sigificantly improved karpenter UX: Simplified config and fixed issue where cdk destroy would fail

Author: neoakris

config/eks/higher_envs_eks_config.ts

@@ -4,8 +4,7 @@ import * as eks from 'aws-cdk-lib/aws-eks';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31'; //npm install @aws-cdk/lambda-layer-kubectl-v31
 import request from 'sync-request-curl'; //npm install sync-request-curl (cdk requires sync functions, async not allowed)
-import { Karpenter } from 'cdk-eks-karpenter' //npm install cdk-eks-karpenter 
-import { Karpenter_YAML_Generator } from '../../lib/Karpenter_Manifests';
+import { Karpenter_Helm_Config, Karpenter_YAML_Generator, Apply_Karpenter_YAMLs_with_fixes } from '../../lib/Karpenter_Manifests';
 //Intended Use: 
 //EasyEKS Admins: edit this file with config to apply to all lower environment eks cluster's in your org.
 
@@ -92,21 +91,16 @@ export function deploy_workloads(config: Easy_EKS_Config_Data, stack: cdk.Stack,
 
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
     // Install Karpenter.sh
-    const karpenter = new Karpenter(stack, 'Karpenter', {
-        cluster: cluster,
-        namespace: 'kube-system',
-        version: '1.3.3', //https://gallery.ecr.aws/karpenter/karpenter
-        nodeRole: config.baselineNodeRole, //custom NodeRole to pass to Karpenter Nodes
-        helmExtraValues: { //https://github.com/aws/karpenter-provider-aws/blob/v1.2.0/charts/karpenter/values.yaml
+    const karpenter_helm_config: Karpenter_Helm_Config = {
+        helm_chart_version: '1.4.0', //https://gallery.ecr.aws/karpenter/karpenter
+        helm_chart_values: { //https://github.com/aws/karpenter-provider-aws/blob/v1.4.0/charts/karpenter/values.yaml
             replicas: 2,
         },
-    });
-    karpenter.node.addDependency(cluster.awsAuth); //editing order of operations to say deploy karpenter after cluster exists
-
-    const karpenter_YAML_generator = new Karpenter_YAML_Generator({
+    };
+    const karpenter_YAMLs = (new Karpenter_YAML_Generator({
         cluster: cluster,
         config: config,
-        amiSelectorTerms_alias: "bottlerocket@v1.31.0", /* <-- Bottlerocket alias always ends in a zero
+        amiSelectorTerms_alias: "bottlerocket@v1.31.0", /* <-- Bottlerocket alias always ends in a zero, below is proof by command output
         export K8S_VERSION="1.31"
         aws ssm get-parameters-by-path --path "/aws/service/bottlerocket/aws-k8s-$K8S_VERSION" --recursive | jq -cr '.Parameters[].Name' | grep -v "latest" | awk -F '/' '{print $7}' | sort | uniq
         */
@@ -117,17 +111,8 @@ export function deploy_workloads(config: Easy_EKS_Config_Data, stack: cdk.Stack,
             { type: "spot",      arch: "arm64", nodepools_cpu_limit: 1000, weight: 2, },
             { type: "spot",      arch: "amd64", nodepools_cpu_limit: 1000, weight: 1, },
         ]
-    });
-    const karpenter_YAMLs = karpenter_YAML_generator.generate_manifests();
-    const apply_kaprenter_YAML = new eks.KubernetesManifest(stack, 'karpenter_YAMLs',
-        {
-            cluster: cluster,
-            manifest: karpenter_YAMLs,
-            overwrite: true,
-            prune: false,
-        });
-    //cluster.addManifest('karpenter_YAML', ...karpenter_YAMLs); //... is a TypeScript operation to convert array to CSV.
-    apply_kaprenter_YAML.node.addDependency(karpenter); //Inform cdk of order of operations
+    })).generate_manifests();
+    Apply_Karpenter_YAMLs_with_fixes(stack, cluster, config, karpenter_helm_config, karpenter_YAMLs, awsLoadBalancerController);
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
 }//end deploy_workloads()

