temporary fix for missing permissions (#373)

pxaws · web-flow · commit 217cda8f0920 · 2025-02-14T18:01:33.000-08:00
*Issue description:* *Description of changes:* Temporarily add the missing permissions to cloudwatch agent. The permission will be added in the next release of cloudwatch agent operator. *Rollback procedure:* <Can we safely revert this commit if needed? If not, detail what must be done to safely revert and why it is needed.> *Ensure you've run the following tests on your changes and include the link below:* To do so, create a `test.yml` file with `name: Test` and workflow description to test your changes, then remove the file for your PR. Link your test run in your PR description. This process is a short term solution while we work on creating a staging environment for testing. NOTE: TESTS RUNNING ON A SINGLE EKS CLUSTER CANNOT BE RUN IN PARALLEL. See the [needs](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds) keyword to run tests in succession. - Run Java EKS on `e2e-playground` in us-east-1 and eu-central-2 - Run Python EKS on `e2e-playground` in us-east-1 and eu-central-2 - Run metric limiter on EKS cluster `e2e-playground` in us-east-1 and eu-central-2 - Run EC2 tests in all regions - Run K8s on a separate K8s cluster (check IAD test account for master node endpoints; these will change as we create and destroy clusters for OS patching) By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/terraform/dotnet/k8s/deploy/main.tf b/terraform/dotnet/k8s/deploy/main.tf
@@ -83,6 +83,9 @@ resource "null_resource" "deploy" {
         sleep 10
         kubectl wait --for=condition=Ready pod --all -n amazon-cloudwatch
       elif [ "${var.repository}" = "amazon-cloudwatch-agent" ]; then
+        # tempory fix for missing permissions that will be added by next release of cloudwatch agent operator
+        kubectl patch clusterrole cloudwatch-agent-role --type=json \
+        -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["list", "watch", "get"]}}]'
         kubectl patch amazoncloudwatchagents -n amazon-cloudwatch cloudwatch-agent --type='json' -p='[{"op": "replace", "path": "/spec/image", "value": ${var.patch_image_arn}}]'
         kubectl delete pods --all -n amazon-cloudwatch
         sleep 10
diff --git a/terraform/java/k8s/deploy/main.tf b/terraform/java/k8s/deploy/main.tf
@@ -84,6 +84,9 @@ resource "null_resource" "deploy" {
         sleep 10
         kubectl wait --for=condition=Ready pod --all -n amazon-cloudwatch
       elif [ "${var.repository}" = "amazon-cloudwatch-agent" ]; then
+        # tempory fix for missing permissions that will be added by next release of cloudwatch agent operator
+        kubectl patch clusterrole cloudwatch-agent-role --type=json \
+        -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["list", "watch", "get"]}}]'
         kubectl patch amazoncloudwatchagents -n amazon-cloudwatch cloudwatch-agent --type='json' -p='[{"op": "replace", "path": "/spec/image", "value": ${var.patch_image_arn}}]'
         kubectl delete pods --all -n amazon-cloudwatch
         sleep 10
diff --git a/terraform/node/k8s/deploy/main.tf b/terraform/node/k8s/deploy/main.tf
@@ -86,6 +86,9 @@ resource "null_resource" "deploy" {
         sleep 10
         kubectl wait --for=condition=Ready pod --all -n amazon-cloudwatch
       elif [ "${var.repository}" = "amazon-cloudwatch-agent" ]; then
+        # tempory fix for missing permissions that will be added by next release of cloudwatch agent operator
+        kubectl patch clusterrole cloudwatch-agent-role --type=json \
+        -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["list", "watch", "get"]}}]'
         kubectl patch amazoncloudwatchagents -n amazon-cloudwatch cloudwatch-agent --type='json' -p='[{"op": "replace", "path": "/spec/image", "value": ${var.patch_image_arn}}]'
         kubectl delete pods --all -n amazon-cloudwatch
         sleep 10
diff --git a/terraform/python/k8s/deploy/main.tf b/terraform/python/k8s/deploy/main.tf
@@ -85,6 +85,9 @@ resource "null_resource" "deploy" {
         sleep 10
         kubectl wait --for=condition=Ready pod --all -n amazon-cloudwatch
       elif [ "${var.repository}" = "amazon-cloudwatch-agent" ]; then
+        # tempory fix for missing permissions that will be added by next release of cloudwatch agent operator
+        kubectl patch clusterrole cloudwatch-agent-role --type=json \
+        -p='[{"op": "add", "path": "/rules/-", "value": {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["list", "watch", "get"]}}]'
         kubectl patch amazoncloudwatchagents -n amazon-cloudwatch cloudwatch-agent --type='json' -p='[{"op": "replace", "path": "/spec/image", "value": ${var.patch_image_arn}}]'
         kubectl delete pods --all -n amazon-cloudwatch
         sleep 10
