Fix shared SG issue for an existing cluster #444

Merged
merged 10 commits into from Jan 17, 2019

Contributor

@errordeveloper errordeveloper commented Jan 17, 2019

Description

This is a follow-up to #438; it adds a new eksctl update-cluster-stack command that updates an existing cluster stack with new resources that are missing (append-only).

Closes #419.

A cluster was created using an old version (0.1.18):

 [0] >> eksctl create cluster --name=test-missing-node-sg
[ℹ]  using region us-west-2
[ℹ]  setting availability zones to [us-west-2c us-west-2a us-west-2b]
[ℹ]  subnets for us-west-2c - public:192.168.0.0/19 private:192.168.96.0/19
[ℹ]  subnets for us-west-2a - public:192.168.32.0/19 private:192.168.128.0/19
[ℹ]  subnets for us-west-2b - public:192.168.64.0/19 private:192.168.160.0/19
[ℹ]  nodegroup "ng-fba6638e" will use "ami-0a2abab4107669c1b" [AmazonLinux2/1.11]
[ℹ]  creating EKS cluster "test-missing-node-sg" in "us-west-2" region
[ℹ]  will create 2 separate CloudFormation stacks for cluster itself and the initial nodegroup
[ℹ]  if you encounter any issues, check CloudFormation console or try 'eksctl utils describe-stacks --region=us-west-2 --name=test-missing-node-sg'
[ℹ]  creating cluster stack "eksctl-test-missing-node-sg-cluster"
[ℹ]  creating nodegroup stack "eksctl-test-missing-node-sg-nodegroup-ng-fba6638e"
[✔]  all EKS cluster resource for "test-missing-node-sg" had been created
[✔]  saved kubeconfig as "/Users/ilya/.kube/config"
[ℹ]  nodegroup "ng-fba6638e" has 1 node(s)
[ℹ]  node "ip-192-168-36-245.us-west-2.compute.internal" is not ready
[ℹ]  waiting for at least 2 node(s) to become ready in "ng-fba6638e"
[ℹ]  nodegroup "ng-fba6638e" has 2 node(s)
[ℹ]  node "ip-192-168-36-245.us-west-2.compute.internal" is ready
[ℹ]  node "ip-192-168-90-139.us-west-2.compute.internal" is ready
[ℹ]  kubectl command should work with "/Users/ilya/.kube/config", try 'kubectl get nodes'
[✔]  EKS cluster "test-missing-node-sg" in "us-west-2" region is ready

Trying to add a nodegroup with the new version fails:

 [0] >> ./eksctl create nodegroup --cluster=test-missing-node-sg      
[ℹ]  using region us-west-2
[ℹ]  nodegroup "ng-318da8b7" will use "ami-0a2abab4107669c1b" [AmazonLinux2/1.11]
[✖]  cluster compatibility check failed: shared node security group missing, to fix this run 'eksctl utils update-cluster-stack --name=test-missing-node-sg --region=us-west-2'
 [1] >> 

Fix the problem:

 [0] >> ./eksctl utils update-cluster-stack --name=test-missing-node-sg --region=us-west-2
[ℹ]  creating cluster stack "eksctl-test-missing-node-sg-cluster"
[ℹ]  (dry-run) updating stack to add new resources [ClusterSharedNodeSecurityGroup IngressInterNodeGroupSG] and ouputs [SharedNodeSecurityGroup]
[ℹ]  checking security group configuration for all nodegroups
[✖]  found 1 nodegroup(s) (ng-fba6638e) without shared security group, cluster networking maybe be broken
[✖]  it's recommended to create new nodegroups, then delete old ones
[!]  no changes were applied, run again with '--dry-run=false' to apply the changes
 [0] >> ./eksctl utils update-cluster-stack --name=test-missing-node-sg --region=us-west-2 --dry-run=false
[ℹ]  creating cluster stack "eksctl-test-missing-node-sg-cluster"
[ℹ]  updating stack to add new resources [ClusterSharedNodeSecurityGroup IngressInterNodeGroupSG] and ouputs [SharedNodeSecurityGroup]
[ℹ]  checking security group configuration for all nodegroups
[✖]  found 1 nodegroup(s) (ng-fba6638e) without shared security group, cluster networking maybe be broken
[✖]  it's recommended to create new nodegroups, then delete old ones
 [0] >> ./eksctl utils update-cluster-stack --name=test-missing-node-sg --region=us-west-2 --dry-run=false
[ℹ]  creating cluster stack "eksctl-test-missing-node-sg-cluster"
[✔]  all resources in cluster stack "eksctl-test-missing-node-sg-cluster" are up-to-date
[ℹ]  checking security group configuration for all nodegroups
[✖]  found 1 nodegroup(s) (ng-fba6638e) without shared security group, cluster networking maybe be broken
[✖]  it's recommended to create new nodegroups, then delete old ones
[✖]  as a temporary fix, you can patch the configuration and add each of these nodegroup(s) to "sg-034c1a4f4b0bbea77"
 [0] >>

Create new nodegroup, delete old one:

 [0] >> ./eksctl create nodegroup --cluster=test-missing-node-sg 
[ℹ]  using region us-west-2
[ℹ]  nodegroup "ng-d6ae625f" will use "ami-0a2abab4107669c1b" [AmazonLinux2/1.11]
[ℹ]  will create a Cloudformation stack for nodegroup ng-d6ae625f in cluster test-missing-node-sg
[ℹ]  creating nodegroup stack "eksctl-test-missing-node-sg-nodegroup-ng-d6ae625f"
[ℹ]  nodegroup "ng-d6ae625f" has 0 node(s)
[ℹ]  waiting for at least 2 node(s) to become ready in "ng-d6ae625f"
[ℹ]  nodegroup "ng-d6ae625f" has 2 node(s)
[ℹ]  node "ip-192-168-28-8.us-west-2.compute.internal" is ready
[ℹ]  node "ip-192-168-70-86.us-west-2.compute.internal" is ready
[✔]  created nodegroup "ng-d6ae625f" in cluster "test-missing-node-sg"
[ℹ]  checking security group configuration for all nodegroups
[✖]  found 1 nodegroup(s) (ng-fba6638e) without shared security group, cluster networking maybe be broken
[✖]  it's recommended to create new nodegroups, then delete old ones
[✖]  as a temporary fix, you can patch the configuration and add each of these nodegroup(s) to "sg-034c1a4f4b0bbea77"
 [0] >> ./eksctl delete nodegroup --cluster=test-missing-node-sg ng-fba6638e
[ℹ]  deleting nodegroup "ng-fba6638e" in cluster "test-missing-node-sg"
[ℹ]  will delete stack "eksctl-test-missing-node-sg-nodegroup-ng-fba6638e"
[✔]  nodegroup "ng-fba6638e" will be deleted
 [0] >> 

Checklist

  • Code compiles correctly (i.e. make build)
  • All tests passing (i.e. make test)
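
The append-only update reported in the dry-run output above can be sketched as a merge of two CloudFormation templates that adds the resources and outputs the current stack lacks and never touches the ones it already has. This is an added Go example, not eksctl's code and not part of the pull request; `AppendOnly`, `merge` and the sample templates are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

type section = map[string]json.RawMessage

// merge returns have plus the entries of need it lacks, and the sorted names added.
func merge(have, need section) (section, []string) {
	merged, added := section{}, []string{}
	for k, v := range have {
		merged[k] = v
	}
	for k, v := range need {
		if _, ok := merged[k]; !ok {
			merged[k], added = v, append(added, k)
		}
	}
	sort.Strings(added)
	return merged, added
}

// AppendOnly adds missing resources and outputs to current; dryRun only reports them.
func AppendOnly(current, desired string, dryRun bool) (string, []string, []string, error) {
	var cur, want struct{ Resources, Outputs section }
	var raw section // every top-level key of current, so unrelated keys pass through
	for _, err := range []error{json.Unmarshal([]byte(current), &cur),
		json.Unmarshal([]byte(current), &raw), json.Unmarshal([]byte(desired), &want)} {
		if err != nil {
			return "", nil, nil, err
		}
	}
	res, addRes := merge(cur.Resources, want.Resources)
	outs, addOuts := merge(cur.Outputs, want.Outputs)
	if dryRun || len(addRes)+len(addOuts) == 0 {
		return current, addRes, addOuts, nil
	}
	top, _ := merge(raw, nil) // copy: also covers a JSON null template (nil map)
	top["Resources"], _ = json.Marshal(res)
	top["Outputs"], _ = json.Marshal(outs)
	out, err := json.Marshal(top)
	return string(out), addRes, addOuts, err
}

func main() { // constructed sample; real eksctl templates are far larger
	fmt.Println(AppendOnly(`{"Resources":{"VPC":{}}}`, `{"Resources":{"VPC":{},"IngressInterNodeGroupSG":{}}}`, true))
}
```

Running the merge a second time on its own output adds nothing, which matches the "all resources ... are up-to-date" line in the third run above.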

Contributor

@dlespiau dlespiau left a comment

\o/

Successfully merging this pull request may close these issues.

review cross-nodegroup ingress rules