
Karpenter Sub-Module Incorrectly Assigns IPv6 CNI Role #2794

Closed
1 task done
ptwohig opened this issue Oct 27, 2023 · 3 comments · Fixed by #2804

Comments

@ptwohig

ptwohig commented Oct 27, 2023

Description

The Karpenter Sub-Module appears to incorrectly generate the ARN for the AmazonEKS_CNI_IPv6_Policy. Specifically, it seems that it doesn't consider the AWS account ID when generating the ARN.

  • ✋ I have searched the open/closed issues and my issue is not listed.

The Karpenter Submodule uses the following line to calculate the IAM policy:

locals {
  iam_role_policy_prefix = "arn:${local.partition}:iam::aws:policy"
  cni_policy = var.cluster_ip_family == "ipv6" ? "${local.iam_role_policy_prefix}/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
}

The eks-managed-node-group module calculates the ARN as follows:

locals {
  cni_policy = var.cluster_ip_family == "ipv6" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
}

This should be a simple one-liner fix by having the Karpenter module calculate the ARN the same way. Or, wait for AWS to add this as a managed policy.

Versions

  • Module version [Required]:

  • Terraform version: v1.5.0

  • Provider version(s):

    • aws: 5.21.0

Reproduction Code [Required]

module "karpenter" {

  source  = "terraform-aws-modules/eks/aws//modules/karpenter"
  version = "19.17.2"

  cluster_name = module.eks.cluster_name
  cluster_ip_family = local.cluster_ipv6 ? "ipv6" : "ipv4"
  irsa_oidc_provider_arn = module.eks.oidc_provider_arn

  irsa_tag_key = "karpenter.sh/discovery/${var.eks_cluster_name}"
  irsa_tag_values = [random_uuid.karpenter_discovery_id.id]

  iam_role_attach_cni_policy = !local.cluster_ipv6 // This is the offending line
  iam_role_additional_policies = { AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" }

}

Expected behavior

The module applies without errors.

Actual behavior

The module fails while looking for the IAM policy which does not exist. Specifically:

arn:aws:iam::aws:policy/AmazonEKS_CNI_IPv6_Policy

It should be looking for the following:

arn:aws:iam::XXXXXXXXXXXXX:policy/AmazonEKS_CNI_IPv6_Policy
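Added example, not code from this issue or from the terraform-aws-eks module: a small Python script that mirrors the ARN logic quoted above (AWS-managed policies sit under the literal `aws` account field, while AmazonEKS_CNI_IPv6_Policy is created in your own account and needs the real account ID) and scans a list of policy ARNs for the mis-scoped form the issue reports. The account ID `123456789012` and the ARN list are constructed sample values.

```python
"""Reproduce the CNI policy ARN derivation from the issue and flag mis-scoped ARNs.
Added example; not part of the terraform-aws-eks project."""
import re
from dataclasses import dataclass

# IAM policy ARN: arn:<partition>:iam::<account>:policy/<path-and-name>
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):iam::(?P<account>[^:]*):policy/(?P<name>.+)$"
)


@dataclass(frozen=True)
class PolicyArn:
    partition: str
    account: str
    name: str

    @property
    def aws_managed(self) -> bool:
        # AWS-managed policies use the literal "aws" where an account ID would be
        return self.account == "aws"


def parse_policy_arn(arn: str) -> PolicyArn:
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM policy ARN: {arn!r}")
    return PolicyArn(m["partition"], m["account"], m["name"])


def cni_policy_arn(partition: str, account_id: str, ip_family: str) -> str:
    """Same rule as the eks-managed-node-group locals quoted in the issue:
    the IPv6 policy is customer-managed (account ID in the ARN); the IPv4 one
    is AWS-managed (literal 'aws')."""
    if ip_family == "ipv6":
        return f"arn:{partition}:iam::{account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
    return f"arn:{partition}:iam::aws:policy/AmazonEKS_CNI_Policy"


# Policy names that do not exist as AWS-managed policies; the IPv6 CNI policy
# is one the account owner creates. Assumed list for this example.
CUSTOMER_MANAGED_NAMES = {"AmazonEKS_CNI_IPv6_Policy"}


def find_misscoped(arns):
    """Return ARNs that name a customer-managed policy but point at the 'aws'
    pseudo-account, i.e. the exact shape that fails in the issue."""
    bad = []
    for arn in arns:
        p = parse_policy_arn(arn)
        if p.name in CUSTOMER_MANAGED_NAMES and p.aws_managed:
            bad.append(arn)
    return bad


if __name__ == "__main__":
    # Constructed sample: the broken ARN from the issue next to the corrected one.
    sample = [
        "arn:aws:iam::aws:policy/AmazonEKS_CNI_IPv6_Policy",
        "arn:aws:iam::123456789012:policy/AmazonEKS_CNI_IPv6_Policy",
        "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    ]
    print("expected ipv6 ARN:", cni_policy_arn("aws", "123456789012", "ipv6"))
    print("mis-scoped ARNs:", find_misscoped(sample))
```

Running `find_misscoped` over the policy ARNs a module is about to attach is a cheap pre-apply check: it catches the `aws` pseudo-account being used for a policy that only exists in your account before Terraform fails looking the policy up.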

@FrederikNJS

I'm seeing the same problem

@antonbabenko
Member

This issue has been resolved in version 19.19.0 🎉


github-actions bot commented Dec 5, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 5, 2023