AWS EKS infra: transition to k8s 1.24 and add required storage addon #2056
Conversation
Force-pushed from 5480f8f to 8b43192
NAICE!
Thanks for reviewing @yuvipanda! I updated the inline comments, force-pushed, and added a question to the PR description:
@consideRatio the question to me is: where does the actual controller run? Does it run just on the core nodes (as the autoscaler does, for example)? In that case, just letting it be there for the core nodes is the way to go. Or is it a daemonset that needs to run on every node? In that case we should probably still just set it up for the core nodes (principle of least privilege and all that) but document that it needs to be explicitly enabled. My intuition is that the actual controller is a deployment / statefulset that just runs on the core nodes, so having the permissions only on the core nodes is fine.
However, this intuition has no evidence :D Should be easy enough to figure out though.
Hmmm hmmm. Observations...
I don't understand the coupling of AWS credentials to k8s ServiceAccounts so well, hmm... What test do you suggest? To make the controller schedule on a user node, and then see if it functions to provision and bind a PV to a PVC?
@consideRatio I think the controller creates PVs, but the daemonset is what 'binds' them. I would suggest testing this by launching a pod with a PVC that will run on a non-core nodepool. I think the controller will always run in the core nodepool; the question is, what permissions does the daemonset need to do the attach? So we want to test: 'will EBS volumes mount on arbitrary nodes even if they don't have this permission explicitly defined?'
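For reference, a rough sketch of the two places eksctl can attach these EBS permissions: on every node of a nodeGroup via its instance role, or on the controller's service account via the managed addon. The names below are placeholders and the field layout reflects my understanding of eksctl's ClusterConfig schema, not this repo's actual config.

```yaml
# Option A: node-level permissions, granted to every instance in the nodeGroup
nodeGroups:
  - name: core-a                 # placeholder name
    iam:
      withAddonPolicies:
        ebs: true                # attaches the EBS policy to the node instance role

# Option B: permissions scoped to the EBS CSI controller's service account (IRSA)
addons:
  - name: aws-ebs-csi-driver
    wellKnownPolicies:
      ebsCSIController: true
```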
Thanks for your help thinking about this @yuvipanda!!! Test: add a new PVC and a new Pod to mount it, and force the pod to run on a user node without the considered IAM EBS permissions. Both worked out. Due to this, I figure we go with removing the nodeGroup's addition of the IAM EBS permissions. In 8fe4009 I remove the nodeGroup's IAM EBS configuration, and this is ready to merge. In case things don't work, let's add it back to the core node pool.
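A minimal sketch of that kind of test, assuming hypothetical `test-pvc` / `test-pod` names, the cluster's default storage class, and a `hub.jupyter.org/node-purpose: user` label on the user nodes (all illustrative, not the exact manifests used):

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: test-pvc                 # hypothetical name
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: test-pod                 # hypothetical name
spec:
  nodeSelector:
    hub.jupyter.org/node-purpose: user   # assumed label to force scheduling onto a user node
  containers:
    - name: test
      image: busybox
      command: ["sh", "-c", "sleep 3600"]
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: test-pvc
```

If the PVC binds and the pod reaches Running on a user node, that suggests the daemonset can attach EBS volumes there without node-level IAM permissions.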
@consideRatio sounds good to me. |
@GeorgianaElena when deploying the NASA VEDA hub, be on the lookout for a failure to schedule the prometheus pod of the support chart, for example, with an associated PVC resource stuck pending. That would indicate that I didn't get everything right in this PR - write to me on Slack if that happens and we'll resolve it.
Will do! Thanks @consideRatio! |
This adds the required changes to the eksctl cluster configuration files, as generated from a template.jsonnet file (depending on a libsonnet/nodegroup.jsonnet file).
It will influence newly created clusters only, as that is when template.jsonnet is used.
Closes #2054, but work to migrate existing hubs remains; this is covered by #2057.
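As a rough illustration (not the repo's actual generated output), the relevant parts of an eksctl config produced from such a template might look like the following, with placeholder cluster metadata:

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: example-cluster          # placeholder
  region: us-west-2              # placeholder
  version: "1.24"                # the k8s version this PR transitions to

# On recent EKS versions, EBS-backed PVCs require the EBS CSI driver,
# installed here as a managed addon with IAM granted to its service account
addons:
  - name: aws-ebs-csi-driver
    wellKnownPolicies:
      ebsCSIController: true
```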