aws-auth configmap does not get re-created after a cluster replacement, preventing nodes from joining the cluster
During a replacement of an EKS cluster, though the replacement succeeds, the aws-auth configmap used for user / role mappings does not get recreated. This in turn prevents the new worker nodes from joining the cluster.
The aws-auth configmap gets created here. Because none of the IAM resources it depends on get replaced or updated during the cluster replacement, the aws-auth configmap does not need to be replaced or updated either. However, during the tear down of the old cluster, the configmap goes away with the cluster, and the pulumi/kube provider does not seem to notice the need to recreate the aws-auth configmap for the new cluster.
Per discussions offline w/ Luke, the thought was that the kube provider kx-eks-cluster-eks-k8s should have been replaced instead of updated. Since the provider is the only dependency of aws-auth, if the provider were replaced, it would have created aws-auth.
Changes:

     Type                          Name                                   Operation
 -+  aws:eks:Cluster               kx-eks-cluster-eksCluster              replaced
 ~   pulumi:providers:kubernetes   kx-eks-cluster-eks-k8s                 updated
 ~   aws:ec2:SecurityGroup         kx-eks-cluster-nodeSecurityGroup       updated
 ~   pulumi-nodejs:dynamic:Resource kx-eks-cluster-vpc-cni                updated
 -+  aws:ec2:LaunchConfiguration   kx-eks-cluster-nodeLaunchConfiguration replaced
 ~   aws:cloudformation:Stack      kx-eks-cluster-nodes                   updated
 ~   pulumi:providers:kubernetes   kx-eks-cluster-provider                updated

Resources:
    +-2 replaced
    ~ 5 updated
    18 unchanged
To repro this, we'll use the same code from https://github.com/pulumi/pulumi-eks/issues/69#issuecomment-485060221.
Steps:
- Download pulumi-full-aws-eks.zip
- Run pulumi up in the unzipped dir.
- After the initial deployment is complete, comment out line #74, subnetIds.pop(), and run another update. This simulates having a VPC with existing subnets, and increasing from using 2 subnets in the cluster to 3 subnets (https://github.com/pulumi/pulumi-eks/issues/69#issuecomment-466909499).
- After about ~20 min the EKS replacement onto 3 subnets will complete.
- kubectl cluster-info returns success.
- kubectl get pods --all-namespaces returns core-dns pods in Pending, as there aren't any workers to deploy onto.
- kubectl get cm aws-auth -n kube-system -o yaml returns nothing.
- kubectl get nodes -o wide --show-labels returns nothing.
/cc @lukehoban @hausdorff
Created 4 years ago. Comments: 8 (8 by maintainers)
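The last four repro steps boil down to one question: does aws-auth exist, and does it map the worker instance role into the groups kubelet needs to register a node? The following is an added example, not code from this issue or from the pulumi-eks project. It takes the JSON that kubectl get cm aws-auth -n kube-system -o json would print (or null when kubectl returns nothing, as in this issue) and reports whether the node role is mapped to system:bootstrappers and system:nodes, and which roles are mapped to system:masters. The role ARNs and the ConfigMap contents below are constructed sample data; the instance role name is assumed, not taken from the issue. The mapRoles value is parsed with a small purpose-built reader for the flat list shape aws-auth uses, not a general YAML parser.

```typescript
// Added example, not from the pulumi-eks issue or project: check the aws-auth
// ConfigMap that EKS workers need in order to join. Input is the JSON from
// `kubectl get cm aws-auth -n kube-system -o json`, or null when the ConfigMap
// is missing (the symptom in this issue). All sample data below is constructed.

interface RoleMapping {
  rolearn: string;
  username: string;
  groups: string[];
}

interface AwsAuthReport {
  present: boolean;            // the ConfigMap exists at all
  nodeRoleMapped: boolean;     // node role is in every group kubelet needs
  missingGroups: string[];     // which of those groups are absent
  clusterAdminRoles: string[]; // roles mapped to system:masters, worth reviewing
}

// Groups the worker instance role must be in for kubelets to register nodes.
const NODE_GROUPS: string[] = ["system:bootstrappers", "system:nodes"];

function unquote(s: string): string {
  const t = s.trim();
  const quoted = t.length >= 2 && (t[0] === '"' || t[0] === "'") && t[t.length - 1] === t[0];
  return quoted ? t.slice(1, -1) : t;
}

// Reads the mapRoles value. aws-auth stores it as a YAML list of flat
// mappings ("- rolearn:", then indented "username:" and "groups:" with a
// nested "- " list). Only that shape is handled; this is not a YAML parser.
function parseMapRoles(text: string): RoleMapping[] {
  const out: RoleMapping[] = [];
  let cur: RoleMapping | null = null;
  const lines = text.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].trim();
    if (line === "") continue;
    const role = line.match(/^-\s*rolearn:\s*(.+)$/);
    const user = line.match(/^username:\s*(.+)$/);
    const item = line.match(/^-\s*(.+)$/);
    if (role) {
      cur = { rolearn: unquote(role[1]), username: "", groups: [] };
      out.push(cur);
    } else if (cur && user) {
      cur.username = unquote(user[1]);
    } else if (cur && /^groups:\s*$/.test(line)) {
      // list items follow on their own lines
    } else if (cur && item) {
      cur.groups.push(unquote(item[1]));
    } else {
      throw new Error("unexpected mapRoles line: " + lines[i]);
    }
  }
  return out;
}

function checkAwsAuth(cmJson: string | null, nodeRoleArn: string): AwsAuthReport {
  if (cmJson === null || cmJson.trim() === "") {
    // kubectl printed nothing: no ConfigMap, so no node can join.
    return { present: false, nodeRoleMapped: false, missingGroups: NODE_GROUPS.slice(), clusterAdminRoles: [] };
  }
  const cm = JSON.parse(cmJson);
  const mapRolesText: string = cm.data && typeof cm.data.mapRoles === "string" ? cm.data.mapRoles : "";
  const mappings = parseMapRoles(mapRolesText);
  // A role may be listed more than once; this check treats its groups as a union
  // (a simplification for the check, not a statement about the authenticator).
  const nodeGroups: string[] = [];
  mappings.filter((r) => r.rolearn === nodeRoleArn).forEach((r) => r.groups.forEach((g) => nodeGroups.push(g)));
  const missing = NODE_GROUPS.filter((g) => nodeGroups.indexOf(g) === -1);
  const admins = mappings.filter((r) => r.groups.indexOf("system:masters") !== -1).map((r) => r.rolearn);
  return { present: true, nodeRoleMapped: missing.length === 0, missingGroups: missing, clusterAdminRoles: admins };
}

// Constructed sample data; the role names are assumed, not from the issue.
const NODE_ROLE_ARN = "arn:aws:iam::123456789012:role/kx-eks-cluster-instanceRole";

function awsAuthJson(mapRoles: string): string {
  return JSON.stringify({
    apiVersion: "v1",
    kind: "ConfigMap",
    metadata: { name: "aws-auth", namespace: "kube-system" },
    data: { mapRoles: mapRoles },
  });
}

const HEALTHY_AWS_AUTH = awsAuthJson([
  "- rolearn: " + NODE_ROLE_ARN,
  "  username: system:node:{{EC2PrivateDNSName}}",
  "  groups:",
  "    - system:bootstrappers",
  "    - system:nodes",
  "- rolearn: arn:aws:iam::123456789012:role/ClusterAdmin",
  "  username: admin",
  "  groups:",
  "    - system:masters",
].join("\n"));

console.log("after a healthy deploy:", checkAwsAuth(HEALTHY_AWS_AUTH, NODE_ROLE_ARN));
console.log("after the cluster replacement in this issue:", checkAwsAuth(null, NODE_ROLE_ARN));
```

To run it against a live cluster, feed the output of kubectl get cm aws-auth -n kube-system -o json into checkAwsAuth together with the ARN of the node instance role your stack created; a report with present false is exactly the state this issue describes, while present true with nodeRoleMapped false points at a mapping problem rather than a missing ConfigMap. The clusterAdminRoles field is there because the same ConfigMap also grants cluster-admin through system:masters, so anything that recreates it is worth checking for unexpected entries.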

https://github.com/pulumi/pulumi/pull/2766 is now merged, so you should be able to pick up a dev build and run with it, @lblackstone. Let me know if you need help.
Thanks to the fixes in @pulumi/pulumi v0.17.16 and @pulumi/kubernetes v0.24.0, this bug & scenario is now being added to the set of tests.