
(eks): AwsAuth not updated, kubectl commands failing in CustomResources


Our CDK cluster recently started experiencing failures where our CustomResources are not authorized to call kubectl. All kubectl commands fail with: error: You must be logged in to the server (Unauthorized).

Reproduction Steps

  1. Create an AdminRole

const clusterAdmin = new Role(this, 'AdminRole', {
  roleName: 'EKSClusterAdmin',
  assumedBy: new AccountRootPrincipal(),
});

  2. Create the cluster, passing the AdminRole as the mastersRole parameter

const cluster = new Cluster(this, 'EKSCluster', {
  version: KubernetesVersion.V1_18,
  vpc: props.vpc,
  clusterName: 'EKSCluster',
  mastersRole: clusterAdmin,
  secretsEncryptionKey: secretsKey,
  defaultCapacity: 0,
  endpointAccess: EndpointAccess.PUBLIC_AND_PRIVATE,
});

  3. Create a lambda with a kubectl layer

// Named kubectlLambda: a local named `lambda` would shadow the imported `lambda` module
const kubectlLambda = new lambda.Function(this, id, {
  code: props.lambdaCode,
  functionName: props.lambdaFunctionName,
  handler: props.handler,
  runtime: lambda.Runtime.PYTHON_3_7,
  layers: [props.layerVersion],
  timeout: Duration.minutes(15),
  memorySize: 256,
  vpc: props.vpc,
  securityGroups: props.securityGroups,
});

  4. Give the lambda permission to assume the AdminRole

// Function.role is optional in the CDK typings, hence the optional chaining
kubectlLambda.role?.addToPolicy(
  PolicyStatement.fromJson({
    Effect: 'Allow',
    Action: ['sts:AssumeRole'],
    Resource: props.mastersRole.roleArn,
  })
);

  5. In a custom resource in this lambda, log in using the admin role

aws eks update-kubeconfig --name EKSCluster --role-arn <AdminRoleArn> --kubeconfig /tmp/kubeconfig

Output:

Added new context arn:aws:eks:us-west-2:XXXXXXXXXXXX:cluster/EKSCluster to /tmp/kubeconfig

  6. Make a kubectl call, e.g. kubectl get psp --kubeconfig /tmp/kubeconfig

What did you expect to happen?

kubectl command succeeds

What actually happened?

error: You must be logged in to the server (Unauthorized)

Environment

  • CDK CLI Version : 1.68.0
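The check I would run in the Lambda's position before step 6, added here as an example (not code from the issue or from the CDK project): take the assumed-role ARN that `aws sts get-caller-identity` returns after `update-kubeconfig --role-arn`, reduce it to the path-less IAM role ARN that aws-iam-authenticator compares against, and look it up in the cluster's aws-auth `mapRoles`. The ConfigMap content and the account number are constructed samples; an entry whose `rolearn` carries a path is reported as unmatchable, since aws-auth requires the path-less form.

```python
import json
import re

# Constructed sample of the aws-auth ConfigMap's data.mapRoles value, as seen in
# `kubectl get configmap aws-auth -n kube-system -o json`. The real value is a YAML
# string; this sample uses YAML's JSON subset so the standard library can parse it.
SAMPLE_MAP_ROLES = json.dumps([
    {"rolearn": "arn:aws:iam::111122223333:role/EKSClusterAdmin",
     "username": "arn:aws:iam::111122223333:role/EKSClusterAdmin",
     "groups": ["system:masters"]},
    {"rolearn": "arn:aws:iam::111122223333:role/service/NodeRole",  # has a path
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]},
])

_STS_ASSUMED = re.compile(r"^arn:(aws[^:]*):sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")
_IAM_ROLE = re.compile(r"^arn:(aws[^:]*):iam::(\d{12}):role/(?:.*/)?([^/]+)$")

def canonical_role_arn(arn):
    """Reduce an STS assumed-role ARN (what get-caller-identity returns after
    update-kubeconfig --role-arn) or an IAM role ARN, with or without a path,
    to the path-less IAM role ARN that aws-iam-authenticator compares against.
    Returns None for anything that is not a role (e.g. an IAM user)."""
    m = _STS_ASSUMED.match(arn) or _IAM_ROLE.match(arn)
    if not m:
        return None
    return f"arn:{m.group(1)}:iam::{m.group(2)}:role/{m.group(3)}"

def resolve_caller(map_roles_yaml, caller_arn):
    """Report how the authenticator would treat caller_arn against mapRoles:
    the canonical ARN looked up, the matching entry (None is what yields
    'You must be logged in to the server (Unauthorized)'), and entries whose
    rolearn is malformed or carries a path and therefore can never match."""
    want = canonical_role_arn(caller_arn)
    report = {"canonical": want, "match": None, "unmatchable": []}
    for entry in json.loads(map_roles_yaml):
        rolearn = entry.get("rolearn", "")
        if canonical_role_arn(rolearn) != rolearn:
            report["unmatchable"].append(rolearn)
        elif want is not None and rolearn == want and report["match"] is None:
            report["match"] = entry
    return report

if __name__ == "__main__":
    # The issue's scenario: the Lambda runs kubectl after assuming EKSClusterAdmin.
    caller = "arn:aws:sts::111122223333:assumed-role/EKSClusterAdmin/lambda-session"
    print(json.dumps(resolve_caller(SAMPLE_MAP_ROLES, caller), indent=2))
```

In the Lambda, replace the constructed sample with the live `mapRoles` string read via `kubectl get configmap aws-auth -n kube-system -o json` and the `Arn` field from `aws sts get-caller-identity`.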


Top GitHub Comments

robbierolin commented, Jan 6, 2021 (1 reaction)

I think the built in provider didn’t exist when we first built our cluster or we just didn’t know about it. Seems like it would be a good option to switch to using it.

github-actions[bot] commented, Jan 14, 2021 (0 reactions)

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
