Config_Data
-  config.addTag("Environment", "Dev");
+  config.add_tag("Environment", "Dev");
 }//end apply_config()
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

config/eks/global_baseline_eks_config.ts

@@ -10,14 +10,14 @@ import request from 'sync-request-curl'; //npm install sync-request-curl (cdk re
 
 //export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster){ //config: is of type Easy_EKS_Config_Data
 export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //config: is of type Easy_EKS_Config_Data    
-    config.addTag("IaC Tooling used for Provisioning and Management of this EKS Cluster", "cdk: a CLI tool that stands for AWS Cloud Development Kit.");
-    config.addTag("Upstream Methodology Docs", "https://github.com/doitintl/easyeks");
+    config.add_tag("IaC Tooling used for Provisioning and Management of this EKS Cluster", "cdk: a CLI tool that stands for AWS Cloud Development Kit.");
+    config.add_tag("Upstream Methodology Docs", "https://github.com/doitintl/easyeks");
     //^-- NOTE: AWS tag restrictions vary by service, but generally only letters, numbers, spaces, and the following characters are allowed: + - = . _ : / @
     //    Tags are validated by the validateTag() function in lib/Utilities.ts before deployment
     //    More details:
     //      - https://docs.aws.amazon.com/eks/latest/userguide/eks-using-tags.html#tag-restrictions
     //      - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions
-    config.addClusterAdminARN(`arn:aws:iam::${process.env.CDK_DEFAULT_ACCOUNT}:role/kubectl-helm-lambda-deployer-role-used-by-easy-eks`);
+    config.add_cluster_wide_kubectl_Admin_Access_using_ARN(`arn:aws:iam::${process.env.CDK_DEFAULT_ACCOUNT}:role/kubectl-helm-lambda-deployer-role-used-by-easy-eks`);
     //^-- cdk-main.ts calls a Utility.ts library that uses aws cli to ensure this role exists (cdk errors would occur if it wasn't pre-existing.)
 }//end apply_config()
 
@@ -29,7 +29,7 @@ export function deploy_addons(config: Easy_EKS_Config_Data, stack: cdk.Stack, cl
 
     /*To see official names of all eks add-ons:
     aws eks describe-addon-versions  \
-    --kubernetes-version=1.31 \
+    --kubernetes-version=1.33 \
     --query 'sort_by(addons  &owner)[].{owner: owner, addonName: addonName}' \
     --output table
     */

config/eks/higher_envs_eks_config.ts

@@ -12,27 +12,27 @@ import { KubectlV33Layer } from '@aws-cdk/lambda-layer-kubectl-v33'; //npm insta
 //EasyEKS Admins: edit this file with config to apply to all lower environment eks cluster's in your org.
 
 export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //config: is of type Easy_EKS_Config_Data
-    config.setKmsKeyAlias("eks/higher-envs"); //kms key with this alias will be created or reused if pre-existing
-    config.setVpcByName("higher-envs-vpc", config, stack); //Name as in VPC's Name Tag
-    //config.setVpcById("vpc-0dbcacb511f9bac4e", config, stack); //Alternative pre-existing VPC deployment option
-    config.setBaselineMNGSize(2);
-    config.setBaselineMNGType(eks.CapacityType.ON_DEMAND);
+    config.set_KMS_Key_Alias_to_provision_and_reuse("eks/higher-envs"); //kms key with this alias will be created or reused if pre-existing
+    config.set_VPC_using_name_tag("higher-envs-vpc", config, stack); //Name as in VPC's Name Tag
+    //config.set_VPC_using_VPC_Id("vpc-0dbcacb511f9bac4e", config, stack); //Alternative pre-existing VPC deployment option
+    config.set_number_of_baseline_nodes(2);
+    config.set_capacity_type_of_baseline_nodes(eks.CapacityType.ON_DEMAND);
     if(process.env.CDK_DEFAULT_ACCOUNT==="111122223333"){
-        config.addClusterAdminARN(`arn:aws:iam::111122223333:user/example`); 
+        config.add_cluster_wide_kubectl_Admin_Access_using_ARN(`arn:aws:iam::111122223333:user/example`); 
         /* Note 1:
            The IAM user/role running cdk deploy dev1-eks, gets added to the list of Cluster Admins by default.
            This is done for convenience, if you want to change this default, you'll need to edit ./lib/Easy_EKS.ts
 
