Fix assigning IPs to Windows pods #3067
Conversation
cPu1
force-pushed
the
windows-ip-2721
branch
3 times, most recently
from
0e6a131
to
a291d39
Compare
| type serviceAccountCreator interface { | ||
| NewTasksToCreateIAMServiceAccounts(serviceAccounts []*api.ClusterIAMServiceAccount, oidc *iamoidc.OpenIDConnectManager, clientSetGetter kubernetes.ClientSetGetter, replaceExistingRole bool) *tasks.TaskTree | ||
| } |
There was a problem hiding this comment.
Can I ask why we have this little interface here?
It took me fractionally longer to parse the composition than if stackcollection (or stackmanager, whatever it is) were simply called from the helper struct on line 51, and I have a preference for code which lets me be lazy 馃槈
There was a problem hiding this comment.
Because irsaHelper only needs this method and not the entire StackCollection. This makes testing the VPCController and IRSAHelper easier. It's somewhat similar to saying why, e.g, ioutil.ReadAll takes an io.Reader and not an os.File or a net.TCPConn.
There was a problem hiding this comment.
Oh I couldn't find tests in this PR (I did assume that to start), are they still coming?
There was a problem hiding this comment.
I meant that as a general comment. I haven't added tests as the bulk of the logic is making Kubernetes and AWS calls.
cPu1
force-pushed
the
windows-ip-2721
branch
2 times, most recently
from
aa6ab08
to
dee47f0
Compare
| logger.Debug("CFN stack for IRSA already exists, replacing it with a new stack") | ||
| if err := c.DeleteStackByNameSync(name); err != nil { | ||
| close(errs) | ||
| return errors.Wrap(err, "error deleting stack") | ||
| } | ||
| return c.createIAMServiceAccountTask(errs, spec, oidc, false) |
There was a problem hiding this comment.
Am I right in thinking that VPC controller installation only occurs during cluster creation? If so then when will the scenario occur where the SA already exists occur?
There was a problem hiding this comment.
If so then when will the scenario occur where the SA already exists occur?
The VPC controller can be installed on an existing cluster using eksctl utils install-vpc-controllers.
There was a problem hiding this comment.
So is the scenario here when a user runs eksctl utils install-vpc-controllers after a cluster installation that already installed the VPC controller? If so why do we need to delete & recreate, can't just check for its existence and exit early if it does?
There was a problem hiding this comment.
It is to allow applying any changes to the policy document. If we just check for existence, any changes made to the policy document in code will not be applied.
There was a problem hiding this comment.
but is it needed for this PR? I'm just trying to understand when this codepath is used in relation to vpc-controller 馃槃
It might be that this isn't needed as we will add the ability to update IAM policies without deleting here #3064
There was a problem hiding this comment.
I'm just trying to understand when this codepath is used in relation to vpc-controller
This codepath is invoked when utils install-vpc-controllers is run on a cluster that already has the VPC controller installed (either as part of create cluster or with utils install-vpc-controllers itself). The ServiceAccount created for the role needs the role ARN, so if we skip creation of this stack if it already exists, we'll have to fetch it and get the role ARN, and any changes to the policy document will be ignored, causing the VPC controller to misbehave.
There was a problem hiding this comment.
Ah I see, so is this just for the scenario in which: I have an already created eksctl cluster with oidc enabled and the VPC controller installed, but its missing the policies because I created it with an older version of eksctl? If so that makes sense 馃槃
Apart from that scenario you'd never need to run utils install-vpc-controllers if its already installed correct?
There was a problem hiding this comment.
Ah I see, so is this just for the scenario in which: I have an already created eksctl cluster with oidc enabled and the VPC controller installed, but its missing the policies because I created it with an older version of eksctl?
That's right.
Apart from that scenario you'd never need to run utils install-vpc-controllers if its already installed correct?
Users may also run it to upgrade to a newer version of the VPC controller.
There was a problem hiding this comment.
Thanks! Makes sense. Does this add more downtime for users when they update the VPC controller as we will always delete and recreate the policies even if they are unchanged? Very minor, but it could be removed by using the update functionality #3064
There was a problem hiding this comment.
Does this add more downtime for users when they update the VPC controller as we will always delete and recreate the policies even if they are unchanged?
Yes.
Very minor, but it could be removed by using the update functionality #3064
Yeah, the ideal way would be to update the policies in the existing stack, but since we didn't already have code that updates the policies for IRSA, I went with recreating it. I was aware of your PR but it wasn't in master when I was working on this PR. After your PR is merged, I can change this code to use the update feature (or it can be done as an improvement later).
is there a way we could make it more explicit in the code that the VPC Controller also uses/needs this policy when OIDC is disabled? It feels almost accidental that the VPC Controller worked |
There's little value in attaching the VPC controller-specific policies to the node role because they're a subset of the policies required by the VPC CNI plugin. Although I agree that a comment documenting this behaviour would be useful. |
cPu1
force-pushed
the
windows-ip-2721
branch
4 times, most recently
from
4af15e4
to
1b0e72e
Compare
cPu1
force-pushed
the
windows-ip-2721
branch
2 times, most recently
from
a43e624
to
fab451f
Compare
Description
The VPC controller requires a subset of the IAM policies of the VPC CNI plugin to work. In a cluster with no OIDC provider, the policies required by the CNI plugin are attached to the node role, so the VPC resource controller ends up using it. When a cluster has an OIDC provider (
iam.withOIDC), however, eksctl uses IRSA for the VPC CNI plugin, causing the VPC controller to be unable to access AWS APIs.This PR makes the VPC controller use IRSA if an OIDC provider is associated with the cluster, attaching only the policies required by the VPC controller instead of using the more permissive
AmazonEKS_CNI_Policymanaged policy.Fixes #2721
Checklist
README.md, or theuserdocsdirectory)area/nodegroup), target version (e.g.version/0.12.0) and kind (e.g.kind/improvement)BONUS POINTS checklist: complete for good vibes and maybe prizes?! 馃く