Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[EKS] [Fargate] [request]: fargate daemon set support #971

Open
runningman84 opened this issue Jul 6, 2020 · 5 comments
Open

[EKS] [Fargate] [request]: fargate daemon set support #971

runningman84 opened this issue Jul 6, 2020 · 5 comments
Labels
EKS Amazon Elastic Kubernetes Service Fargate AWS Fargate Proposed Community submitted issue

Comments

@runningman84
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Allow us to run daemon sets like kube2iam, fluentbit and others in a fargate env.

What do you want us to build?
Improve the scheduler to allow running whitelisted daemon sets on fargate nodes.

Which service(s) is this request for?
Fargate, EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Right it is very difficult to run fargate as a replacement for ec2 nodes because you do not have exporter logs, iam integration and so on...

Are you currently working around this issue?
Use fargate only for non ciritical tasks which do not need iam, logs or anything else...
@runningman84 runningman84 added the Proposed Community submitted issue label Jul 6, 2020
@mikestef9 mikestef9 added EKS Amazon Elastic Kubernetes Service Fargate AWS Fargate labels Jul 6, 2020
@mikestef9
Copy link
Contributor

Hey @runningman84,

You can track #701 for a logging solution for EKS/Fargate.

Can you explain more on the IAM integration point and why you are using kube2iam? IAM roles for service accounts works today with EKS/Fargate.

@runningman84
Copy link
Author

Yes IAM stuff can be solved using the native integration. But there is still software which runs an old sdk.

I think there should be a general solution for daemon sets in fargate.

@dalgibbard
Copy link

FWIW; we would like daemon-sets in EKS Fargate for two main reasons:

  • Parity between mixed workloads on EC2 + Fargate (daemonsets that can perform the same actions irrelevant of underlying node type, for consistancy/compliance)
  • To offer k8s as a 'platform as a service' to our internal users: specifically, allowing them to deploy whatever they need/want, without needing to worry about things like datadog sidecars (just for example) in their configurations.

This has the potential added advantage that the Datadog Daemonset in particular supports log exporting too (as well as container metrics and events etc), so removes our current blocker of log centralisation for compliance as an extra benefit.

We looked at https://github.com/tumblr/k8s-sidecar-injector for example to auto-inject sidecars, but really, this is exactly the purpose of a daemonset for our use case, and sidecars have limited scope compared to daemonsets.

@SaloniSonpal SaloniSonpal changed the title [EKS] [request]: fargate daemon set support [EKS] [Fargate] [request]: fargate daemon set support Aug 6, 2020
@omieomye omieomye mentioned this issue Mar 30, 2022
Closed
@mziyabo
Copy link

mziyabo commented Apr 27, 2023

Similar to @dalgibbard I ended up writing a mutating webhook that injects sidecars on fargate specifically - https://github.com/mziyabo/fargate-eks-sidecar-injector.
Could give someone else an idea on how to tackle this while we wait.

@t0mbombadil
Copy link

t0mbombadil commented Jul 19, 2024
edited
Loading

Lack of this ability actually cripples AWS GuardDuty EKS Runtime Monitoring

When this feature is enabled and you are using Fargate, GuardDuty shows that your EKS
clusters are covered by Runtime Monitoring and healthy and even it deploys automatically guardduty-agent daemonset
to your EKS clusters, but if you inspect it closely you will see that it's not doing anything on Fargate nodes.

So basically it's even worse if GuardDuty would say to you that your EKS clusters are not covered in RuntimeMonitoring, because it gives you false belief that they are

kubectl get daemonset aws-guardduty-agent  -n amazon-guardduty -o yaml  
...
 spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
                - arm64
              - key: eks.amazonaws.com/compute-type
                operator: NotIn
                values:
                - fargate
...

Also beside GuardDuty runtime monitoring, it also stops us from using 3rd party tools to achieve this same, that run as a daemonset, for example - https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-standalone.html

@t0mbombadil t0mbombadil mentioned this issue Jul 22, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
EKS Amazon Elastic Kubernetes Service Fargate AWS Fargate Proposed Community submitted issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dalgibbard @runningman84 @mikestef9 @mziyabo @t0mbombadil