config/eks/lower_envs_eks_config.ts

@@ -4,8 +4,7 @@ import * as eks from 'aws-cdk-lib/aws-eks';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31'; //npm install @aws-cdk/lambda-layer-kubectl-v31
 import request from 'sync-request-curl'; //npm install sync-request-curl (cdk requires sync functions, async not allowed)
-import { Karpenter } from 'cdk-eks-karpenter' //npm install cdk-eks-karpenter 
-import { Karpenter_YAML_Generator } from '../../lib/Karpenter_Manifests';
+import { Karpenter_Helm_Config, Karpenter_YAML_Generator, Apply_Karpenter_YAMLs_with_fixes } from '../../lib/Karpenter_Manifests';
 //Intended Use: 
 //EasyEKS Admins: edit this file with config to apply to all lower environment eks cluster's in your org.
 
@@ -50,7 +49,7 @@ export function deploy_workloads(config: Easy_EKS_Config_Data, stack: cdk.Stack,
     const ALBC_Version = 'v2.12.0'; //April 9th, 2025 latest from https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases
     const ALBC_IAM_Policy_Url = `https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/tags/${ALBC_Version}/docs/install/iam_policy.json`
     const ALBC_IAM_Policy_JSON = JSON.parse(request("GET", ALBC_IAM_Policy_Url).body.toString());
-    const ALBC_IAM_Policy = new iam.Policy(stack, `${config.id}_AWS_LB_Controller_policy_for_EKS`, {
+    const ALBC_IAM_Policy = new iam.Policy(stack, 'AWS_LB_Controller_IAM_policy_for_EKS', {
         document: iam.PolicyDocument.fromJson( ALBC_IAM_Policy_JSON ),
     });
     const ALBC_Kube_SA = new eks.ServiceAccount(stack, 'aws-load-balancer-controller_kube-sa', {
@@ -92,20 +91,16 @@ export function deploy_workloads(config: Easy_EKS_Config_Data, stack: cdk.Stack,
 
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
     // Install Karpenter.sh
-    const karpenter = new Karpenter(stack, 'Karpenter', {
-        cluster: cluster,
-        namespace: 'kube-system',
-        version: '1.3.3', //https://gallery.ecr.aws/karpenter/karpenter
-        nodeRole: config.baselineNodeRole, //custom NodeRole to pass to Karpenter Nodes
-        helmExtraValues: { //https://github.com/aws/karpenter-provider-aws/blob/v1.2.0/charts/karpenter/values.yaml
+    const karpenter_helm_config: Karpenter_Helm_Config = {
+        helm_chart_version: '1.4.0', //https://gallery.ecr.aws/karpenter/karpenter
+        helm_chart_values: { //https://github.com/aws/karpenter-provider-aws/blob/v1.4.0/charts/karpenter/values.yaml
             replicas: 1,
         },
-    });
-    karpenter.node.addDependency(cluster.awsAuth); //editing order of operations to say deploy karpenter after cluster exists
-    const karpenter_YAML_generator = new Karpenter_YAML_Generator({
+    };
+    const karpenter_YAMLs = (new Karpenter_YAML_Generator({
         cluster: cluster,
         config: config,
-        amiSelectorTerms_alias: "bottlerocket@v1.31.0", /* <-- Bottlerocket alias always ends in a zero
+        amiSelectorTerms_alias: "bottlerocket@v1.31.0", /* <-- Bottlerocket alias always ends in a zero, below is proof by command output
         export K8S_VERSION="1.31"
         aws ssm get-parameters-by-path --path "/aws/service/bottlerocket/aws-k8s-$K8S_VERSION" --recursive | jq -cr '.Parameters[].Name' | grep -v "latest" | awk -F '/' '{print $7}' | sort | uniq
         */
@@ -116,17 +111,8 @@ export function deploy_workloads(config: Easy_EKS_Config_Data, stack: cdk.Stack,
             { type: "on-demand", arch: "arm64", nodepools_cpu_limit: 1000, weight: 2, },
             { type: "on-demand", arch: "amd64", nodepools_cpu_limit: 1000, weight: 1, },
         ]
-    });
-    const karpenter_YAMLs = karpenter_YAML_generator.generate_manifests();
-    const apply_kaprenter_YAML = new eks.KubernetesManifest(stack, 'karpenter_YAMLs',
-        {
-            cluster: cluster,
-            manifest: karpenter_YAMLs,
-            overwrite: true,
-            prune: false,
-        });
-    //cluster.addManifest('karpenter_YAML', ...karpenter_YAMLs); //... is a TypeScript operation to convert array to CSV.
-    apply_kaprenter_YAML.node.addDependency(karpenter); //Inform cdk of order of operations
+    })).generate_manifests();
+    Apply_Karpenter_YAMLs_with_fixes(stack, cluster, config, karpenter_helm_config, karpenter_YAMLs, awsLoadBalancerController);
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
 }//end deploy_workloads()

