fix(eks): kubernetes cannot create external load balancers (#5448)

Add the tag "kubernetes.io/role/elb" to all public subnets, so Kubernetes can use these subnets when creating an external load balancer. Fixes #5443
aws · Dec 17, 2019 · 384d22d · 384d22d
1 parent 2d21600
commit 384d22d
Show file tree

Hide file tree

Showing 7 changed files with 257 additions and 19 deletions.
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts
@@ -4,7 +4,7 @@ import { Subnet } from '@aws-cdk/aws-ec2';
 import iam = require('@aws-cdk/aws-iam');
 import lambda = require('@aws-cdk/aws-lambda');
 import ssm = require('@aws-cdk/aws-ssm');
-import { CfnOutput, Construct, Duration, IResource, Resource, Stack, Tag } from '@aws-cdk/core';
+import { CfnOutput, Construct, Duration, IResource, Resource, Stack, Tag, Token } from '@aws-cdk/core';
 import path = require('path');
 import { AwsAuth } from './aws-auth';
 import { ClusterResource } from './cluster-resource';
@@ -611,15 +611,24 @@ export class Cluster extends Resource implements ICluster {
    * @see https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html
    */
   private tagSubnets() {
-    for (const subnet of this.vpc.privateSubnets) {
-      if (!Subnet.isVpcSubnet(subnet)) {
-        // Just give up, all of them will be the same.
-        this.node.addWarning('Could not auto-tag private subnets with "kubernetes.io/role/internal-elb=1", please remember to do this manually');
-        return;
+    const tagAllSubnets = (type: string, subnets: ec2.ISubnet[], tag: string) => {
+      for (const subnet of subnets) {
+        // if this is not a concrete subnet, attach a construct warning
+        if (!Subnet.isVpcSubnet(subnet)) {
+          // message (if token): "could not auto-tag public/private subnet with tag..."
+          // message (if not token): "count not auto-tag public/private subnet xxxxx with tag..."
+          const subnetID = Token.isUnresolved(subnet.subnetId) ? '' : ` ${subnet.subnetId}`;
+          this.node.addWarning(`Could not auto-tag ${type} subnet${subnetID} with "${tag}=1", please remember to do this manually`);
+          continue;
+        }
+
+        subnet.node.applyAspect(new Tag(tag, "1"));
       }
+    };
 
-      subnet.node.applyAspect(new Tag("kubernetes.io/role/internal-elb", "1"));
-    }
+    // https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html
+    tagAllSubnets('private', this.vpc.privateSubnets, "kubernetes.io/role/internal-elb");
+    tagAllSubnets('public', this.vpc.publicSubnets, "kubernetes.io/role/elb");
   }
 }
 

diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.defaults.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.defaults.expected.json
@@ -37,6 +37,10 @@
           {
             "Key": "aws-cdk:subnet-type",
             "Value": "Public"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -51,6 +55,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet1"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -89,6 +97,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet1"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -109,6 +121,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet1"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -134,6 +150,10 @@
           {
             "Key": "aws-cdk:subnet-type",
             "Value": "Public"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -148,6 +168,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet2"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -186,6 +210,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet2"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -206,6 +234,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet2"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -231,6 +263,10 @@
           {
             "Key": "aws-cdk:subnet-type",
             "Value": "Public"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -245,6 +281,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet3"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -283,6 +323,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet3"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -303,6 +347,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet3"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }

diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.kubectl-disabled.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.kubectl-disabled.expected.json
@@ -36,6 +36,10 @@
           {
             "Key": "aws-cdk:subnet-type",
             "Value": "Public"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -50,7 +54,11 @@
           {
             "Key": "Name",
             "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet1"
-          }
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
+          }          
         ]
       }
     },
@@ -88,7 +96,11 @@
           {
             "Key": "Name",
             "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet1"
-          }
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
+          }          
         ]
       }
     },
@@ -108,6 +120,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet1"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -133,7 +149,11 @@
           {
             "Key": "aws-cdk:subnet-type",
             "Value": "Public"
-          }
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
+          }          
         ]
       }
     },
@@ -147,6 +167,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet2"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -185,6 +209,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet2"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -205,6 +233,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet2"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -230,6 +262,10 @@
           {
             "Key": "aws-cdk:subnet-type",
             "Value": "Public"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -244,6 +280,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet3"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -282,6 +322,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet3"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }
@@ -302,6 +346,10 @@
           {
             "Key": "Name",
             "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet3"
+          },
+          {
+            "Key": "kubernetes.io/role/elb",
+            "Value": "1"
           }
         ]
       }