Deprecate ssh.enableSsm and disallow enabling it #3989

Merged
merged 9 commits into from Aug 16, 2021

Collaborator

@cPu1 cPu1 commented Jul 19, 2021

Description

SSM is now enabled by default and cannot be disabled.

Closes #3882

TODO:

  • Add tests
  • Fix tests
  • Update documentation

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes
  • (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

@cPu1 cPu1 force-pushed the ssm-update branch 4 times, most recently from a0aefae to 06005bb Compare July 22, 2021 09:24
@cPu1 cPu1 marked this pull request as draft July 22, 2021 10:03
@cPu1 cPu1 marked this pull request as ready for review August 16, 2021 12:16
Collaborator Author

cPu1 commented Aug 16, 2021

The link checker check is failing because gopherize.me is returning a 500.

if ng.SSH != nil {
if enableSSM := ng.SSH.EnableSSM; enableSSM != nil {
if !*enableSSM {
return errors.New("SSM agent is now built into EKS AMIs and cannot be disabled")
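
Review bot: the error returned in the `!*enableSSM` branch says only that SSM "cannot be disabled" and does not name the config field that triggered it. Consider mentioning `ssh.enableSsm` in the message and telling the user to remove the setting, so the failing field can be found from the error alone. The visible lines also do not show what happens when `*enableSSM` is true; if the field is deprecated, that branch is where a deprecation warning belongs.
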
Contributor

It can be disabled by using a custom AMI, right?

Collaborator Author

@cPu1 cPu1 Aug 16, 2021

Good question. The SSM policy will always be added to the node role now, including for custom AMIs, just like we add certain default policies like the CNI plugin policy (if withOIDC is not set), but it can be disabled/overridden by providing attachPolicyARNs.
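
The override described in the reply above, written out as an eksctl config. This is an added example, not taken from the PR or the eksctl docs; the cluster name, region, nodegroup name and AMI ID are constructed placeholders, and the effect on the SSM policy is as stated in the comment above.

```yaml
# Constructed example: nodegroup whose node role carries an explicit policy list.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: example-cluster        # placeholder
  region: eu-west-1            # placeholder

nodeGroups:
  - name: ng-custom-ami        # placeholder
    ami: ami-PLACEHOLDER       # custom AMI, as in the question above
    overrideBootstrapCommand: |
      #!/bin/bash
      /etc/eks/bootstrap.sh example-cluster
    # ssh.enableSsm is left unset: per this PR, setting it to false is rejected.
    iam:
      # An explicit list replaces the policies eksctl would attach by default,
      # so the baseline node policies have to be listed again by hand.
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        # arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore is deliberately
        # not listed, so the node role gets no Systems Manager permissions.
```

After creating the nodegroup, `aws iam list-attached-role-policies --role-name <node role>` shows which policies actually ended up on the node role.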

@cPu1 cPu1 merged commit 95c4f62 into eksctl-io:main Aug 16, 2021
Successfully merging this pull request may close these issues.

SSM agent built into AL2 AMIs