            Note 2: 
-           config.addClusterAdminARN('...:user/example') should only be used in an if statement,
+           config.add_cluster_wide_kubectl_Admin_Access_using_ARN('...:user/example') should only be used in an if statement,
            Because the identity referenced in ARN must exist or the deployment will fail
            This allows you to create a explicit list of ARNs (representing IAM roles or users)
            That act as EKS Admins of all higher environments.
         */
     }
     //Kubernetes verson and addon's that may depend on Kubernetes version / should be updated along side it should be specified here
-    config.setKubernetesVersion(eks.KubernetesVersion.V1_33);
-    config.setKubectlLayer(new KubectlV32Layer(stack, 'kubectl')); //<--It's fine for this to stay on an old version
+    config.set_clusters_version_of_Kubernetes(eks.KubernetesVersion.V1_33);
+    config.set_version_of_kubectl_used_by_lambda(new KubectlV32Layer(stack, 'kubectl')); //<--It's fine for this to stay on an old version
     //^--refers to version of kubectl & helm installed in AWS Lambda Layer responsible for kubectl & helm deployments
     //Note: As of Sept 9th, 2025 KubectlV33Layer (which currently has latest available versions of kubectl & helm)
     //      results in error 'Error: media type "application/vnd.cncf.helm.chart.provenance.v1.prov" is not allowed'
@@ -68,10 +68,8 @@ export function deploy_addons(config: Easy_EKS_Config_Data, stack: cdk.Stack, cl
     const karpenter_YAMLs = (new Karpenter_YAML_Generator({
         cluster: cluster,
         config: config,
-        amiSelectorTerms_alias: "[email protected]", /* <-- Bottlerocket alias always ends in a zero, below is proof by command output
-        export K8S_VERSION="1.33"
-        aws ssm get-parameters-by-path --path "/aws/service/bottlerocket/aws-k8s-$K8S_VERSION" --recursive | jq -cr '.Parameters[].Name' | grep -v "latest" | awk -F '/' '{print $7}' | sort | uniq
-        */
+        amiSelectorTerms_alias: "[email protected]",
+        //aws ssm get-parameters-by-path --path "/aws/service/bottlerocket/aws-k8s-1.33" --recursive | jq -cr '.Parameters[].Name' | grep -v "latest" | awk -F '/' '{print $7}' | sort | uniq
         consolidationPolicy: "WhenEmpty", //"WhenEmpty" is slightly higher cost and stability
         manifest_inputs: [ //Note highest weight = default, higher = preferred
             { type: "on-demand", arch: "arm64", nodepools_cpu_limit: 1000, weight: 4, },

config/eks/lower_envs_eks_config.ts

@@ -12,27 +12,27 @@ import { KubectlV33Layer } from '@aws-cdk/lambda-layer-kubectl-v33'; //npm insta
 //EasyEKS Admins: edit this file with config to apply to all lower environment eks cluster's in your org.
 
 export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //config: is of type Easy_EKS_Config_Data
-    config.setKmsKeyAlias("eks/lower-envs"); //kms key with this alias will be created or reused if pre-existing
-    config.setVpcByName("lower-envs-vpc", config, stack); //Name as in VPC's Name Tag
-    //config.setVpcById("vpc-0dbcacb511f9bac4e", config, stack); //Alternative pre-existing VPC deployment option
-    config.setBaselineMNGSize(2);
-    config.setBaselineMNGType(eks.CapacityType.SPOT);
+    config.set_KMS_Key_Alias_to_provision_and_reuse("eks/lower-envs"); //kms key with this alias will be created or reused if pre-existing
+    config.set_VPC_using_name_tag("lower-envs-vpc", config, stack); //Name as in VPC's Name Tag
+    //config.set_VPC_using_VPC_Id("vpc-0dbcacb511f9bac4e", config, stack); //Alternative pre-existing VPC deployment option
+    config.set_number_of_baseline_nodes(2);
+    config.set_capacity_type_of_baseline_nodes(eks.CapacityType.SPOT);
     if(process.env.CDK_DEFAULT_ACCOUNT==="111122223333"){
-        config.addClusterAdminARN(`arn:aws:iam::111122223333:user/example`);
+        config.add_cluster_wide_kubectl_Admin_Access_using_ARN(`arn:aws:iam::111122223333:user/example`);
         /* Note 1:
            The IAM user/role running cdk deploy dev1-eks, gets added to the list of Cluster Admins by default.
            This is done for convenience, if you want to change this default, you'll need to edit ./lib/Easy_EKS.ts
 
