[EKS] [request]: Managed Node Groups using role with extra path do not join cluster #926
Labels: EKS Managed Nodes, EKS (Amazon Elastic Kubernetes Service), Proposed (Community submitted issue)
dpiddockcmp pushed a commit to terraform-aws-modules/terraform-aws-eks that referenced this issue May 30, 2020
* fix: Work around path bug in aws-iam-authenticator `aws-iam-authenticator` has an open issue where it will not recognize IAM roles that include paths. This change causes the path supplied to `var.iam_path` to be stripped when generating the `aws-auth` ConfigMap in order to work around this. kubernetes-sigs/aws-iam-authenticator#153 aws/containers-roadmap#926
mikestef9 added EKS (Amazon Elastic Kubernetes Service), EKS Managed Nodes labels Jun 11, 2020
This behavior is documented here:
It would be good if the aws-auth inserts generated by AWS when using Managed Node Groups followed their own documentation 😆
@mikestef9 Any updates on this? It's been almost two years and this is still an issue.
baibailiha added a commit to baibailiha/terraform-aws-eks that referenced this issue Sep 13, 2022
* fix: Work around path bug in aws-iam-authenticator `aws-iam-authenticator` has an open issue where it will not recognize IAM roles that include paths. This change causes the path supplied to `var.iam_path` to be stripped when generating the `aws-auth` ConfigMap in order to work around this. kubernetes-sigs/aws-iam-authenticator#153 aws/containers-roadmap#926
Anyone using CDK that ends up here, I did this as a "workaround": #573 (comment)
Addressed with #185
Community Note
Tell us about your request
Bug report - Managed Node Group nodes are unable to join a cluster when using an IAM role with extra path.
Which service(s) is this request for?
EKS, Managed Node Groups
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
The MNG service adds a section to aws-auth's mapRoles with the full ARN for the role. But when joining the cluster aws-iam-authenticator does not receive the full ARN as `GetCallerIdentity` lacks the extra path element.
Adding a section to the ConfigMap with the "correct" ARN before creating the MNG results in a duplicate block. Also nicely demonstrates the two cases:
Are you currently working around this issue?
`aws-auth` ConfigMap must be edited to "correct" the IAM role ARN
Additional context
Related to:
Attachments
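The mismatch described in this issue, as an added example (not code from the issue, from EKS, or from aws-iam-authenticator): it derives the role ARN that can be recovered from a `GetCallerIdentity` assumed-role ARN and audits `mapRoles` entries whose ARN carries a path and therefore cannot match it. The account ID, role names, path and instance ID are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample values: account ID, role names, path and instance ID are placeholders.
MAP_ROLES = [
    "arn:aws:iam::111122223333:role/extra/path/example-node-role",  # full ARN with path
    "arn:aws:iam::111122223333:role/example-admin-role",            # no path
]
# Shape of the ARN GetCallerIdentity returns for a role session: role name only, no path.
CALLER_ARN = "arn:aws:sts::111122223333:assumed-role/example-node-role/i-0123456789abcdef0"

ROLE_RE = re.compile(r"^arn:(aws[\w-]*):iam::(\d{12}):role/(?:.+/)?([^/]+)$")
ASSUMED_RE = re.compile(r"^arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def strip_role_path(role_arn):
    """Return the IAM role ARN with any path removed, keeping only the role name."""
    m = ROLE_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return "arn:{}:iam::{}:role/{}".format(*m.groups())


def role_arn_from_caller_identity(sts_arn):
    """Map an STS assumed-role ARN to the path-less IAM role ARN it identifies."""
    m = ASSUMED_RE.match(sts_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {sts_arn}")
    return "arn:{}:iam::{}:role/{}".format(*m.groups())


def audit_map_roles(role_arns):
    """Return {arn_as_written: path_less_arn} for entries that include a path."""
    return {a: strip_role_path(a) for a in role_arns if strip_role_path(a) != a}


if __name__ == "__main__":
    seen = role_arn_from_caller_identity(CALLER_ARN)
    for written in MAP_ROLES:
        status = "matches" if written == seen else "no match"
        print(f"{status:8} {written}")
    for written, fixed in audit_map_roles(MAP_ROLES).items():
        print(f"rewrite  {written} -> {fixed}")
```
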