"does not contain acceptable node role" error when starting a k8s 1.19 cluster specifying custom iam roles #10719
Hi @alanbover, thanks for the report and the detailed investigation! You're right: it seems the code assumes that the IAM instance profile name matches the IAM role name, which is not necessarily true. We should call `iam.GetInstanceProfile` to get the instance profile's list of roles and append their names to this list.
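To illustrate the proposed fix, here is a minimal sketch of the expansion logic only. This is hypothetical code, not the actual kops implementation: the real fix would call `iam.GetInstanceProfile` through the AWS SDK, and `lookupRoles` here is a stand-in for that call so the example stays self-contained.

```go
package main

import "fmt"

// expandNodesRoles appends, for each configured instance profile name, the
// names of the IAM roles attached to that profile. lookupRoles is a
// hypothetical stand-in for an iam.GetInstanceProfile call that returns the
// profile's role names.
func expandNodesRoles(nodesRoles []string, lookupRoles func(profile string) ([]string, error)) ([]string, error) {
	out := append([]string{}, nodesRoles...)
	for _, profile := range nodesRoles {
		roles, err := lookupRoles(profile)
		if err != nil {
			return nil, err
		}
		out = append(out, roles...)
	}
	return out, nil
}

func main() {
	// Fake lookup: a made-up profile "eu-west-1-dev-k8sWorker-profile" that
	// contains the role "eu-west-1-dev-k8sWorker" (the names differ, which is
	// exactly the situation described in this issue).
	lookup := func(profile string) ([]string, error) {
		return map[string][]string{
			"eu-west-1-dev-k8sWorker-profile": {"eu-west-1-dev-k8sWorker"},
		}[profile], nil
	}
	expanded, err := expandNodesRoles([]string{"eu-west-1-dev-k8sWorker-profile"}, lookup)
	if err != nil {
		panic(err)
	}
	// The expanded list now contains both the profile name and its role name,
	// so the verifier's role-name check can succeed.
	fmt.Println(expanded)
}
```

With this expansion in place, the verifier's membership check would match the role name extracted from the STS ARN even when the instance profile name differs from it.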
I got the same error.
Probably I can fix it, so I will take this issue. /assign
Thanks @h3poteto
I have confirmed that this issue has already been resolved in 1.19.1, so I will close. /close
@h3poteto: You can't close an active issue/PR unless you authored it or you are a collaborator. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Thanks :)
@olemarkus: Closing this issue. In response to this:
**1. What `kops` version are you running? The command `kops version` will display this information.**
1.19.0
**2. What Kubernetes version are you running?**
1.19.7
**3. What cloud provider are you using?**
AWS
**4. What commands did you run? What is the simplest way to reproduce this issue?**
`kops create -f ${BUILD_PATH}/cluster.yaml --state ${ASSETS_S3_PATH} -v9`
**5. What happened after the commands executed?**
The cluster's master instances boot correctly, but the nodes are unable to start. They seem to be failing with the "does not contain acceptable node role" error.
**6. What did you expect to happen?**
The nodes start correctly, as they do with previous Kubernetes versions (< 1.19).
**7. Please provide your cluster manifest.**
**8. Please run the commands with the most verbose logging by adding the `-v 10` flag. Paste the logs into this report, or in a gist and provide the gist link here.**
**9. Anything else we need to know?**
I'm new to the kops code, so I might have gotten something wrong. I've tried to trace this problem, and it seems to be triggered by #9653.
The problem seems to be happening in this piece of code:
kops/upup/pkg/fi/cloudup/awsup/aws_verifier.go
Lines 179 to 210 in d5d08a4
Apparently (according to the error log), the ARN received for the comparison is `arn:aws:sts:::assumed-role/eu-west-1-dev-k8sWorker/i-0a508b0db9c93ce33` (the assigned instance role).
It then checks whether the role name (`eu-west-1-dev-k8sWorker`) is in a list of roles which, as I understand it, is populated by calling the bootstrap endpoint of kops-controller (https://kops-controller.internal.loko2.kops.mydomain.com:3988/bootstrap).
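To make the comparison concrete, here is a minimal, hypothetical sketch (not the actual aws_verifier.go code) of what the verifier appears to do: extract the role name from the assumed-role STS ARN and check it against the configured list. The ARN below is taken from the error log above; the function names are made up for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// roleNameFromAssumedRoleARN extracts the role name from an STS ARN such as
// arn:aws:sts:::assumed-role/eu-west-1-dev-k8sWorker/i-0a508b0db9c93ce33.
// The role name is the second-to-last slash-separated segment.
func roleNameFromAssumedRoleARN(arn string) (string, error) {
	parts := strings.Split(arn, "/")
	if len(parts) < 3 || !strings.HasSuffix(parts[0], ":assumed-role") {
		return "", fmt.Errorf("unexpected ARN format: %q", arn)
	}
	return parts[len(parts)-2], nil
}

// isAcceptableRole reports whether roleName appears in the configured list.
// If nodesRoles holds instance profile names instead of role names, this
// check fails even for a legitimate instance -- the bug described here.
func isAcceptableRole(roleName string, nodesRoles []string) bool {
	for _, r := range nodesRoles {
		if r == roleName {
			return true
		}
	}
	return false
}

func main() {
	arn := "arn:aws:sts:::assumed-role/eu-west-1-dev-k8sWorker/i-0a508b0db9c93ce33"
	role, err := roleNameFromAssumedRoleARN(arn)
	if err != nil {
		panic(err)
	}
	fmt.Println(role) // eu-west-1-dev-k8sWorker
	// nodesRoles accidentally populated with an instance profile name, so the
	// membership check fails and the node is rejected.
	fmt.Println(isAcceptableRole(role, []string{"eu-west-1-dev-k8sWorker-profile"})) // false
}
```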
As I understand it, this is the content used for the bootstrap call:
`cat /var/lib/kubelet/pods/99ef619e-037b-47de-9f1b-c31e6ad12622/volumes/kubernetes.io~configmap/kops-controller-config/config.yaml`
As we can see, `nodesRoles` contains instance profile names instead of role names (it seems to be generated here: https://github.com/kubernetes/kops/blob/master/upup/pkg/fi/cloudup/template_functions.go#L446-L450).
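For illustration only (a hypothetical sketch, not the actual template_functions.go code): if the config generator derives each `nodesRoles` entry from the last path segment of the instance profile ARN, the list ends up holding profile names rather than role names. The ARN, account ID, and profile name below are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// lastARNSegment returns the final slash-separated segment of an ARN, e.g.
// the profile name from an instance-profile ARN.
func lastARNSegment(arn string) string {
	parts := strings.Split(arn, "/")
	return parts[len(parts)-1]
}

func main() {
	// Hypothetical instance profile ARN (account ID and name are invented).
	profileARN := "arn:aws:iam::123456789012:instance-profile/eu-west-1-dev-k8sWorker-profile"
	// This yields the instance profile name, not the name of any role
	// attached to the profile -- so the verifier's role-name check fails
	// whenever the two names differ.
	fmt.Println(lastARNSegment(profileARN))
}
```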
If I haven't missed any intermediate step, I believe the problem is that it's comparing IAM role names against instance profile names.
The same configuration works fine with 1.18 clusters. I also checked that starting a basic 1.19 cluster (without this configuration, i.e. not specifying a pre-existing instance profile) works fine.