            Note 2: 
-           config.addClusterAdminARN('...:user/example') should only be used in an if statement,
+           config.add_cluster_wide_kubectl_Admin_Access_using_ARN('...:user/example') should only be used in an if statement,
            Because the identity referenced in ARN must exist or the deployment will fail
            This allows you to create a explicit list of ARNs (representing IAM roles or users)
            That act as EKS Admins of all lower environments.
         */
     }
     //Kubernetes verson and addon's that may depend on Kubernetes version / should be updated along side it should be specified here
-    config.setKubernetesVersion(eks.KubernetesVersion.V1_33); //version of eks cluster
-    config.setKubectlLayer(new KubectlV32Layer(stack, 'kubectl')); //<--It's fine for this to stay on an old version
+    config.set_clusters_version_of_Kubernetes(eks.KubernetesVersion.V1_33); //version of eks cluster
+    config.set_version_of_kubectl_used_by_lambda(new KubectlV32Layer(stack, 'kubectl')); //<--It's fine for this to stay on an old version
     //^--refers to version of kubectl & helm installed in AWS Lambda Layer responsible for kubectl & helm deployments
     //Note: As of Sept 9th, 2025 KubectlV33Layer (which currently has latest available versions of kubectl & helm)
     //      results in error 'Error: media type "application/vnd.cncf.helm.chart.provenance.v1.prov" is not allowed'
@@ -68,10 +68,8 @@ export function deploy_addons(config: Easy_EKS_Config_Data, stack: cdk.Stack, cl
     const karpenter_YAMLs = (new Karpenter_YAML_Generator({
         cluster: cluster,
         config: config,
-        amiSelectorTerms_alias: "[email protected]", /* <-- Bottlerocket alias always ends in a zero, below is proof by command output
-        export K8S_VERSION="1.33"
-        aws ssm get-parameters-by-path --path "/aws/service/bottlerocket/aws-k8s-$K8S_VERSION" --recursive | jq -cr '.Parameters[].Name' | grep -v "latest" | awk -F '/' '{print $7}' | sort | uniq
-        */
+        amiSelectorTerms_alias: "[email protected]",
+        //aws ssm get-parameters-by-path --path "/aws/service/bottlerocket/aws-k8s-1.33" --recursive | jq -cr '.Parameters[].Name' | grep -v "latest" | awk -F '/' '{print $7}' | sort | uniq
         consolidationPolicy: "WhenEmptyOrUnderutilized", //WhenUnderutilized is more agressive cost savings / slightly worse stability
         manifest_inputs: [ //Note highest weight = default, higher = preferred
             { type: "spot",      arch: "arm64", nodepools_cpu_limit: 1000, weight: 4, },

config/eks/my_orgs_baseline_eks_config.ts

@@ -11,13 +11,13 @@ import request from 'sync-request-curl'; //npm install sync-request-curl (cdk re
 //EasyEKS Admins would be expected to edit this file with defaults specific to their org. (that rarely change and are low risk to add)
 
 export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //config: is of type Easy_EKS_Config_Data
-    config.addTag("Internally Maintained By", "[email protected] and [email protected] of Cloud Platform Team Updated 2024/12/15");
-    config.addTag("Internal Contact Methods for Questions", "devops slack channel or email [email protected]");
-    config.addTag("IaC Tooling used for Provisioning and Management of EKS Workloads", "To be Determined maybe github actions flux or argo");
+    config.add_tag("Internally Maintained By", "[email protected] and [email protected] of Cloud Platform Team Updated 2024/12/15");
+    config.add_tag("Internal Contact Methods for Questions", "devops slack channel or email [email protected]");
+    config.add_tag("IaC Tooling used for Provisioning and Management of EKS Workloads", "To be Determined maybe github actions flux or argo");
     //^-- NOTE: hashtag(#)   comma(,)   singlequote(')   doublequote(\")   parenthesis()   and more are not valid tag values
     //    https://docs.aws.amazon.com/codeguru/latest/bugbust-ug/limits-tags.html
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-    config.addClusterViewerAccount(process.env.CDK_DEFAULT_ACCOUNT!); //<-- comment out to disable read_only_viewer_by_default
+    config.grant_cluster_wide_Viewer_Access_to_all_IAM_Identities_within_AWS_Account(process.env.CDK_DEFAULT_ACCOUNT!); //<-- comment out to disable read_only_viewer_by_default
     /* Explanation of what this-^ does:
     It adds current account to eks cluster's aws-auth configmap
     kubectl get cm -n=kube-system aws-auth -o yaml | grep Accounts:
@@ -50,7 +50,7 @@ export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //
       * Can't kubectl exec -it into existing pods
     */ 
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-    config.setIpMode(eks.IpFamily.IP_V6); 
+    config.set_IPv4_or_IPv6(eks.IpFamily.IP_V6); 
     //^--EasyEKS Recommended Default: is IP_V6
     /* Useful Notes:
     * eks.IpFamily.IP_V4

config/eks/prod_eks_config.ts

@@ -8,7 +8,7 @@ import request from 'sync-request-curl'; //npm install sync-request-curl (cdk re
 //EasyEKS Admins: edit this file with config to apply to all Prod / Production cluster's in your org.
 
