feat(github-arc): optimize Karpenter config and GitHub ARC runner deployment

- Update Karpenter node access to use EC2_LINUX type for proper system:nodes group membership and kubelet-serving CSR auto-approval
- Reduce Karpenter log level from debug to info for production readiness
- Decrease EC2 node volume size from 100Gi to 50Gi to optimize storage costs
- Refine instance type selection to focus on c5/c5a/c5n/c6a/c6i/c7a/m5/m5a/m6a/m6i 2xlarge and 4xlarge sizes for consistent performance
- Change Karpenter disruption policy from WhenEmptyOrUnderutilized to WhenEmpty and increase consolidation interval from 15s to 30s
- Pin GitHub ARC controller and runner scale set Helm charts to version 0.13.1
- Switch runner container mode to kubernetes-novolume for simplified pod management
- Remove Docker-in-Docker sidecar and init container, reducing resource overhead and complexity
- Set minRunners to 0 for cost optimization with on-demand scaling
- Reduce runner resource requests/limits from 3 CPU/6Gi memory to 1-2 CPU/2-3Gi memory
- Add ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER=false to allow containerless job execution

Author: VardyNg

KaaS/Elastic Kubernetes Service(EKS)/Terraform/github-arc/eks.tf

@@ -27,19 +27,11 @@ module "eks" {
         }
       }
     }
-    # Karpenter access
+    # Karpenter node access - must be EC2_LINUX so nodes join the system:nodes group
+    # and kubelet-serving CSRs get auto-approved (required for logs/exec)
     karpenter = {
-      kubernetes_groups = []
-      principal_arn     = aws_iam_role.karpenter_node_role.arn
-
-      policy_associations = {
-        karpenter = {
-          policy_arn = "arn:${data.aws_partition.current.partition}:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
-          access_scope = {
-            type = "cluster"
-          }
-        }
-      }
+      type          = "EC2_LINUX"
+      principal_arn = aws_iam_role.karpenter_node_role.arn
     }
   }
 

KaaS/Elastic Kubernetes Service(EKS)/Terraform/github-arc/karpenter.tf

@@ -44,7 +44,7 @@ tolerations:
     value: "true"
     effect: "NoSchedule"
 
-logLevel: debug
+logLevel: info
 EOT
 	]
 
@@ -82,7 +82,7 @@ resource "kubectl_manifest" "karpenter_ec2nodeclass_runner" {
 				{
 					deviceName = "/dev/xvda"
 					ebs = {
-						volumeSize = "100Gi"
+						volumeSize = "50Gi"
 						volumeType = "gp3"
 						deleteOnTermination = true
 						encrypted = true
@@ -128,10 +128,14 @@ spec:
         - key: node.kubernetes.io/instance-type
           operator: In
           values: [
-            "c4.large", "c4.xlarge", "c4.2xlarge", "c4.4xlarge",
-            "c5.large", "c5.xlarge", "c5.2xlarge", "c5.4xlarge",
-            "c5a.large", "c5a.xlarge", "c5a.2xlarge", "c5a.4xlarge",
-            "c5n.large", "c5n.xlarge", "c5n.2xlarge", "c5n.4xlarge"
+            "c5.2xlarge", "c5.4xlarge",
+            "c5a.2xlarge", "c5a.4xlarge",
+            "c5n.2xlarge", "c5n.4xlarge",
+            "c6a.2xlarge", "c6a.4xlarge",
+            "c6i.2xlarge", "c6i.4xlarge",
+            "c7a.2xlarge", "c7a.4xlarge",
+            "m5.2xlarge", "m5a.2xlarge",
+            "m6a.2xlarge", "m6i.2xlarge"
           ]
       nodeClassRef:
         group: karpenter.k8s.aws
@@ -141,8 +145,8 @@ spec:
   limits:
     cpu: 1000
   disruption:
-    consolidationPolicy: WhenEmptyOrUnderutilized
-    consolidateAfter: 15s
+    consolidationPolicy: WhenEmpty
+    consolidateAfter: 30s
 EOT
 
 	depends_on = [

KaaS/Elastic Kubernetes Service(EKS)/Terraform/github-arc/runner-scale-set-controller.tf

@@ -2,7 +2,7 @@ resource "helm_release" "arc" {
   name             = "arc"
   namespace        = "arc-systems"
   create_namespace = true
-
+	version 				 = "0.13.1"
   repository = "oci://ghcr.io/actions/actions-runner-controller-charts"
   chart      = "gha-runner-scale-set-controller"
 

KaaS/Elastic Kubernetes Service(EKS)/Terraform/github-arc/runner-scale-set.tf

@@ -23,7 +23,7 @@ resource "kubernetes_secret_v1" "pre_defined" {
 resource "helm_release" "arc_runner_set" {
   name             = "arc-runner-set-eks"
   namespace        = kubernetes_namespace.arc_runners.metadata[0].name
-
+	version 				 = "0.13.1"
   repository = "oci://ghcr.io/actions/actions-runner-controller-charts"
   chart      = "gha-runner-scale-set"
   values     = [
@@ -34,7 +34,10 @@ githubConfigSecret: "${kubernetes_secret_v1.pre_defined.metadata[0].name}"
 
 maxRunners: 20
 
-minRunners: 1
+minRunners: 0
+
+containerMode:
+  type: "kubernetes-novolume"
 
 listenerTemplate:
   spec:
@@ -52,57 +55,20 @@ listenerTemplate:
 
 template:
   spec:
-    initContainers:
-    - name: init-dind-externals
-      image: ghcr.io/actions/actions-runner:latest
-      command: ["cp", "-r", "/home/runner/externals/.", "/home/runner/tmpDir/"]
-      volumeMounts:
-        - name: dind-externals
-          mountPath: /home/runner/tmpDir
     containers:
     - name: runner
       image: ghcr.io/actions/actions-runner:latest
       command: ["/home/runner/run.sh"]
       env:
-        - name: DOCKER_HOST
-          value: unix:///var/run/docker.sock
-      volumeMounts:
-        - name: work
-          mountPath: /home/runner/_work
-        - name: dind-sock
-          mountPath: /var/run
+        - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
+          value: "false"
       resources:
         limits:
-          cpu: 3
-          memory: 6Gi
+          cpu: "2"
+          memory: 3Gi
         requests:
-          cpu: 3
-          memory: 6Gi
-    - name: dind
-      image: docker:dind
-      args:
-        - dockerd
-        - --host=unix:///var/run/docker.sock
-        - --group=$(DOCKER_GROUP_GID)
-      env:
-        - name: DOCKER_GROUP_GID
-          value: "123"
-      securityContext:
-        privileged: true
-      volumeMounts:
-        - name: work
-          mountPath: /home/runner/_work
-        - name: dind-sock
-          mountPath: /var/run
-        - name: dind-externals
-          mountPath: /home/runner/externals
-    volumes:
-    - name: work
-      emptyDir: {}
-    - name: dind-sock
-      emptyDir: {}
-    - name: dind-externals
-      emptyDir: {}
+          cpu: "1"
+          memory: 2Gi
 EOT
   ]