aws-eks: Cannot update cluster endpoint access #21439
Assignees
Labels
@aws-cdk/aws-eks
Related to Amazon Elastic Kubernetes Service
bug
This issue is a bug.
effort/medium
Medium work item – several days of effort
p2
Comments
resnikb
added
bug
github-actions
bot
added
the
@aws-cdk/aws-eks
|
we're getting this too now. v2.33 |
|
One way we've worked around it was to turn off logging on the first run, switch-over endpoint access and then turn on logging. Not ideal since it doesn't resolve the root issue because we're doing three deploys instead of one. |
pahud
added
the
investigating
|
I can reproduce this issue in cdk v2.50.0 and I'm assigning this to myself as p2. I'll look into it for the root cause and investigate if there's anything we can do to fix it. |
pahud
added
p2
effort/medium
|
I think we probably should fix here. aws-cdk/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts Lines 139 to 154 in 5b3d06d According to the lambda logs: {
"updates": {
"replaceName": false,
"replaceVpc": false,
"updateAccess": true,
"replaceRole": false,
"updateVersion": false,
"updateEncryption": false,
"updateLogging": false
}
}We actually need to |
4 tasks
|
Just created a PR draft for a quick fix #22957 I can successfully update the stack by simply updating the endpoint access like new eks.Cluster(this, 'Cluster', {
vpc,
endpointAccess: eks.EndpointAccess.PRIVATE,
version: eks.KubernetesVersion.V1_23,
clusterLogging: [
eks.ClusterLoggingTypes.API,
eks.ClusterLoggingTypes.AUDIT,
eks.ClusterLoggingTypes.AUTHENTICATOR,
eks.ClusterLoggingTypes.CONTROLLER_MANAGER,
eks.ClusterLoggingTypes.SCHEDULER,
],
});Will look into previous commits to see if I miss anything. |
pahud
removed
the
investigating
|
We're seeing a similar problem when mutating the list of Example:
# assume clusterLogging also enabled here
allowAccessFrom:
- 2.4.6.0/24
# assume clusterLogging is still the same as before, no delta
allowAccessFrom:
- 2.4.6.0/24
- 1.2.3.4/32
- 3.3.3.3/32
This was tested using cdk 2.50. |
mergify bot
pushed a commit
that referenced
this issue
Dec 20, 2022
…#22957) This PR addresses the following known issues: 1. When updating the cluster endpoint access type only with logging predefined yet unchanged, the cluster-resource-handler updates both the logging and access, which is not allowed and throws the SDK error. This PR fixed this and will update access type only, which is allowed. 2. When updating the cluster endpoint public cidr with exactly the same size of cidr, the `setsEqual` function should return correctly. 3. When updating the cluster endpoint public access from one cidr to multiple cidr with logging predefined yet unchanged, the update should return correctly. 4. Updating both access and logging now throws an error from CDK custom resource. This PR is just a temporary fix that does not implement multiple operations in the cluster-resource-handler custom resource provider(i.e. update both logging and access). Fixes: #21439 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
brennanho
pushed a commit
to brennanho/aws-cdk
that referenced
this issue
Jan 20, 2023
…aws#22957) This PR addresses the following known issues: 1. When updating the cluster endpoint access type only with logging predefined yet unchanged, the cluster-resource-handler updates both the logging and access, which is not allowed and throws the SDK error. This PR fixed this and will update access type only, which is allowed. 2. When updating the cluster endpoint public cidr with exactly the same size of cidr, the `setsEqual` function should return correctly. 3. When updating the cluster endpoint public access from one cidr to multiple cidr with logging predefined yet unchanged, the update should return correctly. 4. Updating both access and logging now throws an error from CDK custom resource. This PR is just a temporary fix that does not implement multiple operations in the cluster-resource-handler custom resource provider(i.e. update both logging and access). Fixes: aws#21439 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
brennanho
pushed a commit
to brennanho/aws-cdk
that referenced
this issue
Feb 22, 2023
…aws#22957) This PR addresses the following known issues: 1. When updating the cluster endpoint access type only with logging predefined yet unchanged, the cluster-resource-handler updates both the logging and access, which is not allowed and throws the SDK error. This PR fixed this and will update access type only, which is allowed. 2. When updating the cluster endpoint public cidr with exactly the same size of cidr, the `setsEqual` function should return correctly. 3. When updating the cluster endpoint public access from one cidr to multiple cidr with logging predefined yet unchanged, the update should return correctly. 4. Updating both access and logging now throws an error from CDK custom resource. This PR is just a temporary fix that does not implement multiple operations in the cluster-resource-handler custom resource provider(i.e. update both logging and access). Fixes: aws#21439 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Changing endpoint access for an existing EKS cluster fails.
I have an existing EKS cluster with
If I change that to
CloudFormation update fails with error:
Expected Behavior
The update should succeed, and change the endpoint access to
PRIVATE.Current Behavior
Cluster update fails with:
Reproduction Steps
Create a new cluster with logging enabled:
Change endpoint access to
EndpointAccess.PRIVATEand redeployPossible Solution
The cluster handler lambda specifies logging configuration even when only endpoint access needs to be updated. If logging configuration doesn't need updating, it should not be specified in the call to
updateClusterConfig.Additional Information/Context
CloudWatch logs for lambda execution:
CDK CLI Version
2.35.0 (build 5c23578)
Framework Version
No response
Node.js Version
v16.16.0
OS
Linux
Language
Typescript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: