
Insufficient permissions when using karpenter irsa without discovery tags #295

Closed
apamildner opened this issue Oct 26, 2022 · 3 comments · Fixed by #294

Comments

apamildner (Contributor) commented Oct 26, 2022

Description

The issue is described in the PR

Versions

  • Module version [Required]: v5.5.0

Reproduction Code [Required]

Steps to reproduce the behavior:

  1. Create an AWSNodeTemplate like this:

```yaml
apiVersion: karpenter.k8s.aws/v1alpha1
kind: AWSNodeTemplate
metadata:
  name: default
spec:
  subnetSelector:
    aws-ids: subnet-abc,subnet-xyz
  securityGroupSelector:
    aws-ids: sg-abc,sg-xyz
  tags:
    karpenter.sh/discovery/foo-cluster: foo-cluster
```

  2. Make Karpenter try to create a new node with a provisioner pointing to the above-mentioned template.
  3. Make sure the security groups you try to use don't have the tag karpenter.sh/discovery/foo-cluster: foo-cluster; instead, refer to them by their IDs.

Expected behavior

The node comes up without a problem

Actual behavior

The Karpenter controller fails to run the instance and instead gives me an UnAuthorizedError, which it prints in the logs.
The message indicates that I lack the correct privilege to run ec2:RunInstances, since the security group I try to use is missing the ec2:ResourceTag/karpenter.sh/discovery/foo-cluster.

@egeturgay

I have come across the same issue today. This is due to the conditional on the runInstances policy.

The use case for this is: the EKS cluster and its worker security group are provisioned using the public Terraform module. In the event that the same worker SG is being used for Karpenter-managed instances, the policy linked below prevents it from running instances.
Removing the conditional on RunInstances addresses the problem, and it would be good to get the module to reflect this.

https://github.com/terraform-aws-modules/terraform-aws-iam/blob/v5.5.2/modules/iam-role-for-service-accounts-eks/policies.tf#L555
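
The per-resource check that produces the UnAuthorizedError above, as an added example that is not part of this thread and is not the terraform-aws-iam module's policy or AWS's evaluator: a minimal Python model of how a tag-conditioned ec2:RunInstances statement is evaluated against each resource ARN in one call. The account ID, region, ARNs, tag values and both policy documents are constructed for the example; the "split" policy is one possible tightened alternative and is an assumption, not the change that shipped in 5.5.4.

```python
"""Added example: a minimal model of per-resource IAM authorization for
ec2:RunInstances, to show why a tag-conditioned statement rejects a security
group referenced by ID.  Not the terraform-aws-iam module's policy and not
AWS's evaluator; policies, ARNs, account ID and tags below are constructed."""
from fnmatch import fnmatchcase

# Discovery tag from the AWSNodeTemplate in the issue.
CLUSTER_TAG = "karpenter.sh/discovery/foo-cluster"
ACTION = "ec2:RunInstances"
# Constructed account and region for the sample ARNs.
ACCOUNT, REGION = "111122223333", "eu-west-1"
SG_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/sg-abc"
SUBNET_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-abc"
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(condition, resource):
    """Evaluate a Condition block against ONE resource of the call.

    ec2:ResourceTag/<k> resolves only for resources that already exist,
    ec2:RequestTag/<k> only for resources this call creates.  A key that does
    not resolve makes StringEquals/StringLike false, so an untagged security
    group passed by ID can never satisfy a ResourceTag-gated statement.
    """
    for op, pairs in (condition or {}).items():
        if op not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {op} not modelled")
        for key, expected in pairs.items():
            actual = None
            if key.startswith("ec2:ResourceTag/") and resource["existing"]:
                actual = resource["tags"].get(key[len("ec2:ResourceTag/"):])
            elif key.startswith("ec2:RequestTag/") and not resource["existing"]:
                actual = resource["tags"].get(key[len("ec2:RequestTag/"):])
            if actual is None:
                return False
            patterns = _as_list(expected)
            if op == "StringEquals" and actual not in patterns:
                return False
            if op == "StringLike" and not any(fnmatchcase(actual, p) for p in patterns):
                return False
    return True


def authorize(policy, request):
    """Return (allowed, denied_arns).  RunInstances is authorized per resource:
    every ARN in the call needs a matching Allow statement (explicit Deny and
    the image/key-pair/volume/ENI resources of a real call are omitted)."""
    denied = []
    for res in request:
        if not any(
            st["Effect"] == "Allow"
            and any(fnmatchcase(ACTION, a) for a in _as_list(st["Action"]))
            and any(fnmatchcase(res["arn"], r) for r in _as_list(st["Resource"]))
            and _condition_ok(st.get("Condition"), res)
            for st in policy["Statement"]
        ):
            denied.append(res["arn"])
    return not denied, denied


def karpenter_request(sg_tags):
    """Constructed RunInstances call shaped like the issue: a pre-existing SG
    (tags supplied by the caller), a tagged subnet, and the instance to create,
    carrying the spec.tags from the AWSNodeTemplate as request tags."""
    return [
        {"arn": SG_ARN, "existing": True, "tags": sg_tags},
        {"arn": SUBNET_ARN, "existing": True, "tags": {CLUSTER_TAG: "foo-cluster"}},
        {"arn": INSTANCE_ARN, "existing": False, "tags": {CLUSTER_TAG: "foo-cluster"}},
    ]


# Hypothetical over-gated shape matching the symptom in the issue: every
# resource touched by RunInstances must already carry the discovery tag.
TAG_GATED = {"Statement": [{
    "Effect": "Allow", "Action": ACTION, "Resource": "arn:aws:ec2:*:*:*",
    "Condition": {"StringEquals": {f"ec2:ResourceTag/{CLUSTER_TAG}": "foo-cluster"}},
}]}

# One possible tightened alternative (an assumption, not the 5.5.4 change):
# existing network resources are allowed by type without a tag condition; the
# tag gate moves to what Karpenter creates, checked via ec2:RequestTag.
SPLIT = {"Statement": [
    {"Effect": "Allow", "Action": ACTION,
     "Resource": ["arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:subnet/*"]},
    {"Effect": "Allow", "Action": ACTION, "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {f"ec2:RequestTag/{CLUSTER_TAG}": "foo-cluster"}}},
]}

if __name__ == "__main__":
    untagged_sg = {"Name": "eks-worker"}
    for name, policy in (("tag-gated", TAG_GATED), ("split", SPLIT)):
        ok, denied = authorize(policy, karpenter_request(untagged_sg))
        print(f"{name}: {'allowed' if ok else 'denied on ' + ', '.join(denied)}")
```

Running it with an untagged worker SG shows the tag-gated policy denying on the security-group ARN (and on the instance, because ec2:ResourceTag never resolves for a resource the call is creating), while the split policy allows the same call. Before changing a real role, the same before/after comparison can be run against AWS's own evaluator with `aws iam simulate-custom-policy`, supplying the candidate policy, the action and the concrete SG and subnet ARNs from the node template.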

@antonbabenko (Member)

This issue has been resolved in version 5.5.4 🎉

@github-actions (bot)

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 26, 2022