(eks): AwsAuth not updated, kubectl commands failing in CustomResources
See original GitHub issueOur cdk cluster recently started experiencing failures where our CustomResources are not authorized to call kubectl
All kubectl commands result in the error error: You must be logged in to the server (Unauthorized).
Reproduction Steps
Create an AdminRole
const clusterAdmin = new Role(this, 'AdminRole', {
roleName: 'EKSClusterAdmin',
assumedBy: new AccountRootPrincipal(),
});
Create cluster, pass AdminRole to mastersRole parameter
const cluster = new Cluster(this, 'EKSCluster', {
version: KubernetesVersion.V1_18,
vpc: props.vpc,
clusterName: 'EKSCluster',
mastersRole: clusterAdmin,
secretsEncryptionKey: secretsKey,
defaultCapacity: 0,
endpointAccess: EndpointAccess.PUBLIC_AND_PRIVATE,
});
Create a lambda with a kubectl layer
const lambda = new lambda.Function(this, id, {
code: props.lambdaCode,
functionName: props.lambdaFunctionName,
handler: props.handler,
runtime: lambda.Runtime.PYTHON_3_7,
layers: [props.layerVersion],
timeout: Duration.minutes(15),
memorySize: 256,
vpc: props.vpc,
securityGroups: props.securityGroups,
});
- Give lambda permission to assume the AdminRole
lambda.role.addToPolicy(
PolicyStatement.fromJson({
Effect: 'Allow',
Action: ['sts:AssumeRole'],
Resource: props.mastersRole.roleArn,
})
);
- In a custom resource in this lambda, login using the admin role
aws eks update-kubeconfig --name EKSCluster --role-arn <AdminRoleArn> --kubeconfig /tmp/kubeconfig
Outputs Added new context arn:aws:eks:us-west-2:XXXXXXXXXXXX:cluster/EKSCluster to /tmp/kubeconfig
- Make a kubectl call
e.g.
kubectl get psp --kubeconfig /tmp/kubeconfig
What did you expect to happen?
kubectl command succeeds
What actually happened?
error: You must be logged in to the server (Unauthorized)
Environment
- CDK CLI Version : 1.68.0
Issue Analytics
- State:
- Created 3 years ago
- Comments:10 (4 by maintainers)
Top Results From Across the Web
Troubleshoot kubectl commands for Amazon EKS
The aws-auth ConfigMap has the correct AWS Identity and Access Management (IAM) role with the Kubernetes user name associated with your node.
Read more >Create CRDs - Amazon EKS Workshop
As next step, we will add custom resources to ENIConfig custom resource definition (CRD). CRDs are extensions of Kubernetes API that stores collection...
Read more >Extend the Kubernetes API with CustomResourceDefinitions
When you create a new CustomResourceDefinition (CRD), the Kubernetes API Server creates a new RESTful resource path for each version you specify ...
Read more >User cannot log into EKS Cluster using kubectl - Stack Overflow
If you don't already have a config map on your machine: Download the config map curl -o aws-auth-cm.yaml https://amazon-eks.s3.us-west-2 ...
Read more >Identity and Access Management - EKS Best Practices Guides
If you need to grant an IAM user access to an EKS cluster, create an entry in the aws-auth ConfigMap for that user...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
I think the built in provider didn’t exist when we first built our cluster or we just didn’t know about it. Seems like it would be a good option to switch to using it.
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.