(eks): Warnings about insecure kubeconfig file when running helm #14560

Closed
iliapolo opened this issue May 6, 2021 · 6 comments · Fixed by #16063
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@iliapolo
Contributor

iliapolo commented May 6, 2021

When installing helm charts, we started seeing these warnings pop up in the lambda handler log:

```
[INFO]	2021-05-05T10:25:13.417Z	a5811ffd-8493-4ea7-b3ed-eaabebc456e6	b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig
```

There doesn't seem to be any apparent disruption caused by this, but it probably still requires some investigation.

Reproduction Steps

Install any helm chart and inspect the lambda handler logs.

What did you expect to happen?

No warnings.

What actually happened?

Warnings about an insecure kubeconfig file.

Environment

  • CDK CLI Version: ALL
  • Framework Version: 1.102.0
  • Node.js Version: ALL
  • OS: ALL
  • Language (Version): ALL

Other

Originally reported in #14416


This is 🐛 Bug Report

@iliapolo iliapolo added bug This issue is a bug. p2 effort/medium Medium work item – several days of effort labels May 6, 2021
@iliapolo
Contributor Author

iliapolo commented May 6, 2021

I am unassigning and marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to reevaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label May 6, 2021
@iliapolo iliapolo removed their assignment May 6, 2021
@markussiebert
Contributor

This makes debugging of helm failures more complicated, because this error is also returned by CloudFormation (you have to know that this is not the error causing the failure of the resource update/creation, but the format is not good in the CloudFormation web console).
Shouldn't a `chmod og-r kubeconfig` fix everything?

@iliapolo
Contributor Author

@Markus7811

> Shouldn't a `chmod og-r kubeconfig` fix everything?

Probably. You want to take a stab at it? If it is that simple we should probably be able to merge it quickly.

@mrsiejas
Contributor

mrsiejas commented Aug 11, 2021

I really think this should be looked into. Post EKS update 1.19 to 1.20 seeing this regularly and it is causing helm charts to fail.
I believe it was the reason for my Helm chart to fail after bumping EKS to 1.20

```
[0%] start: Publishing 43079f879513e0d85eeb42ddfe71e5ead66edf1ee02c33bb165d7c2f926030c4:current
[50%] success: Published 43079f879513e0d85eeb42ddfe71e5ead66edf1ee02c33bb165d7c2f926030c4:current
[50%] start: Publishing 8b2396257db75f5c068dfee5c236fd4848b84b56787007694f8a0cd72a8e6485:current
[100%] success: Published 8b2396257db75f5c068dfee5c236fd4848b84b56787007694f8a0cd72a8e6485:current
sandbox-k8s-kube-system: creating CloudFormation changeset...
[█████████████▋············································] (9/38)
2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default
Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an
other operation (install/upgrade/rollback) is in progress\n'
Logs: /aws/lambda/sandbox-eks-cluster-awscdkawseksKu-Handler886CB40B-1V85KA7BA9OY7
[█████████████▋············································] (9/38)
2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default
Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an
other operation (install/upgrade/rollback) is in progress\n'
Logs: /aws/lambda/sandbox-eks-cluster-awscdkawseksKu-Handler886CB40B-1V85KA7BA9OY7
[███████▋··················································] (5/38)
2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default
Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an
other operation (install/upgrade/rollback) is in progress\n'
Logs: /aws/lambda/sandbox-eks-cluster-awscdkawseksKu-Handler886CB40B-1V85KA7BA9OY7
[█████████▏················································] (6/38)
2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default
Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an
other operation (install/upgrade/rollback) is in progress\n'
Logs: /aws/lambda/sandbox-eks-cluster-awscdkawseksKu-Handler886CB40B-1V85KA7BA9OY7
2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController680308DF
Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an
other operation (install/upgrade/rollback) is in progress\n'
Logs: /aws/lambda/sandbox-eks-cluster-awscdkawseksKu-Handler886CB40B-1V85KA7BA9OY7
at invokeUserFunction (/var/task/framework.js:95:19)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async onEvent (/var/task/framework.js:19:27)
at async Runtime.handler (/var/task/cfn-response.js:48:13) (RequestId: d4017144-ae9c-4cb4-a879-38eb2c9c73e5)
new CustomResource (/tmp/jsii-kernel-3Swpl2/node_modules/@aws-cdk/core/lib/custom-resource.js:30:25)
 \_ new HelmChart (/tmp/jsii-kernel-3Swpl2/node_modules/@aws-cdk/aws-eks/lib/helm-chart.js:35:9)
 \_ obj._wrapSandboxCode (/tmp/tmpk8zx_eps/lib/program.js:8154:58)
 \_ Kernel._wrapSandboxCode (/tmp/tmpk8zx_eps/lib/program.js:8582:24)
 \_ Kernel._create (/tmp/tmpk8zx_eps/lib/program.js:8154:34)
 \_ Kernel.create (/tmp/tmpk8zx_eps/lib/program.js:7895:29)
 \_ KernelHost.processRequest (/tmp/tmpk8zx_eps/lib/program.js:9479:36)
 \_ KernelHost.run (/tmp/tmpk8zx_eps/lib/program.js:9442:22)
 \_ Immediate.setImmediate [as _onImmediate] (/tmp/tmpk8zx_eps/lib/program.js:9443:46)
 \_ runCallback (timers.js:705:18)
 \_ tryOnImmediate (timers.js:676:5)
 \_ processImmediate (timers.js:658:5)


❌ sandbox-k8s-kube-system failed: Error: The stack named sandbox-k8s-kube-system failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
The stack named sandbox-k8s-kube-system failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
```

@iliapolo
Contributor Author

@mrgrain What makes you say this is the reason for failure? Looks like this is the exact same phenomenon we discussed here and came to the conclusion the error is actually unrelated to the (granted confusing) warning.

cc @otaviomacedo

@mergify mergify bot closed this as completed in #16063 Aug 20, 2021
mergify bot pushed a commit that referenced this issue Aug 20, 2021
KubectlHandler started to return insecure kubeconfig file warning starting Kubernetes 1.20
```
2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default
Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an
other operation (install/upgrade/rollback) is in progress\n'
```

Fix changes permissions of the file to read and write for the User and removes permissions for Group and Others. 


Fixes #14560

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
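
The permission change described in the commit message above, sketched as an added example (it is not the code from #16063 or from the CDK handler): it detects the two conditions the warning names and restricts the file to owner read/write. The function names and the temporary file used in `demo()` are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def kubeconfig_findings(path):
    """Return which of the two warned-about conditions apply to path."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def restrict_existing(path):
    """Same effect as `chmod u=rw,go=`: owner read/write, nothing for group/others."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def write_kubeconfig(path, content):
    """Create the file as 0600 from the start, so it is never readable by others."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        # os.open's mode is ignored when the file already exists, so set it
        # explicitly before any credential material is written.
        os.fchmod(fd, 0o600)
        os.write(fd, content.encode())
    finally:
        os.close(fd)


def demo():
    # Constructed sample: a kubeconfig left at 0644, as a umask of 022 produces.
    path = os.path.join(tempfile.mkdtemp(), "kubeconfig")
    with open(path, "w") as f:
        f.write("apiVersion: v1\nkind: Config\n")
    os.chmod(path, 0o644)
    before = kubeconfig_findings(path)
    restrict_existing(path)
    return before, kubeconfig_findings(path), stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print(demo())
```

Where the handler writes the file itself, `write_kubeconfig` avoids the short window in which a chmod-after-write file is still readable by group and others.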