Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect AWS region for S3 inside containers #9857

Merged
merged 1 commit into from
Sep 10, 2020
Merged

Detect AWS region for S3 inside containers #9857

merged 1 commit into from
Sep 10, 2020

Conversation

hakman
Copy link
Member

@hakman hakman commented Sep 2, 2020
edited
Loading

AWS detection assumes that /sys/devices/virtual/dmi/id/product_uuid is readable. This is not the case inside containers like kops-controller. If there is an error reading the file, AWS api should be queried anyway as a fallback.

Fixes: #9856

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Sep 2, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Sep 2, 2020
@hakman hakman mentioned this pull request Sep 2, 2020
Merged
@johngmyers
Copy link
Member

Another possibility would be to set AWS_REGION in the manifest.

@hakman
Copy link
Member Author

hakman commented Sep 2, 2020

Another possibility would be to set AWS_REGION in the manifest.

This is a more generic fix that will work in any container and I don't think it has any downside.

@johngmyers
Copy link
Member

Some security systems block access to AWS metadata from pods in order to deny them use of the node's IAM roles.

@hakman
Copy link
Member Author

hakman commented Sep 2, 2020

Some security systems block access to AWS metadata from pods in order to deny them use of the node's IAM roles.

Ok, I would still leave this as is and create a new PR that adds AWS_REGION to env vars. Sounds reasonable?

@w3irdrobot
Copy link

Can confirm this works.

➜ k -n kube-system logs $(k -n kube-system get po -l k8s-app=kops-controller -o name)
...
I0904 14:23:11.412699       1 s3context.go:328] unable to read /sys/devices/virtual/dmi/id/product_uuid, assuming not running on EC2: open /sys/devices/virtual/dmi/id/product_uuid: permission denied
I0904 14:23:11.415665       1 s3context.go:166] got region from metadata: "us-west-1"
I0904 14:23:11.478280       1 s3context.go:213] found bucket in region "us-west-1"
...

Slack convo link

@hakman
Copy link
Member Author

hakman commented Sep 5, 2020

@johngmyers any thoughts on merging this?

@johngmyers
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 10, 2020
@k8s-ci-robot k8s-ci-robot merged commit a5fc889 into kubernetes:master Sep 10, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.19 milestone Sep 10, 2020
k8s-ci-robot added a commit that referenced this pull request Sep 11, 2020
@k8s-ci-robot
Merge pull request #9858 from hakman/automated-cherry-pick-of-#9857-u…
54edde5 
…pstream-release-1.18

Automated cherry pick of #9857: Detect AWS region for S3 inside containers
@ryan-dyer-sp
Copy link
Contributor

ryan-dyer-sp commented Sep 11, 2020
edited
Loading

@hakman @johngmyers Can we get this back ported to 1.18? without this change the ability to use kops to deploy to aws govcloud regions is broken; at least without needing to manually update the kops-controller DS to include the AWS_REGION env.

@hakman hakman deleted the detect-aws-region branch September 12, 2020 02:42
@hakman
Copy link
Member Author

hakman commented Sep 12, 2020

@ryan-dyer-sp already cherry-picked into 1.18, will take another 2-4 for a new release. I hope this is ok for you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gjtempleton gjtempleton Awaiting requested review from gjtempleton

@zetaab zetaab Awaiting requested review from zetaab

Assignees

@johngmyers johngmyers

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.19
Development

Successfully merging this pull request may close these issues.

kops-controller can't determine AWS region
5 participants
@hakman @k8s-ci-robot @johngmyers @w3irdrobot @ryan-dyer-sp