Reputation: 947
Cannot update EKS NodeGroup because of aws-auth ConfigMap issues
We're running several clusters with AWS's EKS.
Currently all the clusters are already on 1.19 but the NodeGroups are still running on 1.18. The last update of the NodeGroups was in December and there everything works well. The aws-auth ConfigMap wasn't modified since this moment of time.
Now we want to update them. If we either click in the Console on Update or using the following command:
aws eks --region <clusterRegion> update-nodegroup-version --cluster-name=<clusterName> --nodegroup-name=<nodeGroupName>
...it fails with:
An error occurred (InvalidRequestException) when calling the UpdateNodegroupVersion operation: Nodegroup health has issues other than [ AsgInstanceLaunchFailures, InstanceLimitExceeded, InsufficientFreeAddresses, ClusterUnreachable ]
A look in the details of the nodegroup shows the following message:
AccessDenied: The aws-auth ConfigMap in your cluster is invalid.
The related ConfigMap (which works fine for all of us to access it) has the following content (stripped from sensitive information):
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::<accountId>:role/<ourEksClusterNodeRole>
username: system:node:{{EC2PrivateDNSName}}
- groups:
- system:masters
rolearn: arn:aws:iam::<accountId>:role/AWSReservedSSO_SystemAdministrator_<someRandomString>
username: {{SessionName}}
Upvotes: 4
Views: 5367
Answers (1)
Reputation: 947
It turns out that the proposed way by the AWS documentation to integrate SSO users into the clusters is not compatible with the latest version of EKS.
The placeholder {{SessionName}} cannot be evaluated. So I've had to change it like this:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::<accountId>:role/<ourEksClusterNodeRole>
username: system:node:{{EC2PrivateDNSName}}
- groups:
- system:masters
rolearn: arn:aws:iam::<accountId>:role/AWSReservedSSO_SystemAdministrator_<someRandomString>
username: awssso-system-administrator
The downside of this approach that we lost audit information in the logs.
To get around this (although it is really weird):
- Adjust the
aws-authConfigMap like this. - Wait for some minutes.
- Trigger the AMI release version upgrade
- Wait until it is done.
- Change the
aws-authConfigMap back.
Upvotes: 2
Related Questions
- kubectl error You must be logged in to the server (Unauthorized) when accessing EKS cluster
- AWS EKS NodeGroup "Create failed": Instances failed to join the kubernetes cluster
- AWS EKS - NodeGroup Update Instance Types
- Messed up with configmap aws-auth
- AWS eks user gets error: You must be logged in to the server (Unauthorized)
- AWS EKS "is not authorized to perform: iam:CreateServiceLinkedRole"
- kubectl error You must be logged in to the server (Unauthorized) - EKS cluster
- Taint eks node-group
- EKS not able to authenticate to Kubernetes with Kubectl - "User: is not authorized to perform: sts:AssumeRole"
- KUBECTL ERROR: the server has asked for the client to provide credentials