
[EKS] [request]: Managed Node Groups using role with extra path do not join cluster #926

Closed
dpiddockcmp opened this issue May 30, 2020 · 5 comments
Labels
EKS Managed Nodes, EKS (Amazon Elastic Kubernetes Service), Proposed (Community submitted issue)

Comments

@dpiddockcmp

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Bug report - Managed Node Group nodes are unable to join a cluster when using an IAM role with extra path.

Which service(s) is this request for?
EKS, Managed Node Groups

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard
The MNG service adds a section to aws-auth's mapRoles with the full ARN for the role. But when joining the cluster aws-iam-authenticator does not receive the full ARN as GetCallerIdentity lacks the extra path element.

Adding a section to the ConfigMap with the "correct" ARN before creating the MNG results in a duplicate block. This also nicely demonstrates the two cases:

  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::111111111111:role/test-eks
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::111111111111:role/extra/test-eks
      username: system:node:{{EC2PrivateDNSName}}

Are you currently working around this issue?
aws-auth ConfigMap must be edited to "correct" the IAM role ARN

Additional context
Related to:

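A small checker written for this thread (not code from the issue, the EKS service, or the terraform-aws-eks module) that applies the point made above: since the identity returned by GetCallerIdentity lacks the path element, aws-iam-authenticator can only ever match the path-less `arn:aws:iam::<account>:role/<RoleName>` form, so any `mapRoles` entry whose `rolearn` carries a path will never match a joining node. The sample `mapRoles` list is constructed inline to mirror the duplicate block shown in the report; `canonical_role_arn` strips the path the same way the linked module commit does for `var.iam_path`.

```python
"""Flag aws-auth mapRoles entries whose IAM role ARN carries a path."""
import re

# arn:<partition>:iam::<account>:role/<optional/path/segments/><RoleName>
ROLE_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}):role/"
    r"(?P<path>(?:[^/]+/)*)(?P<name>[^/]+)$"
)


def canonical_role_arn(arn: str) -> str:
    """Return the path-less role ARN that aws-iam-authenticator compares against.

    The assumed-role identity reported by STS carries only the role name, not
    the path, so the authenticator never sees 'role/extra/test-eks', only
    'role/test-eks'.
    """
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return f"arn:{m['partition']}:iam::{m['account']}:role/{m['name']}"


def find_unmatchable_entries(map_roles: list) -> list:
    """Return (configured_arn, arn_the_authenticator_expects) for every entry
    whose rolearn includes a path, i.e. an entry that will never match a node."""
    issues = []
    for entry in map_roles:
        m = ROLE_ARN_RE.match(entry.get("rolearn", ""))
        if m and m["path"]:
            issues.append((m.string, canonical_role_arn(m.string)))
    return issues


# Constructed sample: the two blocks from the issue report, as parsed YAML would look.
SAMPLE_MAP_ROLES = [
    {"groups": ["system:bootstrappers", "system:nodes"],
     "rolearn": "arn:aws:iam::111111111111:role/test-eks",
     "username": "system:node:{{EC2PrivateDNSName}}"},
    {"groups": ["system:bootstrappers", "system:nodes"],
     "rolearn": "arn:aws:iam::111111111111:role/extra/test-eks",
     "username": "system:node:{{EC2PrivateDNSName}}"},
]

if __name__ == "__main__":
    for configured, expected in find_unmatchable_entries(SAMPLE_MAP_ROLES):
        print(f"{configured} will never match; authenticator expects {expected}")
```

Only the second sample entry is reported, which is exactly the one the MNG service writes; the first, path-less entry is the one a node actually authenticates against.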

@dpiddockcmp dpiddockcmp added the Proposed label May 30, 2020
dpiddockcmp pushed a commit to terraform-aws-modules/terraform-aws-eks that referenced this issue May 30, 2020
* fix: Work around path bug in aws-iam-authenticator

`aws-iam-authenticator` has an open issue where it will not recognize
IAM roles that include paths. This change causes the path supplied to
`var.iam_path` to be stripped when generating the `aws-auth` ConfigMap
in order to work around this.

kubernetes-sigs/aws-iam-authenticator#153
aws/containers-roadmap#926
@mikestef9 mikestef9 added the EKS and EKS Managed Nodes labels Jun 11, 2020
@dpiddockcmp
Author

It would be good if the aws-auth inserts generated by AWS when using Managed Node Groups followed their own documentation 😄

@tsndqst

tsndqst commented Mar 21, 2022

@mikestef9 Any updates on this? It's been almost two years and this is still an issue.

baibailiha added a commit to baibailiha/terraform-aws-eks that referenced this issue Sep 13, 2022
@portswigger-tim

Anyone using CDK that ends up here, I did this as a "workaround": #573 (comment)

@mikestef9
Contributor

Addressed with #185

containers-roadmap automation moved this from Researching to Just Shipped Dec 19, 2023