Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[aws-eks] All eks.ServiceAccount constructs Are Added to Cluster Stack

See original GitHub issue

Let’s say we have three stacks:

EKS Cluster Stack

export class EksStack extends cdk.Stack {
  public readonly cluster: eks.Cluster;
  //  all the stuff needed to build an EKS cluster goes here;
  this.cluster = new eks.Cluster(this, 'EksCluster', clusterProps);
}

K8S Namespaces Stack

export interface K8SResourcesProps extends cdk.StackProps {
  readonly cluster: eks.Cluster;
}

export class K8SResourcesStack extends cdk.Stack {
  public readonly cluster: eks.Cluster;
  constructor(scope: cdk.Construct, id: string, props: K8SResourcesProps) {
    super(scope, id, props);

    new eks.KubernetesResource(this, 'MyNamespace', {
      cluster: props.cluster,
      manifest: loadManifestFile('k8s/my-namespace.yaml'),
    });
}

Service Accounts Stack

export interface K8SServiceAccountsProps extends cdk.StackProps {
  readonly cluster: eks.Cluster;
}

export class K8SServiceAccountsStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props: K8SServiceAccountsProps) {
    super(scope, id, props);

    const account = new eks.ServiceAccount(this.cluster, accountName, {
      cluster: props.cluster,
      name: accountName,
      namespace: accountNamespace,
    });
   // add some policies to the account;
}

Now the problem is, in the generated templates, service account resources are part of the Cluster stack (i.e. K8SServiceAccountsStack template is empty). I’m surprised by this, because for the namespaces stack, this is not the case, meaning, resources defined in the namespaces stacks are indeed part of the namespaces stack.

Reproduction Steps

Create a stack containing a simple EKS cluster.
Create another stack containing service account resources for the cluster created above.
Generated the templates. (The second stack is empty.)

Environment

CLI Version : aws-cli/2.0.24 Python/3.7.4 Darwin/19.6.0 botocore/2.0.0dev28
Framework Version: 1.54.0 (build c01b9b9)
Node.js Version: v14.5.0
OS : Mac OS X 10.15.6
Language (Version): typescript ~3.7.2

Other

I think this is important, since this way we cannot share a cluster stack we other stack and make sure about the ownership of the resources.

This is 🐛 Bug Report

Issue Analytics

State:
Created 3 years ago
Comments:5 (4 by maintainers)

Top GitHub Comments

1reaction

iliapolocommented, Aug 11, 2020

@akefirad Now you are not doing anything wrong 😃

Unfortunately you stumbled upon this bug: https://github.com/aws/aws-cdk/issues/8884

As a workaround, define the ServiceAccount in the same stack as the cluster, we are actively working on a fix.

0reactions

iliapolocommented, Aug 23, 2020

@otterley Thanks - You’re right.

The service account resource itself will always be created in the cluster stack, regardless of the scope of the ServiceAccount construct. This is also what causes the circular dependency.

The fix is already ready and awaiting review so stay tuned.

https://github.com/aws/aws-cdk/pull/9701