[aws-eks] Can we remove the use of {cluster resource,kubectl} provider completely if the situation is changed?
General Issue
This is a summary of my understandings and questions about why we don’t use CfnCluster directly, and whether it’ll be forever like this. Correct me if I’m wrong. Thanks.
If I understand correctly, the following issues are major reasons why we have {cluster resource,kubectl} providers.
- EKS RBAC is tied to who created the cluster: https://github.com/aws/containers-roadmap/issues/554
- Related? EKS API to manage cluster auth: https://github.com/aws/containers-roadmap/issues/185#issuecomment-706636321
- CF doesn’t support some features that the REST API supports (?)
So we use a cluster resource provider to delegate the creation/management of an EKS cluster. We have 2 roles so far:
- `adminRole` (== `kubectlRole`): Creates and manages the EKS cluster, and issues kubectl commands. For CF automation. Cannot be changed.
- `mastersRole`: For users. Users assume this. Can be changed.
Quickstart Amazon EKS takes a similar approach for this, but with a custom `AWSQS::EKS::Cluster` type: https://github.com/aws-quickstart/quickstart-amazon-eks/
(I feel like this is re:inventing wheels around the limitations, not fixing the core problem. It looks like it would support import since it implements an update handler, but it is more complex. Why isn’t it public/upstream?)
The Question
- Would it be possible if the situation changed? What if we have an `AdminRole` option? What if we have an EKS API to manage IAM permissions for a cluster? Even without the fix, what if `new eks.Cluster()` spawns a nested stack that has a `cloudFormationExecutionRoleArn: adminRole`? Or can we put `AWS::EKS::Cluster` directly on our stack, and delegate only unsupported options such as `endpointPrivateAccess`?
- If all the restrictions are gone, so all the providers become obsolete, how do we migrate after that? Would it be simply setting the deletion policy to `Retain` and importing them into the main stack?
Issue Analytics
- Created 3 years ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments
I understand that. Thank you for replying to the question 😃