
kubeseal does not respond #1447

Closed
druskus20 opened this issue Jan 25, 2024 · 7 comments
Assignees
Labels
triage Issues/PRs that need to be reviewed

Comments

@druskus20

Which component:

chart 2.14.2 (and others)
kubeseal: 0.25 (and previous)

Describe the bug
Same issue as: #317 (CLOSED)
The following command does not respond:

kubeseal --controller-namespace kube-system --controller-name sealed-secrets --format yaml < a.yaml

The suggestion by this user works:
#317 (comment)

Expected behavior
Kubeseal seals my secret a.yaml and prints it to screen.

Additional context

  • Using EKS, k8s version 1.27.
  • I've tried several versions of kubeseal and the helm chart.
  • I am currently using ArgoCD but using helm results in the same.
  • Kubeseal is working fine on another, very similar, older cluster. (older sealed-secrets version). But even that older version does not work in my current cluster.

I believe the issue is not yet resolved, hence why I am opening a new one.

@druskus20 druskus20 added the triage Issues/PRs that need to be reviewed label Jan 25, 2024
@druskus20 druskus20 changed the title Kubeseal does not respond kubeseal does not respond Jan 29, 2024
@agarcia-oss agarcia-oss self-assigned this Feb 29, 2024
@agarcia-oss
Member

agarcia-oss commented Feb 29, 2024

Hi @druskus20

I just tried to verify the issue in an EKS cluster but I cannot reproduce it. Did you try the fetch-cert command to check the connectivity?

kubeseal --fetch-cert

Also, I executed your same command and it works for me:
kubeseal --controller-namespace kube-system --controller-name sealed-secrets-controller --format yaml < a.yaml

Please notice that I changed the controller name to the default sealed-secrets-controller. Are you sure the sealed secrets service in your cluster is not named like that?

Regards

@agarcia-oss
Member

Also, could your issue be related to this one? #1450 (comment)

@druskus20
Author

Hi @agarcia-oss

I tried to run kubeseal --fetch-cert with the same result. The CLI hangs waiting for the response of kubeseal.
The controller-namespace and controller-name flags in my cluster are correct.

Here you can see how executing a kubeseal command with the wrong namespace or name results in an error message.
However, when set correctly, the CLI hangs.

(screenshot omitted)

I also checked the aws-auth configmap, and copied the one from my working cluster into the cluster in which kubeseal fails to respond, with no success.

@agarcia-oss
Member

agarcia-oss commented Mar 7, 2024

Can you try the same fetch-certificate command but with the verbose option in kubeseal?
kubeseal --controller-namespace kube-system --controller-name sealed-secrets --fetch-cert -v 100

This should give you a full log of the request to the cluster from kubeseal.

@metalwhale

metalwhale commented Mar 27, 2024

@druskus20 cc @agarcia-oss
I believe the cause of this issue is not from kubeseal or sealed-secrets, but from the connection between the control plane and worker nodes on EKS.

If you use the eks module for creating your cluster, you can try adding the following code inside the module:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.8.3"

  # ...
  node_security_group_additional_rules = {
    # Allow ingresses from control plane to worker nodes
    ingress_from_control_plane = {
      type                          = "ingress"
      # Feel free to change these to your desired ports
      # Port `0` and protocol `-1` mean that I trust the control plane enough to allow ingresses of any ports & protocols to my worker nodes
      from_port                     = 0
      to_port                       = 0
      protocol                      = "-1"
      # `cluster_security_group` is the security group that control plane uses
      source_cluster_security_group = true
    }
  }
  # ...
}

By default the eks module has enabled some ingresses that allow connections from the control plane to worker nodes, but AFAIK port 8080 (as used by the sealed-secrets controller) is not included.

I got the same problem and after adding the above security group kubeseal works like a charm.

@druskus20
Author

@agarcia-oss @metalwhale
Thanks! That helped.
All that is left is for me to figure out exactly which security rules I'm missing.

@druskus20
Author

druskus20 commented Apr 2, 2024

I believe I figured out why:

resource "aws_security_group_rule" "sealed-secrets-access" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  security_group_id        = module.eks.node_security_group_id
  source_security_group_id = module.eks.cluster_security_group_id
  description              = "Allow inbound traffic to sealed-secrets controller"
}

I had this rule configured on the cluster security group, instead of the node security group. Thanks!
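The two fixes in this thread (metalwhale's allow-everything rule from the control plane, and druskus20's rule scoped to tcp/8080 on the node security group) differ in how much they open up, and druskus20's original mistake was attaching the rule to the wrong group. The script below is an added example, not code from the sealed-secrets project or from anyone in this thread: it takes a list of security group rules and reports whether the control plane can reach the controller port on the nodes, and whether that reachability comes from a rule broader than the single port the controller needs. The input is constructed sample data shaped like the `SecurityGroupRules` entries of `aws ec2 describe-security-group-rules` (an assumption about that output's field names); the group ids are placeholders.

```python
"""Check that the EKS node security group admits the control plane on the
sealed-secrets controller port (tcp/8080) and flag over-broad rules.

Added example, not part of the sealed-secrets project. Rules are dicts in the
shape of `aws ec2 describe-security-group-rules` output (assumed field names).
"""
from dataclasses import dataclass, field

CLUSTER_SG = "sg-0cluster00000000"   # placeholder: control-plane ("cluster") SG
NODE_SG = "sg-0nodes000000000"       # placeholder: worker-node SG
CONTROLLER_PORT = 8080               # port the sealed-secrets controller listens on


@dataclass
class Finding:
    ok: bool                          # control plane can reach the port
    reason: str
    rule_ids: list = field(default_factory=list)


def rule_covers(rule, port, protocol, source_sg, target_sg):
    """True if one ingress rule on target_sg admits protocol/port from source_sg
    (or from anywhere, i.e. CidrIpv4 0.0.0.0/0)."""
    if rule.get("IsEgress", False) or rule.get("GroupId") != target_sg:
        return False
    ref_group = (rule.get("ReferencedGroupInfo") or {}).get("GroupId")
    if ref_group != source_sg and rule.get("CidrIpv4") != "0.0.0.0/0":
        return False
    proto = rule.get("IpProtocol")
    if proto == "-1":                 # all traffic, any port
        return True
    if proto != protocol:
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def rule_is_broad(rule):
    """Broader than one port of one protocol from one security group."""
    if rule.get("IpProtocol") == "-1" or rule.get("CidrIpv4") == "0.0.0.0/0":
        return True
    return rule.get("FromPort") != rule.get("ToPort")


def check_controller_reachable(rules, cluster_sg=CLUSTER_SG, node_sg=NODE_SG,
                               port=CONTROLLER_PORT):
    """Report whether the control plane can reach tcp/port on the nodes and
    whether that depends on a rule wider than the port itself."""
    matching = [r for r in rules if rule_covers(r, port, "tcp", cluster_sg, node_sg)]
    if not matching:
        return Finding(False, f"no ingress rule on {node_sg} admits tcp/{port} "
                              f"from {cluster_sg}; kubeseal would hang")
    broad = [r["SecurityGroupRuleId"] for r in matching if rule_is_broad(r)]
    if broad:
        return Finding(True, f"reachable, but only via rules broader than tcp/{port}", broad)
    return Finding(True, f"reachable via a rule scoped to tcp/{port}",
                   [r["SecurityGroupRuleId"] for r in matching])


def _rule(rule_id, group, proto, from_port, to_port, source_sg=None, cidr=None):
    """Build one constructed rule dict in the assumed describe-security-group-rules shape."""
    r = {"SecurityGroupRuleId": rule_id, "GroupId": group, "IsEgress": False,
         "IpProtocol": proto, "FromPort": from_port, "ToPort": to_port}
    if source_sg:
        r["ReferencedGroupInfo"] = {"GroupId": source_sg}
    if cidr:
        r["CidrIpv4"] = cidr
    return r


# Constructed samples. DEFAULT_RULES stands in for what the eks module ships
# (API server to kubelet etc.); 8080 is not among them.
DEFAULT_RULES = [
    _rule("sgr-kubelet", NODE_SG, "tcp", 10250, 10250, source_sg=CLUSTER_SG),
    _rule("sgr-https", NODE_SG, "tcp", 443, 443, source_sg=CLUSTER_SG),
]
# druskus20's first attempt: the right rule attached to the cluster SG, not the node SG.
RULES_WRONG_GROUP = DEFAULT_RULES + [
    _rule("sgr-misplaced", CLUSTER_SG, "tcp", 8080, 8080, source_sg=CLUSTER_SG)]
# metalwhale's fix: all protocols and ports from the control plane.
RULES_ALL_TRAFFIC = DEFAULT_RULES + [
    _rule("sgr-broad", NODE_SG, "-1", -1, -1, source_sg=CLUSTER_SG)]
# druskus20's final fix: tcp/8080 only, on the node SG, from the cluster SG.
RULES_SCOPED = DEFAULT_RULES + [
    _rule("sgr-scoped", NODE_SG, "tcp", 8080, 8080, source_sg=CLUSTER_SG)]

if __name__ == "__main__":
    for name, rules in [("wrong group", RULES_WRONG_GROUP),
                        ("all traffic", RULES_ALL_TRAFFIC),
                        ("scoped", RULES_SCOPED)]:
        f = check_controller_reachable(rules)
        print(f"{name:12s} ok={f.ok} {f.reason} {f.rule_ids}")
```

Against real output, feed the script the `SecurityGroupRules` array for the node security group and substitute the cluster and node group ids from `module.eks.cluster_security_group_id` and `module.eks.node_security_group_id`. A "wrong group" result is the hang described in this issue; an "all traffic" result works but grants the control plane more than the single port it needs, so the scoped rule is the one to keep.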
