Issue with configMap generation during EKS Managed Node Group implementation #293

Closed
casey-robertson opened this issue Dec 17, 2019 · 3 comments · Fixed by #302
Labels: customer/feedback (Feedback from customers), kind/bug (Some behavior is incorrect or out of spec)


casey-robertson commented Dec 17, 2019

Problem description

Deployed EKS Managed Node Groups to existing EKS cluster leveraging the new support in 0.18.18 of the eks library. As a result of this, the aws-auth configmap was updated with an auto-generated, managed node role. Custom node roles created in another stack and passed to the nodeGroup constructor APPEARED to not be added to the aws-auth configMap. End result was all nodes going into a 'NotReady' state. The configMap appeared to contain only the auto-generated role (based on the diff), however, the custom role must still have been present somehow and the nodes began using the AWS-generated role (rather than the custom roles passed to the constructor).

Mitigation - Manually edited the configMap to add the custom roles and the nodes immediately went back to 'Ready' status.

Errors & Logs

Condensed version of change log

Changes:
 
    Type                           Name                                            Operation
>   pulumi:pulumi:StackReference   networkStack                                    read
>   aws:iam:Role                   OrganizationPulumiService                       read
>   pulumi:pulumi:StackReference   iamstack                                        read
>   aws:iam:Role                   mbArcusK8snodeIamRole                           read
>   aws:iam:Role                   mbArcusK8sMonitoringNodeIamRole                 read
>   aws:iam:Role                   mb-arcus-platform-team                          read
>   aws:iam:Role                   OrganizationADOService                          read
+   aws:iam:Role                   arcus-alpha-aws-instanceRole-role               created
+   aws:iam:RolePolicyAttachment   arcus-alpha-aws-instanceRole-3eb088f2           created
+   aws:iam:RolePolicyAttachment   arcus-alpha-aws-instanceRole-e1b295bd           created
+   aws:iam:RolePolicyAttachment   arcus-alpha-aws-instanceRole-03516f97           created
+   eks:index:ServiceRole          arcus-alpha-aws-instanceRole                    created
++  kubernetes:core:ConfigMap      arcus-alpha-aws-nodeAccess                      replaced
+   aws:eks:NodeGroup              default                                         created
+   aws:eks:NodeGroup              monitoring                                      created
-   aws:cloudformation:Stack       monitoring-nodes                                deleted
-   aws:cloudformation:Stack       default-nodes                                   deleted
-   aws:ec2:LaunchConfiguration    default-nodeLaunchConfiguration                 deleted
-   aws:ec2:LaunchConfiguration    monitoring-nodeLaunchConfiguration              deleted
-   pulumi-nodejs:dynamic:Resource monitoring-cfnStackName                         deleted
-   pulumi-nodejs:dynamic:Resource default-cfnStackName                            deleted
-   aws:iam:InstanceProfile        mbArcusK8snodeIamRole-instanceProfile           deleted
-   aws:iam:InstanceProfile        mbArcusK8sMonitoringNodeIamRole-instanceProfile deleted
 
Resources:
    + created 7
    - deleted 10
    +-replaced 1
    38 unchanged
 
Duration: 8m11s

Key snippet showing the configmap change

  data               : {
        mapRoles: "- rolearn: 'arn:aws:iam::12345678910:role/OrganizationADOService'
  username: OrganizationADOService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/OrganizationPulumiService'
  username: OrganizationPulumiService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/mb-arcus-platform-team'
  username: platformeng-usr
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/mbArcusK8sMonitoringNodeIamRole'
  username: 'system:node:{{EC2PrivateDNSName}}'
  groups:
    - 'system:bootstrappers'
    - 'system:nodes'
- rolearn: 'arn:aws:iam::12345678910:role/mbArcusK8snodeIamRole'
  username: 'system:node:{{EC2PrivateDNSName}}'
  groups:
    - 'system:bootstrappers'
    - 'system:nodes'
" => "- rolearn: 'arn:aws:iam::12345678910:role/OrganizationADOService'
  username: OrganizationADOService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/OrganizationPulumiService'
  username: OrganizationPulumiService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/mb-arcus-platform-team'
  username: platformeng-usr
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/arcus-alpha-aws-instanceRole-role-0986326'
  username: 'system:node:{{EC2PrivateDNSName}}'
  groups:
    - 'system:bootstrappers'
    - 'system:nodes'
"
Update #205 • Merged PR 28789: EKS Managed Nodes
warning
Update succeeded in 8 minutes
+7-10~138
CHANGES

networkStack (pulumi:pulumi:StackReference)
>  pulumi:pulumi:StackReference (read)
    [id=MINDBODY-Platform/aws-networking/arcus-alpha]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::pulumi:pulumi:StackReference::networkStack]
 
OrganizationPulumiService (aws:iam:Role)
>  aws:iam/role:Role (read)
    [id=OrganizationPulumiService]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::aws:iam/role:Role::OrganizationPulumiService]
 
iamstack (pulumi:pulumi:StackReference)
>  pulumi:pulumi:StackReference (read)
    [id=MINDBODY-Platform/aws-iam/arcus-alpha]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::pulumi:pulumi:StackReference::iamstack]
 
mbArcusK8snodeIamRole (aws:iam:Role)
>  aws:iam/role:Role (read)
    [id=mbArcusK8snodeIamRole]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::aws:iam/role:Role::mbArcusK8snodeIamRole]
 
mbArcusK8sMonitoringNodeIamRole (aws:iam:Role)
>  aws:iam/role:Role (read)
    [id=mbArcusK8sMonitoringNodeIamRole]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::aws:iam/role:Role::mbArcusK8sMonitoringNodeIamRole]
 
mb-arcus-platform-team (aws:iam:Role)
>  aws:iam/role:Role (read)
    [id=mb-arcus-platform-team]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::aws:iam/role:Role::mb-arcus-platform-team]
 
OrganizationADOService (aws:iam:Role)
>  aws:iam/role:Role (read)
    [id=OrganizationADOService]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::aws:iam/role:Role::OrganizationADOService]
 
arcus-alpha-aws-instanceRole-role (arcus:cluster$eks:index:Cluster$eks:index:ServiceRole$aws:iam/role:Role)
+  aws:iam/role:Role (create)
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:ServiceRole$aws:iam/role:Role::arcus-alpha-aws-instanceRole-role]
    __defaults         : [
        [0]: "forceDetachPolicies"
        [1]: "maxSessionDuration"
        [2]: "name"
        [3]: "path"
    ]
    assumeRolePolicy   : "{"Version":"2012-10-17","Statement":[{"Action":["sts:AssumeRole"],"Effect":"Allow","Principal":{"Service":["ec2.amazonaws.com"]}}]}"
    forceDetachPolicies: false
    maxSessionDuration : 3600
    name               : "arcus-alpha-aws-instanceRole-role-0986326"
    path               : "/"
 
arcus-alpha-aws-instanceRole-3eb088f2 (arcus:cluster$eks:index:Cluster$eks:index:ServiceRole$aws:iam/rolePolicyAttachment:RolePolicyAttachment)
+  aws:iam/rolePolicyAttachment:RolePolicyAttachment (create)
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:ServiceRole$aws:iam/rolePolicyAttachment:RolePolicyAttachment::arcus-alpha-aws-instanceRole-3eb088f2]
    __defaults: []
    policyArn : "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
    role      : "arcus-alpha-aws-instanceRole-role-0986326"
 
arcus-alpha-aws-instanceRole-e1b295bd (arcus:cluster$eks:index:Cluster$eks:index:ServiceRole$aws:iam/rolePolicyAttachment:RolePolicyAttachment)
+  aws:iam/rolePolicyAttachment:RolePolicyAttachment (create)
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:ServiceRole$aws:iam/rolePolicyAttachment:RolePolicyAttachment::arcus-alpha-aws-instanceRole-e1b295bd]
    __defaults: []
    policyArn : "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
    role      : "arcus-alpha-aws-instanceRole-role-0986326"
 
arcus-alpha-aws-instanceRole-03516f97 (arcus:cluster$eks:index:Cluster$eks:index:ServiceRole$aws:iam/rolePolicyAttachment:RolePolicyAttachment)
+  aws:iam/rolePolicyAttachment:RolePolicyAttachment (create)
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:ServiceRole$aws:iam/rolePolicyAttachment:RolePolicyAttachment::arcus-alpha-aws-instanceRole-03516f97]
    __defaults: []
    policyArn : "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
    role      : "arcus-alpha-aws-instanceRole-role-0986326"
 
arcus-alpha-aws-instanceRole (arcus:cluster$eks:index:Cluster$eks:index:ServiceRole)
+  eks:index:ServiceRole (create)
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:ServiceRole::arcus-alpha-aws-instanceRole]
 
arcus-alpha-aws-nodeAccess (arcus:cluster$eks:index:Cluster$kubernetes:core/v1:ConfigMap)
++ kubernetes:core/v1:ConfigMap (create-replacement)
    [id=kube-system/aws-auth]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$kubernetes:core/v1:ConfigMap::arcus-alpha-aws-nodeAccess]
    __inputs           : {
        data      : {
            mapRoles: "- rolearn: 'arn:aws:iam::12345678910:role/OrganizationADOService'
  username: OrganizationADOService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/OrganizationPulumiService'
  username: OrganizationPulumiService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/mb-arcus-platform-team'
  username: platformeng-usr
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/mbArcusK8sMonitoringNodeIamRole'
  username: 'system:node:{{EC2PrivateDNSName}}'
  groups:
    - 'system:bootstrappers'
    - 'system:nodes'
- rolearn: 'arn:aws:iam::12345678910:role/mbArcusK8snodeIamRole'
  username: 'system:node:{{EC2PrivateDNSName}}'
  groups:
    - 'system:bootstrappers'
    - 'system:nodes'
" => "- rolearn: 'arn:aws:iam::12345678910:role/OrganizationADOService'
  username: OrganizationADOService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/OrganizationPulumiService'
  username: OrganizationPulumiService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/mb-arcus-platform-team'
  username: platformeng-usr
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/arcus-alpha-aws-instanceRole-role-0986326'
  username: 'system:node:{{EC2PrivateDNSName}}'
  groups:
    - 'system:bootstrappers'
    - 'system:nodes'
"
        }
    }
    data               : {
        mapRoles: "- rolearn: 'arn:aws:iam::12345678910:role/OrganizationADOService'
  username: OrganizationADOService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/OrganizationPulumiService'
  username: OrganizationPulumiService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/mb-arcus-platform-team'
  username: platformeng-usr
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/mbArcusK8sMonitoringNodeIamRole'
  username: 'system:node:{{EC2PrivateDNSName}}'
  groups:
    - 'system:bootstrappers'
    - 'system:nodes'
- rolearn: 'arn:aws:iam::12345678910:role/mbArcusK8snodeIamRole'
  username: 'system:node:{{EC2PrivateDNSName}}'
  groups:
    - 'system:bootstrappers'
    - 'system:nodes'
" => "- rolearn: 'arn:aws:iam::12345678910:role/OrganizationADOService'
  username: OrganizationADOService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/OrganizationPulumiService'
  username: OrganizationPulumiService
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/mb-arcus-platform-team'
  username: platformeng-usr
  groups:
    - 'system:masters'
- rolearn: 'arn:aws:iam::12345678910:role/arcus-alpha-aws-instanceRole-role-0986326'
  username: 'system:node:{{EC2PrivateDNSName}}'
  groups:
    - 'system:bootstrappers'
    - 'system:nodes'
"
    }
    metadata           : {
        annotations      : {
            kubectl.kubernetes.io/last-applied-configuration: "{"apiVersion":"v1","data":{"mapRoles":"- rolearn: 'arn:aws:iam::12345678910:role/OrganizationADOService'\n  username: OrganizationADOService\n  groups:\n    - 'system:masters'\n- rolearn: 'arn:aws:iam::12345678910:role/OrganizationPulumiService'\n  username: OrganizationPulumiService\n  groups:\n    - 'system:masters'\n- rolearn: 'arn:aws:iam::12345678910:role/mb-arcus-platform-team'\n  username: platformeng-usr\n  groups:\n    - 'system:masters'\n- rolearn: 'arn:aws:iam::12345678910:role/mbArcusK8sMonitoringNodeIamRole'\n  username: 'system:node:{{EC2PrivateDNSName}}'\n  groups:\n    - 'system:bootstrappers'\n    - 'system:nodes'\n- rolearn: 'arn:aws:iam::12345678910:role/mbArcusK8snodeIamRole'\n  username: 'system:node:{{EC2PrivateDNSName}}'\n  groups:\n    - 'system:bootstrappers'\n    - 'system:nodes'\n"},"kind":"ConfigMap","metadata":{"labels":{"app.kubernetes.io/managed-by":"pulumi"},"name":"aws-auth","namespace":"kube-system"}}
" => "{"apiVersion":"v1","data":{"mapRoles":"- rolearn: 'arn:aws:iam::12345678910:role/OrganizationADOService'\n  username: OrganizationADOService\n  groups:\n    - 'system:masters'\n- rolearn: 'arn:aws:iam::12345678910:role/OrganizationPulumiService'\n  username: OrganizationPulumiService\n  groups:\n    - 'system:masters'\n- rolearn: 'arn:aws:iam::12345678910:role/mb-arcus-platform-team'\n  username: platformeng-usr\n  groups:\n    - 'system:masters'\n- rolearn: 'arn:aws:iam::12345678910:role/arcus-alpha-aws-instanceRole-role-0986326'\n  username: 'system:node:{{EC2PrivateDNSName}}'\n  groups:\n    - 'system:bootstrappers'\n    - 'system:nodes'\n"},"kind":"ConfigMap","metadata":{"labels":{"app.kubernetes.io/managed-by":"pulumi"},"name":"aws-auth","namespace":"kube-system"}}
"
        }
        creationTimestamp: "2019-11-15T21:05:54Z" => "2019-12-10T19:24:06Z"
        resourceVersion  : "12572843" => "17353243"
        uid              : "b6058d91-07eb-11ea-8f4e-02f493ddc2ac" => "a1c0cf2f-1b82-11ea-8a88-02db11ef2100"
    }
Diagnostics:
 
default (arcus:cluster$eks:index:Cluster$aws:eks/nodeGroup:NodeGroup)
+  aws:eks/nodeGroup:NodeGroup (create)
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$aws:eks/nodeGroup:NodeGroup::default]
    __defaults   : []
    clusterName  : "arcus-alpha-aws-eksCluster-ea89bd5"
    instanceTypes: "m5.xlarge"
    labels       : {
        __defaults: []
        dedicated : "default"
    }
    nodeGroupName: "default"
    nodeRoleArn  : "arn:aws:iam::12345678910:role/mbArcusK8snodeIamRole"
    scalingConfig: {
        __defaults : []
        desiredSize: 3
        maxSize    : 20
        minSize    : 3
    }
    subnetIds    : [
        [0]: "subnet-05ec7dc0e6e851eb5"
        [1]: "subnet-087f8b25a52c87c11"
        [2]: "subnet-0137ec7974cf025e4"
        [3]: "subnet-032c5bbeb3a7c81ab"
        [4]: "subnet-07211269220b7d287"
        [5]: "subnet-0ec8e4b78ddd7533e"
    ]
 
monitoring (arcus:cluster$eks:index:Cluster$aws:eks/nodeGroup:NodeGroup)
+  aws:eks/nodeGroup:NodeGroup (create)
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$aws:eks/nodeGroup:NodeGroup::monitoring]
    __defaults   : []
    clusterName  : "arcus-alpha-aws-eksCluster-ea89bd5"
    instanceTypes: "m5.xlarge"
    labels       : {
        __defaults: []
        dedicated : "monitoring"
    }
    nodeGroupName: "monitoring"
    nodeRoleArn  : "arn:aws:iam::12345678910:role/mbArcusK8sMonitoringNodeIamRole"
    scalingConfig: {
        __defaults : []
        desiredSize: 3
        maxSize    : 20
        minSize    : 3
    }
    subnetIds    : [
        [0]: "subnet-05ec7dc0e6e851eb5"
        [1]: "subnet-087f8b25a52c87c11"
        [2]: "subnet-0137ec7974cf025e4"
        [3]: "subnet-032c5bbeb3a7c81ab"
        [4]: "subnet-07211269220b7d287"
        [5]: "subnet-0ec8e4b78ddd7533e"
    ]
 
monitoring-nodes (arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$aws:cloudformation/stack:Stack)
-  aws:cloudformation/stack:Stack (delete)
    [id=arn:aws:cloudformation:us-west-2:12345678910:stack/monitoring-a464f9d4/b9855c20-cf57-11e9-9d49-06c01b62978e]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$aws:cloudformation/stack:Stack::monitoring-nodes]
    __defaults      : []
    capabilities    : []
    disableRollback : false
    iamRoleArn      : ""
    name            : "monitoring-a464f9d4"
    notificationArns: []
    parameters      : {}
    tags            : {
        Name      : "monitoring-nodes"
        __defaults: []
    }
    templateBody    : "
                AWSTemplateFormatVersion: '2010-09-09'
                Outputs:
                    NodeGroup:
                        Value: !Ref NodeGroup
                Resources:
                    NodeGroup:
                        Type: AWS::AutoScaling::AutoScalingGroup
                        Properties:
                          DesiredCapacity: 2
                          LaunchConfigurationName: monitoring-nodeLaunchConfiguration-295c09a
                          MinSize: 1
                          MaxSize: 2
                          VPCZoneIdentifier: ["subnet-05ec7dc0e6e851eb5","subnet-087f8b25a52c87c11","subnet-0137ec7974cf025e4"]
                          Tags:
                          
                          - Key: Name
                            Value: arcus-alpha-aws-eksCluster-ea89bd5-worker
                            PropagateAtLaunch: 'true'
                          - Key: kubernetes.io/cluster/arcus-alpha-aws-eksCluster-ea89bd5
                            Value: owned
                            PropagateAtLaunch: 'true'
                        UpdatePolicy:
                          AutoScalingRollingUpdate:
                            MinInstancesInService: '1'
                            MaxBatchSize: '1'
                "
 
default-nodes (arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$aws:cloudformation/stack:Stack)
-  aws:cloudformation/stack:Stack (delete)
    [id=arn:aws:cloudformation:us-west-2:12345678910:stack/default-4be00ea7/b9d59f00-cf57-11e9-8493-06558479a1c6]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$aws:cloudformation/stack:Stack::default-nodes]
    __defaults      : []
    capabilities    : []
    disableRollback : false
    iamRoleArn      : ""
    name            : "default-4be00ea7"
    notificationArns: []
    parameters      : {}
    tags            : {
        Name      : "default-nodes"
        __defaults: []
    }
    templateBody    : "
                AWSTemplateFormatVersion: '2010-09-09'
                Outputs:
                    NodeGroup:
                        Value: !Ref NodeGroup
                Resources:
                    NodeGroup:
                        Type: AWS::AutoScaling::AutoScalingGroup
                        Properties:
                          DesiredCapacity: 6
                          LaunchConfigurationName: default-nodeLaunchConfiguration-acecd06
                          MinSize: 6
                          MaxSize: 10
                          VPCZoneIdentifier: ["subnet-05ec7dc0e6e851eb5","subnet-087f8b25a52c87c11","subnet-0137ec7974cf025e4"]
                          Tags:
                          
                          - Key: Name
                            Value: arcus-alpha-aws-eksCluster-ea89bd5-worker
                            PropagateAtLaunch: 'true'
                          - Key: kubernetes.io/cluster/arcus-alpha-aws-eksCluster-ea89bd5
                            Value: owned
                            PropagateAtLaunch: 'true'
                        UpdatePolicy:
                          AutoScalingRollingUpdate:
                            MinInstancesInService: '1'
                            MaxBatchSize: '1'
                "
 
default-nodeLaunchConfiguration (arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$aws:ec2/launchConfiguration:LaunchConfiguration)
-  aws:ec2/launchConfiguration:LaunchConfiguration (delete)
    [id=default-nodeLaunchConfiguration-acecd06]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$aws:ec2/launchConfiguration:LaunchConfiguration::default-nodeLaunchConfiguration]
    __defaults                  : [
        [0]: "enableMonitoring"
        [1]: "name"
    ]
    associatePublicIpAddress    : false
    ebsBlockDevices             : []
    ebsOptimized                : false
    enableMonitoring            : true
    ephemeralBlockDevices       : []
    iamInstanceProfile          : "mbArcusK8snodeIamRole-instanceProfile-491240b"
    imageId                     : "ami-0dc5bf48daa40eb35"
    instanceType                : "m5.xlarge"
    keyName                     : ""
    name                        : "default-nodeLaunchConfiguration-acecd06"
    rootBlockDevice             : {
        __defaults         : []
        deleteOnTermination: true
        encrypted          : false
        iops               : 0
        volumeSize         : 20
        volumeType         : "gp2"
    }
    securityGroups              : [
        [0]: "sg-0d91c0184d9b80a91"
    ]
    spotPrice                   : ""
    userData                    : "#!/bin/bash

/etc/eks/bootstrap.sh --apiserver-endpoint "https://4FCD18686BE68901EB820B33D4505897.yl4.us-west-2.eks.amazonaws.com" --b64-cluster-ca "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1Ea3dOREl4TURFME9Wb1hEVEk1TURrd01USXhNREUwT1Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTVMxCnpqekVSK1hmT0R0R0Y5ZHV2YXo2VndoNlpxM1dibG9pNEdVVVQ0NDk5ZFdHNis1cXBKcXc0VTZsb01tZ1Y0YXQKVitNK1ZOdktreTNDSU14V1ViNjE3eGdzR3pVYTNIcmtyTFF1UGJRTWgrOXBOOHZKWGFIRFZWNTlZd3E3QUJRYQpmZC9UNVlhcmkrQ3o4YlJQRmtad2hEc1dMUURuSVlPRGR5QzIrc2JBOHgzRkFxdldoMXliMU82V0d1V2s2bFJTCnozbk9JUktKaGp4eVdad2lWdDB0TEF0bitHay9lVW5melljZkpsaWFON1dtN2xhbmpYNFhuOVJaSHdIMnUva1cKUkYyalVFbGdYT2J5NERGaFFVRjIzdEtrbG1TOHM1VkZ4N0J5Z3dxODBTa2pHNW9WbmF4ZTlOTVQxbExRcXVCZwpyeUx0QnMvSzJwUHlydGV3V0VVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFIc3J3K3I0Z0xSK1kydVhBQ2NzcktTYjVFTVgKZXNBR3F3SEw0VXY3QTE1eGhoTGcwTFZ2N2ZHTGo5SnZGcFZKZHkyZXRRcGU5YWdLYXJ2WEtwS1l5TDdXRkpBawo4TmZlYVZJdUtLb3NyVFViMEtaQVlXY0ZaM2lLRm9WNHFveVFvYmJPM2ppaXd1M21nUmRYNEJBTHQxMjV5Wk9WCkR4Um96WHdyZWhqYUhwNHNxVmtSRXdqQTlxVzZWQ1luN3llcEdqc0dNR1k5OUo5amR3aTU4OTVFREczV3ErWXcKSCtxNXRyTFlhYlgzTC80blBXaGkzcEE3azBYWnFCMUc4aE5RNjA3Lzk5Y0hyWS9lSHAzQmM4S2tJeDhKc0dmVgorN2Fwa01KRVBndXVHQU0yYTMrRG9Yay9OYy9UWXpnbHlqa2xzUThKZy80THlLVVJlM29yMmNKelp0VT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" "arcus-alpha-aws-eksCluster-ea89bd5" --kubelet-extra-args --node-labels=dedicated=default
cat >/opt/user-data <<default-4be00ea7-user-data
#!/usr/bin/env bash


// Restrict pod access to instance metadata server
yum install -y iptables-services
iptables --insert FORWARD 1 --in-interface eni+ --destination 169.254.169.254/32 --jump DROP
iptables-save | tee /etc/sysconfig/iptables 
systemctl enable --now iptables

# Remediation for Kubebench 2.1.7:
# Ensure that the --protect-kernel-defaults argument is set to true
# kubelet won't start unless the following kernel settings are set
# See https://github.com/kubernetes/kubernetes/issues/66241

# Set kernel settings
cat << EOF | sudo tee /etc/sysctl.d/90-kubelet.conf
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
EOF
sudo sysctl -p /etc/sysctl.d/90-kubelet.conf

# Update kubelet-config.json
cat /etc/kubernetes/kubelet/kubelet-config.json |     jq '.protectKernelDefaults=true' |     jq '.eventRecordQPS=0'     > /tmp/kubelet-config.json

sudo mv /tmp/kubelet-config.json /etc/kubernetes/kubelet/kubelet-config.json

sudo systemctl restart kubelet
default-4be00ea7-user-data
chmod +x /opt/user-data
/opt/user-data

/opt/aws/bin/cfn-signal --exit-code $? --stack default-4be00ea7 --resource NodeGroup --region us-west-2
"
    vpcClassicLinkId            : ""
    vpcClassicLinkSecurityGroups: []
 
monitoring-nodeLaunchConfiguration (arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$aws:ec2/launchConfiguration:LaunchConfiguration)
-  aws:ec2/launchConfiguration:LaunchConfiguration (delete)
    [id=monitoring-nodeLaunchConfiguration-295c09a]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$aws:ec2/launchConfiguration:LaunchConfiguration::monitoring-nodeLaunchConfiguration]
    __defaults                  : [
        [0]: "enableMonitoring"
        [1]: "name"
    ]
    associatePublicIpAddress    : false
    ebsBlockDevices             : []
    ebsOptimized                : false
    enableMonitoring            : true
    ephemeralBlockDevices       : []
    iamInstanceProfile          : "mbArcusK8sMonitoringNodeIamRole-instanceProfile-3a3647c"
    imageId                     : "ami-0dc5bf48daa40eb35"
    instanceType                : "m5.xlarge"
    keyName                     : ""
    name                        : "monitoring-nodeLaunchConfiguration-295c09a"
    rootBlockDevice             : {
        __defaults         : []
        deleteOnTermination: true
        encrypted          : false
        iops               : 0
        volumeSize         : 20
        volumeType         : "gp2"
    }
    securityGroups              : [
        [0]: "sg-0d91c0184d9b80a91"
    ]
    spotPrice                   : ""
    userData                    : "#!/bin/bash

/etc/eks/bootstrap.sh --apiserver-endpoint "https://4FCD18686BE68901EB820B33D4505897.yl4.us-west-2.eks.amazonaws.com" --b64-cluster-ca "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" "arcus-alpha-aws-eksCluster-ea89bd5" --kubelet-extra-args '--node-labels=dedicated=monitoring --register-with-taints=dedicated=monitoring:NoSchedule'
cat >/opt/user-data <<monitoring-a464f9d4-user-data
#!/usr/bin/env bash


// Restrict pod access to instance metadata server
yum install -y iptables-services
iptables --insert FORWARD 1 --in-interface eni+ --destination 169.254.169.254/32 --jump DROP
iptables-save | tee /etc/sysconfig/iptables 
systemctl enable --now iptables

# Remediation for Kubebench 2.1.7:
# Ensure that the --protect-kernel-defaults argument is set to true
# kubelet won't start unless the following kernel settings are set
# See https://github.com/kubernetes/kubernetes/issues/66241

# Set kernel settings
cat << EOF | sudo tee /etc/sysctl.d/90-kubelet.conf
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
EOF
sudo sysctl -p /etc/sysctl.d/90-kubelet.conf

# Update kubelet-config.json
cat /etc/kubernetes/kubelet/kubelet-config.json |     jq '.protectKernelDefaults=true' |     jq '.eventRecordQPS=0'     > /tmp/kubelet-config.json

sudo mv /tmp/kubelet-config.json /etc/kubernetes/kubelet/kubelet-config.json

sudo systemctl restart kubelet
monitoring-a464f9d4-user-data
chmod +x /opt/user-data
/opt/user-data

/opt/aws/bin/cfn-signal --exit-code $? --stack monitoring-a464f9d4 --resource NodeGroup --region us-west-2
"
    vpcClassicLinkId            : ""
    vpcClassicLinkSecurityGroups: []
 
monitoring-cfnStackName (arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$pulumi-nodejs:dynamic:Resource)
-  pulumi-nodejs:dynamic:Resource (delete)
    [id=monitoring-cfnStackName]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$pulumi-nodejs:dynamic:Resource::monitoring-cfnStackName]
    __provider: "exports.handler = __f0;

var __provider = {check: __f1, diff: __f2, create: __f3, update: __f5, read: __f6, delete: __f7};

function __f1(__0, __1) {
  return (function() {
    with({  }) {

return (olds, news) => Promise.resolve({ inputs: news, failedChecks: [] });

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f2(__0, __1, __2) {
  return (function() {
    with({  }) {

return (id, olds, news) => Promise.resolve({});

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f4(__0) {
  return (function() {
    with({ crypto: require("crypto") }) {

return n => `${n}-${crypto.randomBytes(4).toString("hex")}`;

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f3(__0) {
  return (function() {
    with({ name: "monitoring-cfnStackName", func: __f4 }) {

return (inputs) => Promise.resolve({
                id: name,
                outs: { output: func(inputs.input) },
            });

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f5(__0, __1, __2) {
  return (function() {
    with({ func: __f4 }) {

return (id, olds, news) => Promise.resolve({
                outs: { output: func(news.input) },
            });

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f6(__0, __1) {
  return (function() {
    with({  }) {

return (id, state) => Promise.resolve({ id: id, props: state });

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f7(__0, __1) {
  return (function() {
    with({  }) {

return (id, props) => Promise.resolve();

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f0() {
  return (function() {
    with({ provider: __provider }) {

return () => provider;

    }
  }).apply(undefined, undefined).apply(this, arguments);
}
"
    input     : "monitoring"
 
default-cfnStackName (arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$pulumi-nodejs:dynamic:Resource)
-  pulumi-nodejs:dynamic:Resource (delete)
    [id=default-cfnStackName]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$eks:index:NodeGroup$pulumi-nodejs:dynamic:Resource::default-cfnStackName]
    __provider: "exports.handler = __f0;

var __provider = {check: __f1, diff: __f2, create: __f3, update: __f5, read: __f6, delete: __f7};

function __f1(__0, __1) {
  return (function() {
    with({  }) {

return (olds, news) => Promise.resolve({ inputs: news, failedChecks: [] });

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f2(__0, __1, __2) {
  return (function() {
    with({  }) {

return (id, olds, news) => Promise.resolve({});

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f4(__0) {
  return (function() {
    with({ crypto: require("crypto") }) {

return n => `${n}-${crypto.randomBytes(4).toString("hex")}`;

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f3(__0) {
  return (function() {
    with({ name: "default-cfnStackName", func: __f4 }) {

return (inputs) => Promise.resolve({
                id: name,
                outs: { output: func(inputs.input) },
            });

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f5(__0, __1, __2) {
  return (function() {
    with({ func: __f4 }) {

return (id, olds, news) => Promise.resolve({
                outs: { output: func(news.input) },
            });

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f6(__0, __1) {
  return (function() {
    with({  }) {

return (id, state) => Promise.resolve({ id: id, props: state });

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f7(__0, __1) {
  return (function() {
    with({  }) {

return (id, props) => Promise.resolve();

    }
  }).apply(undefined, undefined).apply(this, arguments);
}

function __f0() {
  return (function() {
    with({ provider: __provider }) {

return () => provider;

    }
  }).apply(undefined, undefined).apply(this, arguments);
}
"
    input     : "default"
 
mbArcusK8snodeIamRole-instanceProfile (aws:iam:InstanceProfile)
-  aws:iam/instanceProfile:InstanceProfile (delete)
    [id=mbArcusK8snodeIamRole-instanceProfile-491240b]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::aws:iam/instanceProfile:InstanceProfile::mbArcusK8snodeIamRole-instanceProfile]
    __defaults: [
        [0]: "name"
        [1]: "path"
    ]
    name      : "mbArcusK8snodeIamRole-instanceProfile-491240b"
    path      : "/"
    role      : "mbArcusK8snodeIamRole"
    roles     : [
        [0]: "mbArcusK8snodeIamRole"
    ]
 
mbArcusK8sMonitoringNodeIamRole-instanceProfile (aws:iam:InstanceProfile)
-  aws:iam/instanceProfile:InstanceProfile (delete)
    [id=mbArcusK8sMonitoringNodeIamRole-instanceProfile-3a3647c]
    [urn=urn:pulumi:alpha::aws-arcus-kitchensink::aws:iam/instanceProfile:InstanceProfile::mbArcusK8sMonitoringNodeIamRole-instanceProfile]
    __defaults: [
        [0]: "name"
        [1]: "path"
    ]
    name      : "mbArcusK8sMonitoringNodeIamRole-instanceProfile-3a3647c"
    path      : "/"
    role      : "mbArcusK8sMonitoringNodeIamRole"
    roles     : [
        [0]: "mbArcusK8sMonitoringNodeIamRole"
    ]
 
Stack Outputs:
    ClusterName     : "arcus-alpha-aws-eksCluster-ea89bd5"
    eksSecurityGroup: {
        arn                : "arn:aws:ec2:us-west-2:12345678910:security-group/sg-0286b3d0cb2054105"
        description        : "Managed by Pulumi"
        egress             : [
            [0]: {
                cidrBlocks    : [
                    [0]: "0.0.0.0/0"
                ]
                description   : "Allow internet access."
                fromPort      : 0
                ipv6CidrBlocks: []
                prefixListIds : []
                protocol      : "-1"
                securityGroups: []
                self          : false
                toPort        : 0
            }
        ]
        id                 : "sg-0286b3d0cb2054105"
        ingress            : [
            [0]: {
                cidrBlocks    : []
                description   : "Allow pods to communicate with the cluster API Server"
                fromPort      : 443
                ipv6CidrBlocks: []
                prefixListIds : []
                protocol      : "tcp"
                securityGroups: [
                    [0]: "sg-0d91c0184d9b80a91"
                ]
                self          : false
                toPort        : 443
            }
        ]
        name               : "arcus-alpha-aws-eksClusterSecurityGroup-6e13ec6"
        ownerId            : "12345678910"
        revokeRulesOnDelete: true
        tags               : {
            Name: "arcus-alpha-aws-eksClusterSecurityGroup"
        }
        urn                : "urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$aws:ec2/securityGroup:SecurityGroup::arcus-alpha-aws-eksClusterSecurityGroup"
        vpcId              : "vpc-06d60c2448bd0f1eb"
    }
    keyArns         : {
        ebsvolume: "arn:aws:kms:us-west-2:12345678910:key/2cdacf59-0f30-4a0e-a7d1-bde4f700e4e0"
        sops     : "arn:aws:kms:us-west-2:12345678910:key/7cd1a365-ac7c-4e24-9ca3-596cddd56ce4"
    }
    kubeconfig      : {
        apiVersion     : "v1"
        clusters       : [
            [0]: {
                cluster: {
                    certificate-authority-data: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1Ea3dOREl4TURFME9Wb1hEVEk1TURrd01USXhNREUwT1Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTVMxCnpqekVSK1hmT0R0R0Y5ZHV2YXo2VndoNlpxM1dibG9pNEdVVVQ0NDk5ZFdHNis1cXBKcXc0VTZsb01tZ1Y0YXQKVitNK1ZOdktreTNDSU14V1ViNjE3eGdzR3pVYTNIcmtyTFF1UGJRTWgrOXBOOHZKWGFIRFZWNTlZd3E3QUJRYQpmZC9UNVlhcmkrQ3o4YlJQRmtad2hEc1dMUURuSVlPRGR5QzIrc2JBOHgzRkFxdldoMXliMU82V0d1V2s2bFJTCnozbk9JUktKaGp4eVdad2lWdDB0TEF0bitHay9lVW5melljZkpsaWFON1dtN2xhbmpYNFhuOVJaSHdIMnUva1cKUkYyalVFbGdYT2J5NERGaFFVRjIzdEtrbG1TOHM1VkZ4N0J5Z3dxODBTa2pHNW9WbmF4ZTlOTVQxbExRcXVCZwpyeUx0QnMvSzJwUHlydGV3V0VVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFIc3J3K3I0Z0xSK1kydVhBQ2NzcktTYjVFTVgKZXNBR3F3SEw0VXY3QTE1eGhoTGcwTFZ2N2ZHTGo5SnZGcFZKZHkyZXRRcGU5YWdLYXJ2WEtwS1l5TDdXRkpBawo4TmZlYVZJdUtLb3NyVFViMEtaQVlXY0ZaM2lLRm9WNHFveVFvYmJPM2ppaXd1M21nUmRYNEJBTHQxMjV5Wk9WCkR4Um96WHdyZWhqYUhwNHNxVmtSRXdqQTlxVzZWQ1luN3llcEdqc0dNR1k5OUo5amR3aTU4OTVFREczV3ErWXcKSCtxNXRyTFlhYlgzTC80blBXaGkzcEE3azBYWnFCMUc4aE5RNjA3Lzk5Y0hyWS9lSHAzQmM4S2tJeDhKc0dmVgorN2Fwa01KRVBndXVHQU0yYTMrRG9Yay9OYy9UWXpnbHlqa2xzUThKZy80THlLVVJlM29yMmNKelp0VT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
                    server                    : "https://4FCD18686BE68901EB820B33D4505897.yl4.us-west-2.eks.amazonaws.com"
                }
                name   : "kubernetes"
            }
        ]
        contexts       : [
            [0]: {
                context: {
                    cluster: "kubernetes"
                    user   : "aws"
                }
                name   : "aws"
            }
        ]
        current-context: "aws"
        kind           : "Config"
        users          : [
            [0]: {
                name: "aws"
                user: {
                    exec: {
                        apiVersion: "client.authentication.k8s.io/v1alpha1"
                        args      : [
                            [0]: "token"
                            [1]: "-i"
                            [2]: "arcus-alpha-aws-eksCluster-ea89bd5"
                        ]
                        command   : "aws-iam-authenticator"
                    }
                }
            }
        ]
    }
    nodeGroups      : [
        [0]: {
            amiType       : "AL2_x86_64"
            arn           : "arn:aws:eks:us-west-2:12345678910:nodegroup/arcus-alpha-aws-eksCluster-ea89bd5/monitoring/a2b778a2-63c8-cc90-5898-7fb6bdfb9dfb"
            clusterName   : "arcus-alpha-aws-eksCluster-ea89bd5"
            diskSize      : 20
            id            : "arcus-alpha-aws-eksCluster-ea89bd5:monitoring"
            instanceTypes : "m5.xlarge"
            labels        : {
                dedicated: "monitoring"
            }
            nodeGroupName : "monitoring"
            nodeRoleArn   : "arn:aws:iam::12345678910:role/mbArcusK8sMonitoringNodeIamRole"
            releaseVersion: "1.14.7-20190927"
            remoteAccess  : null
            resources     : [
                [0]: {
                    autoscalingGroups          : [
                        [0]: {
                            name: "eks-a2b778a2-63c8-cc90-5898-7fb6bdfb9dfb"
                        }
                    ]
                    remoteAccessSecurityGroupId: ""
                }
            ]
            scalingConfig : {
                desiredSize: 3
                maxSize    : 20
                minSize    : 3
            }
            status        : "ACTIVE"
            subnetIds     : [
                [0]: "subnet-0ec8e4b78ddd7533e"
                [1]: "subnet-032c5bbeb3a7c81ab"
                [2]: "subnet-07211269220b7d287"
                [3]: "subnet-087f8b25a52c87c11"
                [4]: "subnet-05ec7dc0e6e851eb5"
                [5]: "subnet-0137ec7974cf025e4"
            ]
            tags          : {}
            urn           : "urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$aws:eks/nodeGroup:NodeGroup::monitoring"
            version       : "1.14"
        }
        [1]: {
            amiType       : "AL2_x86_64"
            arn           : "arn:aws:eks:us-west-2:12345678910:nodegroup/arcus-alpha-aws-eksCluster-ea89bd5/default/7eb778a2-6372-8dd8-d03b-f23502185f72"
            clusterName   : "arcus-alpha-aws-eksCluster-ea89bd5"
            diskSize      : 20
            id            : "arcus-alpha-aws-eksCluster-ea89bd5:default"
            instanceTypes : "m5.xlarge"
            labels        : {
                dedicated: "default"
            }
            nodeGroupName : "default"
            nodeRoleArn   : "arn:aws:iam::12345678910:role/mbArcusK8snodeIamRole"
            releaseVersion: "1.14.7-20190927"
            remoteAccess  : null
            resources     : [
                [0]: {
                    autoscalingGroups          : [
                        [0]: {
                            name: "eks-7eb778a2-6372-8dd8-d03b-f23502185f72"
                        }
                    ]
                    remoteAccessSecurityGroupId: ""
                }
            ]
            scalingConfig : {
                desiredSize: 3
                maxSize    : 20
                minSize    : 3
            }
            status        : "ACTIVE"
            subnetIds     : [
                [0]: "subnet-0ec8e4b78ddd7533e"
                [1]: "subnet-032c5bbeb3a7c81ab"
                [2]: "subnet-07211269220b7d287"
                [3]: "subnet-087f8b25a52c87c11"
                [4]: "subnet-05ec7dc0e6e851eb5"
                [5]: "subnet-0137ec7974cf025e4"
            ]
            tags          : {}
            urn           : "urn:pulumi:alpha::aws-arcus-kitchensink::arcus:cluster$eks:index:Cluster$aws:eks/nodeGroup:NodeGroup::default"
            version       : "1.14"
        }
    ]
    serviceInfra    : {
        createdBuckets: [
            [0]: {
                bucket: {
                    accelerationStatus               : ""
                    acl                              : "private"
                    arn                              : "arn:aws:s3:::mb-arcus-app-identity-sandbox-bucket-da95465"
                    bucket                           : "mb-arcus-app-identity-sandbox-bucket-da95465"
                    bucketDomainName                 : "mb-arcus-app-identity-sandbox-bucket-da95465.s3.amazonaws.com"
                    bucketRegionalDomainName         : "mb-arcus-app-identity-sandbox-bucket-da95465.s3.us-west-2.amazonaws.com"
                    corsRules                        : []
                    forceDestroy                     : false
                    hostedZoneId                     : "Z3BJ6K6RIION7M"
                    id                               : "mb-arcus-app-identity-sandbox-bucket-da95465"
                    lifecycleRules                   : []
                    loggings                         : []
                    objectLockConfiguration          : null
                    region                           : "us-west-2"
                    replicationConfiguration         : null
                    requestPayer                     : "BucketOwner"
                    serverSideEncryptionConfiguration: {
                        rule: {
                            applyServerSideEncryptionByDefault: {
                                kmsMasterKeyId: ""
                                sseAlgorithm  : "AES256"
                            }
                        }
                    }
                    tags                             : {}
                    urn                              : "urn:pulumi:alpha::aws-arcus-kitchensink::arcus:Bucket$aws:s3/bucket:Bucket::mb-arcus-app-identity-sandbox-bucket"
                    versioning                       : {
                        enabled  : false
                        mfaDelete: false
                    }
                    website                          : null
                }
                urn   : "urn:pulumi:alpha::aws-arcus-kitchensink::arcus:Bucket::mb-arcus-app-identity-sandbox-bucket"
            }
            [1]: {
                bucket: {
                    accelerationStatus               : ""
                    acl                              : "private"
                    arn                              : "arn:aws:s3:::mb-arcus-app-sample-cf00694"
                    bucket                           : "mb-arcus-app-sample-cf00694"
                    bucketDomainName                 : "mb-arcus-app-sample-cf00694.s3.amazonaws.com"
                    bucketRegionalDomainName         : "mb-arcus-app-sample-cf00694.s3.us-west-2.amazonaws.com"
                    corsRules                        : []
                    forceDestroy                     : false
                    hostedZoneId                     : "Z3BJ6K6RIION7M"
                    id                               : "mb-arcus-app-sample-cf00694"
                    lifecycleRules                   : []
                    loggings                         : []
                    objectLockConfiguration          : null
                    region                           : "us-west-2"
                    replicationConfiguration         : null
                    requestPayer                     : "BucketOwner"
                    serverSideEncryptionConfiguration: {
                        rule: {
                            applyServerSideEncryptionByDefault: {
                                kmsMasterKeyId: ""
                                sseAlgorithm  : "AES256"
                            }
                        }
                    }
                    tags                             : {}
                    urn                              : "urn:pulumi:alpha::aws-arcus-kitchensink::arcus:Bucket$aws:s3/bucket:Bucket::mb-arcus-app-sample"
                    versioning                       : {
                        enabled  : false
                        mfaDelete: false
                    }
                    website                          : null
                }
                urn   : "urn:pulumi:alpha::aws-arcus-kitchensink::arcus:Bucket::mb-arcus-app-sample"
            }
        ]
        createdRoles  : [
            [0]: {
                arn                : "arn:aws:iam::12345678910:role/mb-arcus-app-identity-sandbox-role"
                assumeRolePolicy   : "{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::12345678910:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/4FCD18686BE68901EB820B33D4505897"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"oidc.eks.us-west-2.amazonaws.com/id/4FCD18686BE68901EB820B33D4505897:sub":"system:serviceaccount:identity-sandbox:identity-sandbox-serviceaccount"}}}]}"
                createDate         : "2019-12-03T15:17:52Z"
                description        : "Managed by Pulumi. Allows K8s service to IAM"
                forceDetachPolicies: false
                id                 : "mb-arcus-app-identity-sandbox-role"
                maxSessionDuration : 3600
                name               : "mb-arcus-app-identity-sandbox-role"
                path               : "/"
                tags               : {}
                uniqueId           : "AROAS35WIARUNFHA3B3LX"
                urn                : "urn:pulumi:alpha::aws-arcus-kitchensink::aws:iam/role:Role::mb-arcus-app-identity-sandbox-role"
            }
            [1]: {
                arn                : "arn:aws:iam::12345678910:role/mb-arcus-app-sample-apigateway-role"
                assumeRolePolicy   : "{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::12345678910:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/4FCD18686BE68901EB820B33D4505897"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"oidc.eks.us-west-2.amazonaws.com/id/4FCD18686BE68901EB820B33D4505897:sub":"system:serviceaccount:sample:sample-serviceaccount"}}}]}"
                createDate         : "2019-12-03T15:17:52Z"
                description        : "Managed by Pulumi. Allows K8s service to IAM"
                forceDetachPolicies: false
                id                 : "mb-arcus-app-sample-apigateway-role"
                maxSessionDuration : 3600
                name               : "mb-arcus-app-sample-apigateway-role"
                path               : "/"
                tags               : {}
                uniqueId           : "AROAS35WIARUPD6O5FLUN"
                urn                : "urn:pulumi:alpha::aws-arcus-kitchensink::aws:iam/role:Role::mb-arcus-app-sample-apigateway-role"
            }
        ]
    }

Affected product version(s)

pulumi/eks 0.18.18

Reproducing the issue

Have not attempted repro yet. However, this same issue happened in all 4 environments updated with the same code in the same manner.

Cluster code

import * as eks from '@pulumi/eks';
import { ClusterOpts } from '../config/types/ClusterOpts';
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';

/**
 * KubernetesCluster is a custom component that wraps an EKS cluster and managed
 * node groups.
 *
 * @export
 * @class KubernetesCluster
 * @extends {pulumi.ComponentResource}
 */
export class KubernetesCluster extends pulumi.ComponentResource {
  public readonly eksCluster: eks.Cluster;
  public readonly nodeGroups: aws.eks.NodeGroup[];

  public readonly ClusterName: pulumi.Output<string>;

  /**
   * Create a new EKS cluster with managed worker nodes.
   *
   * @param clusterOpts Options for creating the cluster.
   * @param networkStack Stack output containing target VPC configuration.
   *
   */
  constructor(clusterOpts: ClusterOpts, networkStack: pulumi.StackReference) {
    super('arcus:cluster', clusterOpts.name);

    // VPC and subnets come from the network stack's outputs.
    const vpcId = networkStack.getOutput('vpcID') as pulumi.Output<string>;
    const subnetIds = networkStack.getOutput('clusterSubnets') as pulumi.Input<
      pulumi.Input<string>[]
    >;

    // IAM roles that pulumi/eks maps to Kubernetes users/groups in aws-auth.
    const clusterRoleMappings = clusterOpts.roleMappings.map(role => {
      const k8sRole: eks.RoleMapping = {
        roleArn: GetARN(role.role),
        username: role.k8sUsername,
        groups: role.k8sGroups
      };
      return k8sRole;
    });

    // Create the EKS cluster
    this.eksCluster = new eks.Cluster(
      // Name
      clusterOpts.name,
      // ClusterArgs
      {
        subnetIds,
        vpcId,
        roleMappings: clusterRoleMappings,
        ...clusterOpts.options
      },
      // Pulumi component options
      {
        parent: this
      }
    );

    // Grab the cluster name
    this.ClusterName = this.eksCluster.eksCluster.name;

    // Create managed node groups. Each node group's IAM role is supplied only
    // as nodeRoleArn here; the cluster's instanceRoles option is not set.
    this.nodeGroups = clusterOpts.nodeGroups.map(ng => {
      return eks.createManagedNodeGroup(
        // Name
        ng.nodeGroupName.toString(),
        // ManagedNodeGroupOptions
        {
          nodeRoleArn: GetARN(ng.role),
          cluster: this.eksCluster,
          ...ng
        },
        // Pulumi parent
        this.eksCluster
      );
    });

    this.registerOutputs({
      ClusterName: this.ClusterName,
      nodeGroups: this.nodeGroups
    });
  }
}

/**
 * Fetch the ARN from an AWS role name. The role name doubles as the Pulumi
 * resource name of the lookup, so each role should be looked up once.
 *
 * @param {string} role The name of the role
 * @returns {pulumi.Output<string>} The role's ARN
 */
function GetARN(role: string): pulumi.Output<string> {
  return aws.iam.Role.get(role, role).arn;
}

Suggestions for a fix

Manually fixed by truing up the configMap. Appears there is a conflict between defining roles and AWS generating a node role.

@casey-robertson (Author)

@lukehoban tagging you per slack conversation

@lukehoban lukehoban self-assigned this Dec 19, 2019
@lukehoban lukehoban added this to the 0.30 milestone Dec 19, 2019
@lukehoban (Member)

lukehoban commented Dec 20, 2019

We got a more complete isolated repro for this offline:

// Bug repro showing that changing roleMappings on a cluster will remove the managed node group's role
// from the aws-config.yaml and cause the nodes to go offline.
// Run pulumi up (works), switch the comment from line 31 to 32 and run pulumi up again (nodes will go offline after a few minutes).
import * as aws from '@pulumi/aws';
import * as eks from '@pulumi/eks';
// IAM role for the node group.
const ngRole = createRole('example-ng-role1');
// IAM roles for role mapping
const role1 = createRole('example-role2');
const role2 = createRole('example-role3');
const roleMapping1: eks.RoleMapping = {
  roleArn: role1.arn,
  username: 'roleMapping1',
  groups: ['system:masters']
};
const roleMapping2: eks.RoleMapping = {
  roleArn: role2.arn,
  username: 'roleMapping2',
  groups: ['system:masters']
};
// Create an EKS cluster.
const cluster = new eks.Cluster('example-managed-nodegroups', {
  skipDefaultNodeGroup: true,
  deployDashboard: false,
  // roleMappings: [roleMapping1, roleMapping2]
  roleMappings: [roleMapping1]
});
// Export the cluster's kubeconfig.
export const kubeconfig = cluster.kubeconfig;
// Create a simple AWS managed node group using a cluster as input.
eks.createManagedNodeGroup(
  'example-managed-ng1',
  {
    cluster: cluster,
    nodeGroupName: 'aws-managed-ng1',
    nodeRoleArn: ngRole.arn,
    scalingConfig: {
      desiredSize: 1,
      minSize: 1,
      maxSize: 1
    }
  },
  cluster
);
// Creates a role and attaches the EKS worker node IAM managed policies
function createRole(name: string): aws.iam.Role {
  const managedPolicyArns: string[] = [
    'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy',
    'arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy',
    'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly'
  ];
  const role = new aws.iam.Role(name, {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
      Service: 'ec2.amazonaws.com'
    })
  });
  let counter = 0;
  managedPolicyArns.forEach(policy => {
    new aws.iam.RolePolicyAttachment(`${name}-policy-${counter++}`, {
      policyArn: policy,
      role: role
    });
  });
  return role;
}

This is the config map after the first run:

❯ k get configmap -n kube-system aws-auth -o yaml
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:masters
      rolearn: arn:aws:iam::048653383995:role/example-role2-c6ab086
      username: roleMapping1
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::048653383995:role/example-managed-nodegroups-instanceRole-role-c91c53b
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::048653383995:role/example-ng-role1-902ed97
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"mapRoles":"- rolearn: 'arn:aws:iam::048653383995:role/example-role2-c6ab086'\n  username: roleMapping1\n  groups:\n    - 'system:masters'\n- rolearn: \u003e-\n    arn:aws:iam::048653383995:role/example-managed-nodegroups-instanceRole-role-c91c53b\n  username: 'system:node:{{EC2PrivateDNSName}}'\n  groups:\n    - 'system:bootstrappers'\n    - 'system:nodes'\n"},"kind":"ConfigMap","metadata":{"labels":{"app.kubernetes.io/managed-by":"pulumi"},"name":"aws-auth","namespace":"kube-system"}}
  creationTimestamp: "2019-12-20T18:02:37Z"
  labels:
    app.kubernetes.io/managed-by: pulumi
  name: aws-auth
  namespace: kube-system
  resourceVersion: "624"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: e7d4f132-2352-11ea-aa22-067d9e0381be

This is the configmap after the second run:

❯ k get configmap -n kube-system aws-auth -o yaml
apiVersion: v1
data:
  mapRoles: |
    - rolearn: 'arn:aws:iam::048653383995:role/example-role2-c6ab086'
      username: roleMapping1
      groups:
        - 'system:masters'
    - rolearn: 'arn:aws:iam::048653383995:role/example-role3-ed1a8c5'
      username: roleMapping2
      groups:
        - 'system:masters'
    - rolearn: >-
        arn:aws:iam::048653383995:role/example-managed-nodegroups-instanceRole-role-c91c53b
      username: 'system:node:{{EC2PrivateDNSName}}'
      groups:
        - 'system:bootstrappers'
        - 'system:nodes'
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"mapRoles":"- rolearn: 'arn:aws:iam::048653383995:role/example-role2-c6ab086'\n  username: roleMapping1\n  groups:\n    - 'system:masters'\n- rolearn: 'arn:aws:iam::048653383995:role/example-role3-ed1a8c5'\n  username: roleMapping2\n  groups:\n    - 'system:masters'\n- rolearn: \u003e-\n    arn:aws:iam::048653383995:role/example-managed-nodegroups-instanceRole-role-c91c53b\n  username: 'system:node:{{EC2PrivateDNSName}}'\n  groups:\n    - 'system:bootstrappers'\n    - 'system:nodes'\n"},"kind":"ConfigMap","metadata":{"labels":{"app.kubernetes.io/managed-by":"pulumi"},"name":"aws-auth","namespace":"kube-system"}}
  creationTimestamp: "2019-12-20T18:06:41Z"
  labels:
    app.kubernetes.io/managed-by: pulumi
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1000"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 794ecea4-2353-11ea-84a9-0242430d5ecc

You can see that this role map disappeared:

    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::048653383995:role/example-ng-role1-902ed97
      username: system:node:{{EC2PrivateDNSName}}
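
A check for what the two ConfigMaps above show (and for the NotReady symptom in the issue report), as an added example that is not part of this issue or of pulumi/eks: it parses the mapRoles text in both layouts seen here, the one EKS writes and the one pulumi/eks writes, and reports which node-group role ARNs have no worker-node mapping. The ConfigMap samples are constructed from the outputs above, trimmed, with a placeholder account ID; the role names are hypothetical.

```python
import re
from typing import Dict, List

# aws-auth conventions for worker-node roles (what EKS writes for a managed
# node group and what pulumi/eks writes for instanceRoles).
NODE_USERNAME = "system:node:{{EC2PrivateDNSName}}"
NODE_GROUPS = frozenset({"system:bootstrappers", "system:nodes"})
_KEY_RE = re.compile(r"^(rolearn|username|groups):\s*(.*)$")

def _unquote(value: str) -> str:
    """Strip one layer of matching single or double quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value

def parse_map_roles(text: str) -> List[Dict]:
    """Parse aws-auth mapRoles text (both layouts seen in this thread) into dicts."""
    entries: List[Dict] = []
    current: Dict = {}
    folded_key = None  # key whose value sits on the following line (>- / |-)
    in_groups = False  # subsequent "- item" lines belong to current["groups"]
    for raw in text.splitlines():
        content = raw.strip()
        if not content:
            continue
        if folded_key is not None:
            current[folded_key] = _unquote(content)
            folded_key = None
            continue
        if content.startswith("- "):
            body = content[2:].strip()
            if _KEY_RE.match(body):
                # "- rolearn: ..." or "- groups:" starts a new mapping entry
                current = {"groups": []}
                entries.append(current)
                in_groups = False
                content = body
            elif in_groups and current:
                current["groups"].append(_unquote(body))
                continue
            else:
                raise ValueError(f"unexpected list item: {raw!r}")
        match = _KEY_RE.match(content)
        if match is None or not current:
            raise ValueError(f"unrecognised mapRoles line: {raw!r}")
        key, value = match.group(1), match.group(2).strip()
        if key == "groups":
            in_groups = True
            continue
        in_groups = False
        if value in (">", ">-", "|", "|-"):
            folded_key = key
        else:
            current[key] = _unquote(value)
    return entries

def missing_node_roles(map_roles_text: str, node_role_arns: List[str]) -> List[str]:
    """Return node-group role ARNs that have no usable worker-node mapping."""
    # Only a full match counts: the kubelet username plus both node groups.
    usable = {
        entry.get("rolearn")
        for entry in parse_map_roles(map_roles_text)
        if entry.get("username") == NODE_USERNAME
        and NODE_GROUPS <= set(entry["groups"])
    }
    return [arn for arn in node_role_arns if arn not in usable]

# Constructed samples modelled on the two ConfigMaps above, with a placeholder
# account ID and hypothetical role names (not real resources).
NG_ROLE = "arn:aws:iam::123456789012:role/example-ng-role1"

# After the first run: EKS has added the node group's role (groups-first layout).
AFTER_FIRST_RUN = """\
- groups:
  - system:masters
  rolearn: arn:aws:iam::123456789012:role/example-role2
  username: roleMapping1
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::123456789012:role/example-ng-role1
  username: system:node:{{EC2PrivateDNSName}}
"""

# After the second run: pulumi/eks rewrote the map from its own inputs; the
# node group's role is gone.
AFTER_SECOND_RUN = """\
- rolearn: 'arn:aws:iam::123456789012:role/example-role2'
  username: roleMapping1
  groups:
    - 'system:masters'
- rolearn: >-
    arn:aws:iam::123456789012:role/example-managed-nodegroups-instanceRole-role
  username: 'system:node:{{EC2PrivateDNSName}}'
  groups:
    - 'system:bootstrappers'
    - 'system:nodes'
"""
```

Feed it the live value from `kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapRoles}'` and the nodeRoleArn of each managed node group (shown under nodeGroups in the stack outputs above); a non-empty result is the state that left the nodes NotReady. The workaround the thread settles on is passing the node group's role in instanceRoles on eks.Cluster, so pulumi/eks writes that entry itself instead of relying on the one EKS adds when the managed node group is created, which the next pulumi up overwrites.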

@lukehoban (Member)

A couple more notes from offline discussion:

FYI, setting instanceRoles on the cluster did fix the issue.
Long story short:

  1. Bug is real (example repro code above).
  2. We have a workaround (setting instanceRoles on the cluster).

And

I don't like the inconsistency in what is passed to the two classes but that's not our problem to solve right now. One takes an ARN, the other takes a role.

@lukehoban lukehoban assigned metral and unassigned lukehoban Dec 20, 2019
@lukehoban lukehoban modified the milestones: 0.30, 0.31 Dec 20, 2019
@metral metral added bug customer/feedback Feedback from customers and removed customer/feedback Feedback from customers labels Jan 6, 2020
@lukehoban lukehoban modified the milestones: 0.31, 0.32 Feb 10, 2020
@infin8x infin8x added the kind/bug Some behavior is incorrect or out of spec label Jul 10, 2021