You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The service account IAM roles created by the PublicJWKS feature flag can exceed the IAM role name length limit. See the failing job logs here.
W1206 04:58:15.902425 1067 executor.go:131] error running task "IAMRole/dns-controller.kube-system.sa.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io" (5m52s remaining to succeed): error getting role: ValidationError: 1 validation error detected: Value 'dns-controller.kube-system.sa.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io' at 'roleName' failed to satisfy constraint: Member must have length less than or equal to 64
A reasonable solution would be to hash a portion of the name:
but I'm wondering if others have opinions about which portion(s) to hash. We still don't tag IAM roles even though they support tagging, so to maintain discoverability to users we could add the service account name and namespace as tags in addition to the usual cloud tags.
The text was updated successfully, but these errors were encountered:
I implemented a workaround for the failing test in #10437.
I really like the idea of tagging these roles now that they support tagging - it would make cleanup easier, and we could detect collisions (unlikely as they are)
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
The service account IAM roles created by the PublicJWKS feature flag can exceed the IAM role name length limit. See the failing job logs here.
W1206 04:58:15.902425 1067 executor.go:131] error running task "IAMRole/dns-controller.kube-system.sa.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io" (5m52s remaining to succeed): error getting role: ValidationError: 1 validation error detected: Value 'dns-controller.kube-system.sa.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io' at 'roleName' failed to satisfy constraint: Member must have length less than or equal to 64
A reasonable solution would be to hash a portion of the name:
kops/pkg/model/iam/types.go
Line 51 in 2f6c67e
but I'm wondering if others have opinions about which portion(s) to hash. We still don't tag IAM roles even though they support tagging, so to maintain discoverability to users we could add the service account name and namespace as tags in addition to the usual cloud tags.
The text was updated successfully, but these errors were encountered: