
eksctl utils update-aws-node removes role annotation #2043

Closed
dylanenabled opened this issue Apr 16, 2020 · 2 comments
@dylanenabled

dylanenabled commented Apr 16, 2020

What happened?
I ran eksctl utils update-aws-node on my cluster. After upgrading, aws-node would no longer run due to losing its IAM role annotation in the aws-node serviceaccount, which let it use AmazonEKS_CNI_Policy (as shown here)

I had previously removed the arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy from my nodegroups and added it to an iamserviceaccount as shown here:

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: foo
  region: ap-southeast-2

iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: aws-node
        namespace: kube-system
        labels: {aws-usage: "cluster-ops"}
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy

nodeGroups:
  - name: worker-v3 # updated to k8s 1.15
    instanceType: c5.xlarge
    desiredCapacity: 1
    privateNetworking: true
    volumeSize: 80
    iam:
      attachPolicyARNs:
        # Attach the default EKS worker node policies, except for AmazonEKS_CNI_Policy.
        # This stops all containers from accessing the EC2 networking apis, and limits it to only the aws-node management one.
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        # - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy # DO NOT include AmazonEKS_CNI_Policy. It is insecure. The aws-node service account now includes it. https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-cni-walkthrough.html

cloudWatch:
  clusterLogging:
    enableTypes: ["*"]

What you expected to happen?
eksctl utils update-aws-node should maintain annotations on the serviceaccount if there is an iam: serviceaccount definition for kube-system/aws-node in the config yaml.

How to reproduce it?

  1. Create a cluster with the definition above using aws-node 1.5.5
  2. Run eksctl utils update-aws-node
  3. aws-node will no longer work

Anything else we need to know?
Not really?

Versions
eksctl version 0.17.0

kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.1", GitCommit:"7879fc12a63337efff607952a323df90cdc7a335", GitTreeState:"clean", BuildDate:"2020-04-10T21:53:51Z", GoVersion:"go1.14.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"15+", GitVersion:"v1.15.11-eks-af3caf", GitCommit:"af3caf6136cd355f467083651cc1010a499f59b1", GitTreeState:"clean", BuildDate:"2020-03-27T21:51:36Z", GoVersion:"go1.12.17", Compiler:"gc", Platform:"linux/amd64"}

Logs
N/A
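A post-upgrade check for the regression described in this issue, added here as an example and not code from the issue author or from eksctl: it compares `kubectl get sa aws-node -n kube-system -o json` captured before and after `eksctl utils update-aws-node` and, if the IRSA role annotation was lost, prints the `kubectl annotate` command that restores it. It assumes the annotation key `eks.amazonaws.com/role-arn` (the key eksctl sets for iamserviceaccounts); the two JSON documents and the role ARN are constructed samples.

```python
"""Detect whether eksctl utils update-aws-node dropped the IRSA annotation
from the kube-system/aws-node ServiceAccount, using kubectl JSON output
captured before and after the upgrade."""
import json
from typing import Optional

# Annotation key eksctl sets on a ServiceAccount for IAM roles for service accounts.
ROLE_ANNOTATION = "eks.amazonaws.com/role-arn"

# Constructed sample: the ServiceAccount as created by the iamserviceaccount.
BEFORE = json.dumps({
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {
        "name": "aws-node", "namespace": "kube-system",
        "labels": {"aws-usage": "cluster-ops"},
        "annotations": {ROLE_ANNOTATION:
                        "arn:aws:iam::123456789012:role/EXAMPLE-aws-node-irsa-role"},
    },
})
# Constructed sample: the same object after update-aws-node rewrote it.
AFTER = json.dumps({
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "aws-node", "namespace": "kube-system"},
})


def role_arn(sa_json: str) -> Optional[str]:
    """Return the IRSA role ARN annotated on a ServiceAccount, or None if absent."""
    sa = json.loads(sa_json)
    return sa.get("metadata", {}).get("annotations", {}).get(ROLE_ANNOTATION)


def lost_role(before_json: str, after_json: str) -> Optional[str]:
    """Return the role ARN present before but missing or changed after, else None."""
    before, after = role_arn(before_json), role_arn(after_json)
    return before if before and after != before else None


def restore_command(arn: str) -> str:
    """kubectl command that re-applies the annotation (--overwrite keeps it idempotent)."""
    return (f"kubectl annotate serviceaccount aws-node -n kube-system "
            f"--overwrite {ROLE_ANNOTATION}={arn}")


if __name__ == "__main__":
    lost = lost_role(BEFORE, AFTER)
    if lost:
        print("aws-node lost its IAM role annotation; restore with:")
        print(restore_command(lost))
        raise SystemExit(1)
    print("aws-node role annotation intact")
```

Run it after every `update-aws-node` until the fix lands; a non-zero exit is the signal that aws-node is about to fail for lack of AmazonEKS_CNI_Policy.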

@TBBle
Contributor

TBBle commented Apr 27, 2020

Is this a duplicate of #1645?

@martina-if martina-if added priority/important-soon Ideally to be resolved in time for the next release needs-investigation labels Apr 27, 2020
@dylanenabled
Author

Seems like it is a duplicate.