config/eks/my_orgs_baseline_eks_config.ts

@@ -238,13 +238,12 @@ export function deploy_workloads(config: Easy_EKS_Config_Data, stack: cdk.Stack,
         managedPolicies: [ iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonEBSCSIDriverPolicy') ],
         assumedBy: (new cdk.aws_iam.ServicePrincipal("pods.eks.amazonaws.com")),
     });
-    ebs_csi_addon_iam_role.assumeRolePolicy!.addStatements(
+    ebs_csi_addon_iam_role.assumeRolePolicy!.addStatements( //<-- ! is TypeScript for "I know this variable isn't null"
         new iam.PolicyStatement({
             actions: ['sts:AssumeRole', 'sts:TagSession'],
             principals: [new iam.ServicePrincipal('pods.eks.amazonaws.com')],
         })
     );
-
     const ebs_csi_addon = new eks.CfnAddon(stack, 'aws-ebs-csi-driver', {
         clusterName: cluster.clusterName,
         addonName: 'aws-ebs-csi-driver',

lib/Easy_EKS.ts

@@ -70,7 +70,8 @@ export class Easy_EKS{ //purposefully don't extend stack, to implement builder p
     deploy_eks_construct_into_this_objects_stack(){
         ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
         //Logic to define baseline Managed Node Group
-        this.config.baselineNodeRole = initialize_baselineNodeRole(this.stack);
+        this.config.workerNodeRole = initialize_WorkerNodeRole(this.stack);
+        //^-- Both have the same IAM rights, but 2 objects were needed to avoid a cdk destroy error
         const baseline_LT_Spec = initalize_baseline_LT_Spec(this.stack, this.config);
         const baseline_MNG: eks.NodegroupOptions = {
             subnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
@@ -80,7 +81,7 @@ export class Easy_EKS{ //purposefully don't extend stack, to implement builder p
             desiredSize: this.config.baselineNodesNumber,
             minSize: 0,
             maxSize: 50,
-            nodeRole: this.config.baselineNodeRole,
+            nodeRole: this.config.workerNodeRole,
             launchTemplateSpec: baseline_LT_Spec, //<-- necessary to add tags to EC2 instances
         };
         ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -206,7 +207,7 @@ export class Easy_EKS{ //purposefully don't extend stack, to implement builder p
 
