
create cluster fails when VPC CNI is configured to use both iam.withOIDC and useDefaultPodIdentityAssociations #7925

Open
cPu1 opened this issue Aug 2, 2024 · 1 comment

Comments

@cPu1 (Collaborator) commented Aug 2, 2024

The following config results in a panic:

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: test-cluster-3
  region: us-east-1
  version: '1.28'

addons:
- name: eks-pod-identity-agent
  version: v1.3.0
- name: vpc-cni
  version: v1.18.2
  useDefaultPodIdentityAssociations: true

iam:
  withOIDC: true

secretsEncryption:
  keyARN: arn:aws:kms:us-east-1:123456789:alias/test-kms
```

Stack trace:

```text
2024-08-02 14:56:26 [ℹ]  creating addon
2024-08-02 14:56:27 [ℹ]  successfully created addon
2024-08-02 14:56:28 [ℹ]  "addonsConfig.autoApplyPodIdentityAssociations" is set to true; will lookup recommended pod identity configuration for "vpc-cni" addon
2024-08-02 14:56:30 [ℹ]  deploying stack "eksctl-test-cluster-3-addon-vpc-cni-podidentityrole-aws-node"
2024-08-02 14:56:30 [ℹ]  waiting for CloudFormation stack "eksctl-test-cluster-3-addon-vpc-cni-podidentityrole-aws-node"
2024-08-02 14:57:01 [ℹ]  waiting for CloudFormation stack "eksctl-test-cluster-3-addon-vpc-cni-podidentityrole-aws-node"
2024-08-02 14:57:02 [ℹ]  creating addon
2024-08-02 14:57:03 [ℹ]  successfully created addon
2024-08-02 14:57:04 [ℹ]  creating addon
2024-08-02 14:57:04 [ℹ]  successfully created addon
2024-08-02 14:57:05 [ℹ]  creating addon
2024-08-02 14:57:06 [ℹ]  successfully created addon
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x20 pc=0x1055303f8]

goroutine 187 [running]:
github.com/weaveworks/eksctl/pkg/actions/addon.(*Manager).Update(0x1400073f4a0, {0x107bc4e68, 0x10a3332e0}, 0x140005c2b40, {0x0, 0x0}, 0x15d3ef79800)
        github.com/weaveworks/eksctl/pkg/actions/addon/update.go:121 +0xeb8
github.com/weaveworks/eksctl/pkg/actions/addon.CreateAddonTasks.func3()
        github.com/weaveworks/eksctl/pkg/actions/addon/tasks.go:110 +0x90
github.com/weaveworks/eksctl/pkg/utils/tasks.(*GenericTask).Do(0x14000a2bd58, 0x0?)
        github.com/weaveworks/eksctl/pkg/utils/tasks/tasks.go:31 +0x34
github.com/weaveworks/eksctl/pkg/utils/tasks.doSingleTask(0x0?, {0x107b74ac0, 0x14000a2bd58})
        github.com/weaveworks/eksctl/pkg/utils/tasks/tasks.go:202 +0xc8
github.com/weaveworks/eksctl/pkg/utils/tasks.doSequentialTasks(0x1400061b4e0?, {0x1400061e980, 0x5, 0x1400022c160?})
        github.com/weaveworks/eksctl/pkg/utils/tasks/tasks.go:250 +0x6c
created by github.com/weaveworks/eksctl/pkg/utils/tasks.(*TaskTree).Do in goroutine 185
        github.com/weaveworks/eksctl/pkg/utils/tasks/tasks.go:158 +0x258
```
@artem-nefedov commented Aug 15, 2024

Not sure if related, but I found that eksctl 0.187.0 falsely complains in the logs during create cluster when the vpc-cni addon is specified without pod identity, but with attachPolicyARNs:

```text
IRSA config is set for "vpc-cni" addon, but since OIDC is disabled on the cluster, eksctl cannot configure the requested permissions; the recommended way to provide IAM permissions for "vpc-cni" addon is via pod identity associations; after addon creation is completed, add all recommended policies to the config file, under addon.PodIdentityAssociations, and run eksctl update addon
```

The cluster config does have iam.withOIDC: true, and OIDC works without issues when the cluster is created.
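Both reports above come down to the same addon identity settings interacting badly: the issue body shows `iam.withOIDC: true` together with `useDefaultPodIdentityAssociations: true` on vpc-cni ending in a nil pointer dereference, and the second comment shows the "OIDC is disabled" warning firing even though `withOIDC` is true. The following Go program is an added example, not eksctl's own code or API types: it models just the config fields named in this thread with constructed structs and runs a pre-flight lint over them so an operator gets a readable finding (and a nil-safe code path) before running `eksctl create cluster`. The diagnostic codes, the `ReportedConfig` helper and the assumption that default pod identity associations need the `eks-pod-identity-agent` addon present are all this example's own.

```go
package main

import "fmt"

// Minimal model of the ClusterConfig fields that appear in this thread.
// These types are constructed for this example; they are NOT eksctl's own
// API types, and the checks below are not eksctl's own validation logic.
type IAMConfig struct {
	WithOIDC bool // iam.withOIDC
}

type Addon struct {
	Name                              string
	Version                           string
	UseDefaultPodIdentityAssociations bool     // addons[].useDefaultPodIdentityAssociations
	AttachPolicyARNs                  []string // addons[].attachPolicyARNs (IRSA-style permissions)
}

type ClusterConfig struct {
	Name   string
	IAM    IAMConfig
	Addons []Addon
}

// Diagnostic is one pre-flight finding about an addon's identity setup.
type Diagnostic struct {
	Code    string // stable identifier a CI check can match on
	Addon   string
	Message string
}

// ValidateAddonIdentity lints the addon identity settings so that the
// operator sees a clear finding instead of a runtime panic. It is safe to
// call with a nil config.
func ValidateAddonIdentity(cfg *ClusterConfig) []Diagnostic {
	if cfg == nil {
		return []Diagnostic{{Code: "nil-config", Message: "cluster config is nil"}}
	}
	hasAgent := false
	for _, a := range cfg.Addons {
		if a.Name == "eks-pod-identity-agent" {
			hasAgent = true
		}
	}
	var out []Diagnostic
	for _, a := range cfg.Addons {
		// Assumption of this example: default pod identity associations need the agent addon.
		if a.UseDefaultPodIdentityAssociations && !hasAgent {
			out = append(out, Diagnostic{Code: "missing-pod-identity-agent", Addon: a.Name,
				Message: fmt.Sprintf("%q uses default pod identity associations but eks-pod-identity-agent is not listed", a.Name)})
		}
		// The combination from the issue body: flag it up front rather than let it crash later.
		if a.UseDefaultPodIdentityAssociations && cfg.IAM.WithOIDC {
			out = append(out, Diagnostic{Code: "oidc-and-pod-identity", Addon: a.Name,
				Message: fmt.Sprintf("%q sets useDefaultPodIdentityAssociations while iam.withOIDC is true; reported to panic in create cluster (issue #7925)", a.Name)})
		}
		// The warning quoted in the second comment should only fire when OIDC is
		// actually disabled; testing the real flag avoids the false positive.
		if len(a.AttachPolicyARNs) > 0 && !cfg.IAM.WithOIDC {
			out = append(out, Diagnostic{Code: "irsa-without-oidc", Addon: a.Name,
				Message: fmt.Sprintf("%q sets attachPolicyARNs but iam.withOIDC is false; IRSA permissions cannot be configured without OIDC", a.Name)})
		}
	}
	return out
}

// ReportedConfig rebuilds the config from the issue body (constructed from the thread).
func ReportedConfig() *ClusterConfig {
	return &ClusterConfig{
		Name: "test-cluster-3",
		IAM:  IAMConfig{WithOIDC: true},
		Addons: []Addon{
			{Name: "eks-pod-identity-agent", Version: "v1.3.0"},
			{Name: "vpc-cni", Version: "v1.18.2", UseDefaultPodIdentityAssociations: true},
		},
	}
}

func main() {
	for _, d := range ValidateAddonIdentity(ReportedConfig()) {
		fmt.Printf("[%s] %s\n", d.Code, d.Message)
	}
}
```

Run as-is it prints one `oidc-and-pod-identity` finding for vpc-cni; a config with `withOIDC: true` and only `attachPolicyARNs` on vpc-cni produces no finding, which is the behaviour the second commenter expected from eksctl's own warning.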
