-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(eks): Warnings about insecure kubeconfig
file when running helm
#14560
Comments
I am unassigning and marking this issue as We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization. |
This makes debugging of helm failures more complicated, because this error is also returned by cloudformation (you have to know that this is not the error causing the fail of resource update/creation, but format is not good in cf webconsole). |
Probably. You want to take a stab at it? If it is that simple we should probably be able to merge it quickly. |
I really think this should be looked into. Post EKS update 1.19 to 1.20 seeing this regularly and it is causing helm charts to fail.
|
KubectlHandler started to return insecure kubeconfig file warning starting Kubernetes 1.20 ``` 2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an other operation (install/upgrade/rollback) is in progress\n' ``` Fix changes permissions of the file to read and write for the User and removes permissions for Group and Others. Fixes #14560 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
KubectlHandler started to return insecure kubeconfig file warning starting Kubernetes 1.20 ``` 2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an other operation (install/upgrade/rollback) is in progress\n' ``` Fix changes permissions of the file to read and write for the User and removes permissions for Group and Others. Fixes aws#14560 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
KubectlHandler started to return insecure kubeconfig file warning starting Kubernetes 1.20 ``` 2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an other operation (install/upgrade/rollback) is in progress\n' ``` Fix changes permissions of the file to read and write for the User and removes permissions for Group and Others. Fixes aws#14560 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
KubectlHandler started to return insecure kubeconfig file warning starting Kubernetes 1.20 ``` 2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an other operation (install/upgrade/rollback) is in progress\n' ``` Fix changes permissions of the file to read and write for the User and removes permissions for Group and Others. Fixes aws#14560 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
KubectlHandler started to return insecure kubeconfig file warning starting Kubernetes 1.20 ``` 2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an other operation (install/upgrade/rollback) is in progress\n' ``` Fix changes permissions of the file to read and write for the User and removes permissions for Group and Others. Fixes aws#14560 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When installing helm charts, we started seeing these warning pop up in the lambda handler log:
[INFO] 2021-05-05T10:25:13.417Z a5811ffd-8493-4ea7-b3ed-eaabebc456e6 b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig
There doesn't seem to be any apparent disruption caused by this, but it probably still requires some investigation.
Reproduction Steps
Install any helm chart and inspect the lambda handler logs.
What did you expect to happen?
No warnings.
What actually happened?
Warnings about an insecure
kubeconfig
file.Environment
Other
Originally reported in #14416
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: