Fail to update config map in v20 #2978
Comments
does
I presume it does, since this is the role that creates the cluster using the aws provider?
not necessarily - if you create a cluster today on v20.x, the IAM identity used to create the cluster does not have any access inside the cluster by default
Oh, that must be the missing part. How do I grant that access on creation?
terraform-aws-eks/examples/karpenter/main.tf, lines 69 to 71 at 1627231
Karpenter confused me here, I will try, thanks
in that example, the identity needs K8s permissions in order to deploy the Karpenter resources (inside the cluster) |
I moved further, but it still fails:
I have tried to use the CONFIG_MAP authentication role, but that seems to conflict with the module's other logic.
And this parameter is hardcoded, so I don't think CONFIG_MAP is a valid option?
@vchepkov could you please open an AWS support ticket for this configmap permission issue and include your cluster ARN
I am working with support, but I think that for the authentication modes API_AND_CONFIG_MAP and CONFIG_MAP we have to use bootstrapClusterCreatorAdminPermissions=true. The error posted above indicates that, and the blog https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/ indicates that the creator won't have any permissions if that's not the case, which I think is the problem that we see here.

The support engineer suggested that I add an aws_eks_access_entry resource to add the IAM role to kubernetes_groups = ["system:masters"], but the resource provider refuses:
you cannot add an entry where the group starts with For Lines 142 to 156 in 1627231
Posting the support recommendation here; I guess we need to add yet another sleep time, similar to what is done for custom networking
Any (manual) workaround for this?
I added code similar to what this module already uses. IMHO, the module should add this block too before declaring the module as "ready".
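An added example (not code from this issue, its commenters, or the terraform-aws-eks project) pulling together the two points made above: on v20 the creating identity gets no in-cluster access unless the cluster-creator admin bootstrap is kept, and a propagation wait is needed before the aws-auth config map is written. Additional principals get a cluster-scoped AmazonEKSClusterAdminPolicy association through an access entry rather than a kubernetes_groups entry starting with system:, which the API rejects. The role ARNs, VPC and subnet ids, cluster version and the 30s sleep are assumed values; the module inputs, the aws-auth submodule and the `aws eks get-token` flags are ones that exist in v20 and the AWS CLI.

```hcl
# Added example, not from the issue or the terraform-aws-eks project.
# Role ARNs, network ids, cluster version and sleep duration are assumptions.

variable "ci_role_arn" {
  description = "IAM role assumed by the CI runner that creates the cluster (assumed value)"
  type        = string
  default     = "arn:aws:iam::111122223333:role/ci-runner-eks"
}

variable "operators_role_arn" {
  description = "A second IAM role that also needs cluster-admin (assumed value)"
  type        = string
  default     = "arn:aws:iam::111122223333:role/eks-operators"
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = "example"
  cluster_version = "1.29"
  vpc_id          = "vpc-0123456789abcdef0"                                  # assumed
  subnet_ids      = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"] # assumed

  # Keep the aws-auth config map usable alongside EKS access entries.
  authentication_mode = "API_AND_CONFIG_MAP"

  # v20 no longer gives the creating identity (here the CI role) any access
  # inside the cluster by default; this keeps the creator admin bootstrap so
  # the same identity can go on to write the config map.
  enable_cluster_creator_admin_permissions = true

  # Other principals get a cluster-scoped admin policy association. Do not
  # repeat the creator's ARN here (it already has an entry from the flag above),
  # and do not use kubernetes_groups with a system: prefix, which the API rejects.
  access_entries = {
    operators = {
      principal_arn = var.operators_role_arn
      policy_associations = {
        admin = {
          policy_arn   = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = { type = "cluster" }
        }
      }
    }
  }
}

# Kubernetes provider authenticating with the CI role; --role-arn lets a runner
# in a central account assume the target-account role for the token.
provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name,
    "--role-arn", var.ci_role_arn]
  }
}

# Access entries take a moment to become effective after cluster creation;
# wait before the first config map write (duration is an assumption).
resource "time_sleep" "wait_for_access_entries" {
  create_duration = "30s"
  depends_on      = [module.eks]
}

module "aws_auth" {
  source  = "terraform-aws-modules/eks/aws//modules/aws-auth"
  version = "~> 20.0"

  manage_aws_auth_configmap = true
  aws_auth_roles = [
    {
      rolearn  = var.operators_role_arn
      username = "eks-operators"
      groups   = ["system:masters"] # allowed in aws-auth, unlike in an access entry
    }
  ]

  depends_on = [time_sleep.wait_for_access_entries]
}
```

If the cluster is instead created in CONFIG_MAP mode only, the access_entries block has no effect and the config map is the sole source of in-cluster permissions, so the creator bootstrap flag is what keeps the first write from failing.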
This issue has been automatically marked as stale because it has been open 30 days |
This issue was automatically closed because of stale in 10 days |
We are facing a challenge configuring config_map.
We use GitLab runners running in a central AWS account to create/configure EKS clusters in a target account.
Our aws provider looks like this, and the module successfully creates the EKS cluster:
To update the config map we configure the kubernetes provider:
and use the submodule
But this results in an error
What do we miss? Thank you