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-function initialize_baselineNodeRole(stack: cdk.Stack){
+function initialize_WorkerNodeRole(stack: cdk.Stack){
   const ipv6_support_iam_policy = new iam.PolicyDocument({
       statements: [
           new iam.PolicyStatement({
@@ -219,7 +220,7 @@ function initialize_baselineNodeRole(stack: cdk.Stack){
           }),
       ],
   });
-  const EKS_Node_Role = new iam.Role(stack, `EKS_Node_Role`, {
+  const EKS_Worker_Node_Role = new iam.Role(stack, 'EKS_Worker_Node_Role', {
       //roleName: //cdk isn't great about cleaning up resources, so leting it generate name is more reliable
       assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
       managedPolicies: [
@@ -234,7 +235,8 @@ function initialize_baselineNodeRole(stack: cdk.Stack){
           ipv6_support_iam_policy,
       },
   });
-  return EKS_Node_Role
+  EKS_Worker_Node_Role.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN); //Workaround to avoid cdk destroy bug
+  return EKS_Worker_Node_Role
 }
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 

lib/Easy_EKS_Config_Data.ts

@@ -25,7 +25,7 @@ export class Easy_EKS_Config_Data { //This object just holds config data.
     kmsKeyAlias: string; //kms key with this alias will be created or reused if pre-existing
     baselineNodesNumber: number;
     baselineNodesType: eks.CapacityType; //enum eks.CapacityType.SPOT or eks.CapacityType.ON_DEMAND
-    baselineNodeRole: iam.Role; //used by baselineMNG & Karpenter
+    workerNodeRole: iam.Role; //used by baselineMNG & Karpenter
     constructor(id_for_stack_and_eks: string){
         this.id = id_for_stack_and_eks; /*
         Constructor with minimal args is on purpose for desired UX of "builder pattern".

lib/Karpenter_Manifests.ts

@@ -1,6 +1,14 @@
 import { Easy_EKS_Config_Data } from './Easy_EKS_Config_Data';
 import * as cdk from 'aws-cdk-lib';
 import * as eks from 'aws-cdk-lib/aws-eks';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { IConstruct } from 'constructs';
+import { Karpenter } from 'cdk-eks-karpenter' //npm install cdk-eks-karpenter 
+
+export interface Karpenter_Helm_Config {
+    helm_chart_version: string,
+    helm_chart_values?: Record<string, any> | undefined,
+}
 
 export interface Karpenter_Manifest_Loop_Inputs {
     arch: string,
@@ -9,6 +17,8 @@ export interface Karpenter_Manifest_Loop_Inputs {
     nodepools_cpu_limit: number,
 }
 
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
 export class Karpenter_YAML_Generator{
 
     config: Easy_EKS_Config_Data;
@@ -54,7 +64,7 @@ export class Karpenter_YAML_Generator{
                 },
                 "spec": {
                     "amiFamily": "Bottlerocket",
-                    "role": `${config.baselineNodeRole.roleName}`,
+                    "role": `${config.workerNodeRole.roleName}`,
                     "subnetSelectorTerms": subnetSelectorTerms,
                     "securityGroupSelectorTerms": [ { "tags": { "aws:eks:cluster-name": `${cluster.clusterName}` } } ],
                     "tags": {//ARM64-bottlerocket-spot
@@ -132,9 +142,83 @@ export class Karpenter_YAML_Generator{
             array_of_yaml_manifests_to_return.push(karpenter_bottlerocket_NodePool);
         }//end for
 
-
-
         return array_of_yaml_manifests_to_return;
     } //end generate_manifests
 
