ec2 tags collection is broken when kube2iam is used #3173

Open
arminioa opened this issue Mar 20, 2019 · 3 comments
Comments

@arminioa
Contributor

arminioa commented Mar 20, 2019

When the Datadog agent v6 is deployed into a k8s cluster and kube2iam is set up to control access to AWS based on IAM roles, EC2 tags collection is broken.

From the agent log I get this error:

[ AGENT ] 2019-03-19 13:30:37 UTC | DEBUG | (host_tags.go:58 in getHostTags) | No EC2 host tags unable to fetch EC2 API, status code 403 trying to fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/kubernetes-datadog_role/

There is no need to add a "/" after the role name here:

res, err := getResponse(metadataURL + "/iam/security-credentials/" + iamRole + "/")

Because of that trailing "/", kube2iam is not able to identify the correct role name and it raises this error, which means that kube2iam expects the role kubernetes-datadog_role/ which is wrong:

time="2019-03-18T15:01:27Z" level=error msg="Invalid role: does not match annotated role" ns.name=monitoring params.iam.role=kubernetes-datadog_role/ pod.iam.role="arn:aws:iam::XXXXXX:role/kubernetes-datadog_role" req.method=GET req.path=/latest/meta-data/iam/security-credentials/kubernetes-datadog_role/ req.remote=10.100.128.7

My Kubernetes cluster is v1.11.6, kube2iam is v0.10.4 and I've tried with datadog-agent v6.4.2-jmx and v6.10.1-jmx, but anyway the affected Datadog agent code is 2 years old.
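The mismatch described in this issue, as an added Go example that is not code from the Datadog agent or from kube2iam: the proxy-side check is modelled on the kube2iam log line above (the text after `/iam/security-credentials/` is taken verbatim as the requested role and compared with the role name in the annotated ARN); the real kube2iam matching code is not shown on this page, so that modelling is an assumption. The account id `XXXXXX` is the masked value from the log.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// metadataBase is the EC2 instance metadata endpoint quoted in the agent log.
const metadataBase = "http://169.254.169.254/latest/meta-data"

const credsPrefix = "/latest/meta-data/iam/security-credentials/"

// credentialsURLBuggy reproduces the agent's original construction from
// host_tags.go: the role name is followed by a trailing "/".
func credentialsURLBuggy(iamRole string) string {
	return metadataBase + "/iam/security-credentials/" + iamRole + "/"
}

// credentialsURLFixed builds the URL the AWS docs show (no trailing slash).
func credentialsURLFixed(iamRole string) string {
	return metadataBase + "/iam/security-credentials/" + iamRole
}

// roleNameFromARN returns the part after the last "/" of an IAM role ARN,
// e.g. "kubernetes-datadog_role" for "arn:aws:iam::XXXXXX:role/kubernetes-datadog_role".
func roleNameFromARN(arn string) string {
	return arn[strings.LastIndex(arn, "/")+1:]
}

// requestedRole models the proxy: whatever follows credsPrefix in the request
// path is the role the caller asked for. This is an assumption drawn from the
// log field params.iam.role=kubernetes-datadog_role/ in the issue.
func requestedRole(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(u.Path, credsPrefix) {
		return "", fmt.Errorf("not a security-credentials request: %s", u.Path)
	}
	return strings.TrimPrefix(u.Path, credsPrefix), nil
}

// roleMatches is the strict comparison that rejects the trailing-slash request.
func roleMatches(requested, annotatedARN string) bool {
	return requested == roleNameFromARN(annotatedARN)
}
```

With the buggy URL the requested role is `kubernetes-datadog_role/` and the comparison fails; with the fixed URL it is `kubernetes-datadog_role` and it matches.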

@Simwar
Contributor

Simwar commented Mar 25, 2019

Hi,

As I said in the support ticket, thanks for opening the issue.
I see that you also opened this one: jtblin/kube2iam#204
Maybe their parsing needs to be better handled as our URL is perfectly correct.
I also had another customer using this tool, kube2IAM, without any issues to reach this URL.

Did you try to upgrade kube2IAM to 0.10.6?

Thanks

@arminioa
Contributor Author

Hi

I'm using kube2iam with other apps and they are working fine, just because they are not using a useless trailing slash when they request security credentials.

Just be kind and take a look at the AWS doc for an example of how to retrieve the security credentials for an IAM role named s3access:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

There is no need to upgrade kube2iam, since the code with the validate part wasn't changed.

Thanks for your time,
Arminio A.

@Simwar
Contributor

Simwar commented Mar 29, 2019

PR merged, should be available in the 6.11.
