-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Detect AWS region for S3 inside containers #9857
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
3cb9d16
to
32e6da7
Compare
Another possibility would be to set |
This is a more generic fix that will work in any container and I don't think it has any downside. |
Some security systems block access to AWS metadata from pods in order to deny them use of the node's IAM roles. |
Ok, I would still leave this as is and create a new PR that adds AWS_REGION to env vars. Sounds reasonable? |
Can confirm this works.
|
@johngmyers any thoughts on merging this? |
/lgtm |
…pstream-release-1.18 Automated cherry pick of #9857: Detect AWS region for S3 inside containers
@hakman @johngmyers Can we get this back ported to 1.18? without this change the ability to use kops to deploy to aws govcloud regions is broken; at least without needing to manually update the kops-controller DS to include the AWS_REGION env. |
@ryan-dyer-sp already cherry-picked into 1.18, will take another 2-4 for a new release. I hope this is ok for you. |
AWS detection assumes that
/sys/devices/virtual/dmi/id/product_uuid
is readable. This is not the case inside containers likekops-controller
. If there is an error reading the file, AWS api should be queried anyway as a fallback.Fixes: #9856