-
Notifications
You must be signed in to change notification settings - Fork 828
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Helm chart change in dnsPolicy might be breaking for AWS Fargate users #5817
Comments
Just curious about this. Couldn't you create a Fargate profile that just selected on the core DNS application so that core DNS was up when you started Karpenter? You shouldn't need a different Fargate profile for all of the components.
We went back and forth and ultimately decided to go with the Kubernetes default
Noted. We'll open a PR to add some more verbose lingo to the TS guide
I'd agree that we may also want to callout the case where you aren't running any cluster DNS at all (though I'd imagine that this kind of setup is incredibly uncommon since you are eventually going to want to run something that is going to reach out to a Kubernetes service and is going to need cluster DNS; I'd imagine the much more common setup is the one already called out in the docs, where the DNS is just not running when Karpenter starts up). If you think that we should expand on our existing wording, there is currently a callout made here. We'd happily accept a docs PR if you had ideas around how to improve this wording.
This isn't true as far as I'm aware. Assuming that the core-dns pods are already up and running, Karpenter can run with a
Noted, the PR that updates the documentation for the TS item will also include this. |
Hi @jonathan-innis thanks for reply.
You are right that I can technically create second Fargate profile that selects core-dns. For my use case it also means going through security exception process as pods running on Fargate bypass security scanners and this is hard to sell to security team as we have commercial and FedRAMP environments. So far Karpenter is only deployment that got security approval to do this on commercial setups as benefits were too hard to ignore.
I'm fine with the change. I just pointing out that upgrade guide for 0.34.x should call this out as breaking for this setup.
Thanks for pointing out this is already done and I just haven't noticed this.
I've bumped into this when attempting to upgrade existing cluster that was in healthy state. I can try to investigate more today to check if this is related to running core-dns on EC2 and Karpenter on Fargate. |
@jonathan-innis - I've managed to test both setups today with following results:
Based on AWS steps to reconfigure coredns for Fargate it feels like there is some kind of isolation explaining why mixed setup works only with Default policy. |
Description
How can the docs be improved?
Hi I would like to ask maintainers to improve installation / upgrade guide about recent change in v0.34.0 to
dnsPolicy
in Helm chart (#4947). This change is breaking for anyone running AWS EKS cluster with Fargate profile to host only Karpenter controller. In this scenario Karpenter will end up in crash looping state with following error:I would say use of Fargate is quite common for operators who don't want to have special process for upgrading initial node pool and use of
dnsPolicy: Default
option should be really well documented as Karpenter will no longer start with current Helm chart compared to previously released versions. Issue happens in scenario when Karpenter starts on EKS cluster without nodes and should provision initial EC2 instances for kube-system socore-dns
and other controllers starts after Karpenter. This is usually the case when your kube-system contains other privileged containers (cilium, metrics-server, etc.) and it's unfeasible to create & manage individual Fargate profiles for each component.Proposed improvements:
dnsPolicy: Default
fixcore-dns
. This prevents confusion for new adopters that follow installation guide and gets crashlooping container at the end.The text was updated successfully, but these errors were encountered: