karpenter-provider-aws
Allow modifying and reusing a launch template instead of recreating it each time
Description
What problem are you trying to solve?
We need to create a separate node pool with a public IP address.
When karpenter provisions this, it creates a launch template, runs a fleet, and deletes the launch template.
The creation of this launch template results in triggering the Security Hub issue EC2.25 which, if you have Slack integration set up, will ping the Slack channel each time.
Since the launch template is created and then removed, the Security Hub issue will auto-close; however, the Slack message has already fired, and the finding still needs to auto-close, which takes time.
A better method for this provider would be to
- create a launch template once
- check if it exists
- modify it
- run a fleet
- repeat from step 2 when needed.
This way, we can retain the launch template, and we can allowlist it in Security Hub because it would only have a single finding for the single public node pool.
The workaround now is to navigate to the control in the account and disable the entire control which is far from what we'd like. I double (and triple) checked with AWS support to see if there are alternatives.
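As an added example (not Karpenter's code and not part of the issue), the "create once, check, modify, run fleet" loop proposed above, written against the boto3 EC2 client method names; `ensure_launch_template`, the in-memory `FakeEC2` stand-in, and the `public-pool` template name are illustrative assumptions.

```python
"""Idempotent "create once, then add versions" launch template handling.

Added example, not Karpenter code. Only the first call issues a
CreateLaunchTemplate, so a Security Hub finding on this template is raised
once against a stable name (allowlistable) instead of on every provisioning
loop. FakeEC2 mimics the four boto3 EC2 calls so this runs offline; swap in
boto3.client("ec2") to use it for real.
"""
from dataclasses import dataclass, field


def ensure_launch_template(ec2, name: str, data: dict) -> dict:
    """Create the LT if missing, otherwise publish a new $Default version."""
    # Filtering (rather than LaunchTemplateNames=) returns [] instead of
    # raising NotFoundException when the template does not exist yet.
    found = ec2.describe_launch_templates(
        Filters=[{"Name": "launch-template-name", "Values": [name]}]
    )["LaunchTemplates"]
    if not found:
        lt = ec2.create_launch_template(LaunchTemplateName=name, LaunchTemplateData=data)
        return {"created": True, "version": lt["LaunchTemplate"]["LatestVersionNumber"]}
    v = ec2.create_launch_template_version(
        LaunchTemplateName=name, SourceVersion="$Latest", LaunchTemplateData=data
    )["LaunchTemplateVersion"]["VersionNumber"]
    # Point $Default at the new version so CreateFleet picks it up unchanged.
    ec2.modify_launch_template(LaunchTemplateName=name, DefaultVersion=str(v))
    return {"created": False, "version": v}


@dataclass
class FakeEC2:
    """Minimal in-memory stand-in for the boto3 EC2 calls used above (constructed)."""
    templates: dict = field(default_factory=dict)  # name -> list of version data
    default: dict = field(default_factory=dict)    # name -> $Default version number
    create_calls: int = 0  # how many CreateLaunchTemplate events would have fired

    def describe_launch_templates(self, Filters):
        names = [n for n in Filters[0]["Values"] if n in self.templates]
        return {"LaunchTemplates": [{"LaunchTemplateName": n} for n in names]}

    def create_launch_template(self, LaunchTemplateName, LaunchTemplateData):
        self.create_calls += 1
        self.templates[LaunchTemplateName] = [LaunchTemplateData]
        self.default[LaunchTemplateName] = 1
        return {"LaunchTemplate": {"LaunchTemplateName": LaunchTemplateName,
                                   "LatestVersionNumber": 1}}

    def create_launch_template_version(self, LaunchTemplateName, SourceVersion, LaunchTemplateData):
        self.templates[LaunchTemplateName].append(LaunchTemplateData)
        return {"LaunchTemplateVersion": {"VersionNumber": len(self.templates[LaunchTemplateName])}}

    def modify_launch_template(self, LaunchTemplateName, DefaultVersion):
        self.default[LaunchTemplateName] = int(DefaultVersion)
        return {}
```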
So you can't ignore the message because the launch template that's created is different every time? We create and then delete the launch template after it hasn't been used, because there's no need for us to keep it around. Keeping an existing one around that gets continually modified can have unintended failure modes, and requires different permissions.
I'm wondering if there's any benefit to an existing LT besides the fact that you can filter out the securityhub message? Can you filter out a subset of LT names based on some regex?
Hi @njtran. Thanks for the quick response.
I worked with AWS support and there is no way to filter out launch templates in Security Hub and no way to exclude them in EventBridge.
Another benefit to persisting a launch template is that it's convenient if you want to manually spin up another node pool based on the last one.
Sounds reasonable. Will mark this as accepted, but we still need to figure out what the best way to enable this is.
Thank you very much for considering!