 export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //config: is of type Easy_EKS_Config_Data
-    config.addTag("Environment", "Prod");
+    config.add_tag("Environment", "Prod");
 }//end apply_config()
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

config/eks/stage_eks_config.ts

@@ -8,7 +8,7 @@ import request from 'sync-request-curl'; //npm install sync-request-curl (cdk re
 //EasyEKS Admins: edit this file with config to apply to all Stage / Staging / Pre-Production / UAT (User Acceptance Testing) cluster's in your org.
 
 export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //config: is of type Easy_EKS_Config_Data
-    config.addTag("Environment", "Stage");
+    config.add_tag("Environment", "Stage");
 }//end apply_config()
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

config/eks/test_eks_config.ts

@@ -8,7 +8,7 @@ import request from 'sync-request-curl'; //npm install sync-request-curl (cdk re
 //EasyEKS Admins: edit this file with config to apply to all Test / QA (Quality Assurance) / Int (CICD Integration Testing) cluster's in your org.
 
 export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //config: is of type Easy_EKS_Config_Data
-    config.addTag("Environment", "Test");
+    config.add_tag("Environment", "Test");
 }//end apply_config()
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

lib/Easy_EKS_Cluster.ts

@@ -90,7 +90,9 @@ export class Easy_EKS_Cluster{ //purposefully don't extend stack, to implement b
         const baseline_MNG: eks.NodegroupOptions = {
             subnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
             amiType: eks.NodegroupAmiType.BOTTLEROCKET_ARM_64,
-            instanceTypes: [new ec2.InstanceType('t4g.small')], //t4g.small = 2cpu, 2gb ram, 11pod max
+            instanceTypes: [new ec2.InstanceType('t4g.medium')], //medium = 2cpu, 4gb ram, 17 max pods per node
+            //^-- Can't go smaller. small supports 11 max pods per node, medium supports 17 max pods per node
+            //    daemonsets make it so medium is smallest acceptable baseline node size.
             capacityType: eks.CapacityType.SPOT,
             desiredSize: config.baselineNodesNumber,
             minSize: 0,
@@ -198,7 +200,7 @@ export class Easy_EKS_Cluster{ //purposefully don't extend stack, to implement b
         // For good security we lock this down to whitelisted IAM access entries, defined in the Access tab of EKS's web console
         // For convienence we make an assumption that the IAM identity running cdk deploy dev1-eks, should be auto-added to that list.
         // A singleton pattern is used to avoid multiple lookups.
-        config.addClusterAdminARN(Easy_EKS_Dynamic_Config.get_ARN_of_IAM_Identity_running_CDK_Deploy());
+        config.add_cluster_wide_kubectl_Admin_Access_using_ARN(Easy_EKS_Dynamic_Config.get_ARN_of_IAM_Identity_running_CDK_Deploy());
         ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
         ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -468,9 +470,13 @@ function initalize_baseline_LT_Spec(stack: cdk.Stack, config: Easy_EKS_Config_Da
     //v-- avoid editing this, invalid config prevents nodes from joining cluster, and results in a slow and annoying feedback loop.
     const Bottlerocket_baseline_MNG_TOML = `
     [settings.kubernetes]
-    max-pods = 11
+    max-pods = 17
     `;
-    //^-- 11 = max pods of t4g.small, per https://github.com/aws/amazon-vpc-cni-k8s/blob/master/misc/eni-max-pods.txt
+    //^-- per https://github.com/aws/amazon-vpc-cni-k8s/blob/master/misc/eni-max-pods.txt
+    // t4g.small supports max-pods = 11
+    // t4g.medium supports max-pods = 17
+    // Before adding observability stack daemonsets took up 8/11 of small's pod capacity
+    // Proactively bumping min node size from t4g.small to t4g.medium to account for daemonsets needed by observability stack
     const Bottlerocket_baseline_MNG_userdata = ec2.UserData.custom(Bottlerocket_baseline_MNG_TOML);
     const Baseline_MNG_LT = new ec2.LaunchTemplate(stack, `ARM64-Bottlerocket-${baseline_node_type}_MNG_LT`, {
       launchTemplateName: `${config.cluster_name}/baseline-MNG/arm64-bottlerocket-${baseline_node_type}`, //EKS Layer2 construct makes 2 LT's for some reason, uses the eks-* one.