 } //end class Karepnter_Manifests
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+export function Apply_Karpenter_YAMLs_with_fixes(stack: cdk.Stack, cluster: eks.Cluster, config: Easy_EKS_Config_Data,
+                                                karpenter_helm_config: Karpenter_Helm_Config, 
+                                                karpenter_YAMLs: {[key: string]: any;}[],
+                                                readiness_dependency: IConstruct){
+
+    //v-- Creates a ton of prerequisites and a release/instance of karpenter helm chart
+    const karpenter = new Karpenter(stack, 'Karpenter', {
+        cluster: cluster,
+        namespace: 'kube-system',
+        version: karpenter_helm_config.helm_chart_version,
+        nodeRole: config.workerNodeRole,
+        helmExtraValues: karpenter_helm_config.helm_chart_values,
+    });
+    //v-- The following 2 lines update cdk's order of operations to wait to deploy karpenter, until cluster is ready
+    karpenter.node.addDependency(readiness_dependency); //Expected value of awsLoadBalancerController Helm Release
+    karpenter.node.addDependency(cluster.awsAuth);
+    //v-- Patch fix for https://github.com/aws-samples/cdk-eks-karpenter/issues/231
+    Patch_Karpenters_IAM_Role(stack, config);
+    //v-- The following 2 lines help prevent cdk destroy issue
+    const karpenter_helm_chart_CFR = (stack.node.tryFindChild(config.id)?.node.tryFindChild('chart-karpenter')?.node.defaultChild as cdk.CfnResource);
+    if(karpenter_helm_chart_CFR){ karpenter_helm_chart_CFR.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN); }
+
+    //v-- kubectl apply -f karpenter_YAMLs
+    const apply_karpenter_YAML = new eks.KubernetesManifest(stack, 'karpenter_YAMLs',
+        {
+            cluster: cluster,
+            manifest: karpenter_YAMLs,
+            overwrite: true,
+            prune: true,   
+        }
+    );
+    //v-- Inform cdk of order of operations
+    apply_karpenter_YAML.node.addDependency(karpenter);
+    //v-- The following 2 lines prevent cdk destroy issue
+    const apply_karpenter_YAML_CFR = (apply_karpenter_YAML.node.defaultChild as cdk.CfnResource);
+    if(apply_karpenter_YAML_CFR){ apply_karpenter_YAML_CFR.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN); }
+
+} //end function Apply_Karpenter_YAMLs_with_fixes
+
+function Patch_Karpenters_IAM_Role(stack: cdk.Stack, config: Easy_EKS_Config_Data){
+    //Patch fix for https://github.com/aws-samples/cdk-eks-karpenter/issues/231
+    let karpenter_controller_pods_role = stack.node.tryFindChild(config.id)?.node.tryFindChild('karpenter')?.node.tryFindChild('Role') as iam.Role;
+    const karpenter_IAM_Policy_JSON = {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Sid": "AllowInstanceProfileActions",
+            "Effect": "Allow",
+            "Resource": `arn:aws:iam::${process.env.CDK_DEFAULT_ACCOUNT!}:instance-profile/*`,
+            "Action": [
+              "iam:GetInstanceProfile",
+              "iam:AddRoleToInstanceProfile",
+              "iam:RemoveRoleFromInstanceProfile",
+              ],
+          },
+          { //v-- This isn't a hard requirement, but enables faster convergence
+            //    without it karpenter logs temporarily mention an IAM rights failure, that fixes itself within 11 mins.
+            "Sid": "LessRestrictivePassRoleForFasterConvergence",
+            "Effect": "Allow",
+            "Resource": `arn:aws:iam::${process.env.CDK_DEFAULT_ACCOUNT!}:role/*`,
+            "Action": [
+              "iam:PassRole",
+              ],
+          },
+        ]
+      };
+    const karpenter_IAM_Policy = new iam.Policy(stack, `karpenter_controller_pod_IAM_policy_for_EKS`, {
+        document: iam.PolicyDocument.fromJson( karpenter_IAM_Policy_JSON ),
+    });
+    karpenter_controller_pods_role.attachInlinePolicy(karpenter_IAM_Policy);
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

package-lock.json

@@ -21,7 +21,7 @@
   "dependencies": {
     "@aws-cdk/lambda-layer-kubectl-v31": "^2.0.3",
     "aws-cdk": "^2.1010.0",
-    "cdk-eks-karpenter": "^1.0.13",
+    "cdk-eks-karpenter": "^1.0.16",
     "cdk-fck-nat": "^1.5.6",
     "constructs": "^10.0.0",
     "i": "^0.3.7",