
Issue in creating self-managed node when authenticationMode is set to CONFIG_MAP only [Bug] #7695

Closed
uditsidana opened this issue Apr 1, 2024 · 2 comments · Fixed by #7698
Labels
kind/bug priority/important-soon Ideally to be resolved in time for the next release

Comments


uditsidana commented Apr 1, 2024

What were you trying to accomplish?

Launch self-managed nodes with only authenticationMode set to CONFIG_MAP. For example, Outposts still does not support ACCESS ENTRIES.

What happened?

When the IAM Role is not specified explicitly, the CFN stack generated by eksctl (tested with 0.173.0 and later) sets NodeGroupUsesAccessEntry to true, due to which, on a cluster with only CONFIG_MAP as access method, the CFN tries to create an Access Entry and fails with the error "Resource handler returned message: "The cluster's authentication mode must be set to one of [API, API_AND_CONFIG_MAP] to perform this operation."

How to reproduce it?

eksctl version 0.175.0

  1. Used below config to create a cluster

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: k8s
  version: "1.27"
  region: eu-central-1

accessConfig:
  bootstrapClusterCreatorAdminPermissions: true
  authenticationMode: CONFIG_MAP

nodeGroups:
  - name: ng-1
    instanceType: m5.large
    desiredCapacity: 1

  2. eksctl create -f <>.yaml

The cluster is created successfully, however, the nodegroup stack fails with "Resource handler returned message: "The cluster's authentication mode must be set to one of [API, API_AND_CONFIG_MAP] to perform this operation."

Anything else we need to know?

$ eksctl info

eksctl version: 0.175.0
kubectl version: v1.22.15-eks-fb459a0
OS: linux

The workarounds to fix the issue

  1. Create the cluster and the nodegroup in 2 different steps, passing the parameter --update-auth-configmap when creating the nodegroup:

eksctl create cluster -f .yaml

eksctl create nodegroup -f .yaml --update-auth-configmap

  2. Use a pre-existing IAM Role for your Nodes.
nodeGroups:
  - name: ng-1
    instanceType: m5.large
    iam:
      instanceRoleARN: "arn:aws:iam::XXXXXXXX:role/AmazonEKSNodeRole"
  3. Using version 0.166.0 or earlier of eksctl as the breaking change comes from here -> 9f81584#diff-8c78bb87fb0d3f76268340075907de232bd48b524e26d4d693f8af64cd97805f
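
A pre-flight check for the condition reported above, as an added example (not part of the issue and not eksctl code): given an already-parsed ClusterConfig, it lists the self-managed nodegroups that have no iam.instanceRoleARN on a cluster whose authenticationMode is CONFIG_MAP. The function name and the sample dicts are constructed here, and the rule is taken from the reporter's description rather than from eksctl's source.

```python
# Added example: lint an eksctl ClusterConfig for the failure described in this issue.
# Assumption (from the report): a self-managed nodegroup without an explicit
# iam.instanceRoleARN gets an access entry in its CloudFormation stack, which
# fails when the cluster's authenticationMode is CONFIG_MAP.

def nodegroups_needing_access_entry(cluster_config):
    """Return names of nodeGroups entries that would hit the reported error.

    cluster_config is the ClusterConfig YAML loaded into a dict by any parser.
    """
    access = cluster_config.get("accessConfig") or {}
    # Only an explicit CONFIG_MAP-only cluster is affected per the report.
    if access.get("authenticationMode") != "CONFIG_MAP":
        return []
    flagged = []
    # "nodeGroups" holds self-managed nodegroups; managedNodeGroups are not checked.
    for ng in cluster_config.get("nodeGroups") or []:
        iam = ng.get("iam") or {}
        if not iam.get("instanceRoleARN"):
            flagged.append(ng.get("name", "<unnamed>"))
    return flagged


# Constructed input mirroring the config posted in the issue.
ISSUE_CONFIG = {
    "apiVersion": "eksctl.io/v1alpha5",
    "kind": "ClusterConfig",
    "metadata": {"name": "k8s", "version": "1.27", "region": "eu-central-1"},
    "accessConfig": {
        "bootstrapClusterCreatorAdminPermissions": True,
        "authenticationMode": "CONFIG_MAP",
    },
    "nodeGroups": [
        {"name": "ng-1", "instanceType": "m5.large", "desiredCapacity": 1},
    ],
}

# Constructed input: same cluster with the pre-existing role workaround applied.
WORKAROUND_CONFIG = dict(ISSUE_CONFIG, nodeGroups=[{
    "name": "ng-1",
    "instanceType": "m5.large",
    "iam": {"instanceRoleARN": "arn:aws:iam::XXXXXXXX:role/AmazonEKSNodeRole"},
}])

if __name__ == "__main__":
    for label, cfg in (("issue", ISSUE_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        print(label, nodegroups_needing_access_entry(cfg))
```
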
Contributor

github-actions bot commented Apr 1, 2024

Hello uditsidana 👋 Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

@TiberiuGC
Collaborator

Hi @uditsidana - I can confirm this is an issue, thanks for flagging it! We'll include a fix in the next RC.
