fix: KubectlHandler - insecure kubeconfig warning #16063

Merged
merged 4 commits into from
Aug 20, 2021

@mrsiejas mrsiejas commented Aug 16, 2021

KubectlHandler started to return an insecure kubeconfig file warning starting with Kubernetes 1.20:

```
2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default
Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an
other operation (install/upgrade/rollback) is in progress\n'
```

The fix changes the permissions of the file to read and write for the User and removes permissions for Group and Others.

Fixes #14560


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
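
The permission fix described above, as an added Python example that is not the PR's code: `kubeconfig_warnings` re-creates the two checks behind the quoted warnings, and `write_kubeconfig` (a hypothetical helper) creates the file as 0600 so it is never group- or world-readable, even briefly between write and chmod. The sample content and the temporary path are constructed.

```python
import os
import stat
import tempfile

# Constructed sample content; not a real cluster configuration.
SAMPLE = "apiVersion: v1\nkind: Config\nclusters: []\n"


def kubeconfig_warnings(path):
    """Report group/world read bits, using the wording of the warnings quoted above."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    msg = "WARNING: Kubernetes configuration file is {}-readable. This is insecure. Location: {}"
    found = []
    if mode & stat.S_IRGRP:
        found.append(msg.format("group", path))
    if mode & stat.S_IROTH:
        found.append(msg.format("world", path))
    return found


def write_kubeconfig(path, content):
    """Write content so the file is never readable by group or others."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    # The mode argument only applies when the file is created (and is reduced by the umask).
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as handle:
        # Tighten a file left over from an earlier run before any data is written.
        os.fchmod(handle.fileno(), 0o600)
        handle.write(content)


def demo():
    """Return (warnings before, warnings after, final mode) for a constructed file."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "kubeconfig")
        with open(path, "w") as handle:  # the pattern that triggers the warnings
            handle.write(SAMPLE)
        os.chmod(path, 0o644)  # pin the mode so the demo does not depend on the umask
        before = kubeconfig_warnings(path)
        write_kubeconfig(path, SAMPLE)
        after = kubeconfig_warnings(path)
        return before, after, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print(demo())
```

Setting the mode at creation time, rather than calling chmod after the write, matters in a shared directory such as `/tmp`, where the file would otherwise be readable for a short window.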

mergify bot commented Aug 16, 2021

Title does not follow the guidelines of Conventional Commits. Please adjust title before merge.

@mrsiejas mrsiejas changed the title KubectlHandler - fix insecure kubeconfig warning fix: KubectlHandler - fix insecure kubeconfig warning Aug 16, 2021
@mrsiejas mrsiejas changed the title fix: KubectlHandler - fix insecure kubeconfig warning fix: KubectlHandler - insecure kubeconfig warning Aug 16, 2021
@peterwoodworth peterwoodworth added @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service effort/small Small work item – less than a day of effort p2 labels Aug 19, 2021

@otaviomacedo otaviomacedo left a comment

Looks good to me, but the tests are failing. Can you please take a look?

mrsiejas commented Aug 20, 2021

Looks like the error is being thrown by the legacy handler:

@aws-cdk/aws-eks-legacy: Resources
@aws-cdk/aws-eks-legacy: [~] AWS::Lambda::Function myClusterResourceHandler19D131C9 
@aws-cdk/aws-eks-legacy:  └─ [~] Code
@aws-cdk/aws-eks-legacy:      ├─ [~] .S3Bucket:
@aws-cdk/aws-eks-legacy:      │   └─ [~] .Ref:
@aws-cdk/aws-eks-legacy:      │       ├─ [-] AssetParametersea4957b16062595851e7d293ee45835db05c5693669a729cc02944b6ad19a204S3Bucket371D99F8
@aws-cdk/aws-eks-legacy:      │       └─ [+] AssetParameters1eec89d987dc6420031e92f6d15199c2d8f34a844ef745b60c09b0afd32f5070S3BucketA540BC94
@aws-cdk/aws-eks-legacy:      └─ [~] .S3Key:
@aws-cdk/aws-eks-legacy:          └─ [~] .Fn::Join:
@aws-cdk/aws-eks-legacy:              └─ @@ -8,7 +8,7 @@
@aws-cdk/aws-eks-legacy:                 [ ]   "Fn::Split": [
@aws-cdk/aws-eks-legacy:                 [ ]     "||",
@aws-cdk/aws-eks-legacy:                 [ ]     {
@aws-cdk/aws-eks-legacy:                 [-]       "Ref": "AssetParametersea4957b16062595851e7d293ee45835db05c5693669a729cc02944b6ad19a204S3VersionKeyFDCB25DD"
@aws-cdk/aws-eks-legacy:                 [+]       "Ref": "AssetParameters1eec89d987dc6420031e92f6d15199c2d8f34a844ef745b60c09b0afd32f5070S3VersionKey2FE96A49"
@aws-cdk/aws-eks-legacy:                 [ ]     }
@aws-cdk/aws-eks-legacy:                 [ ]   ]
@aws-cdk/aws-eks-legacy:                 [ ] }
@aws-cdk/aws-eks-legacy:                 @@ -21,7 +21,7 @@
@aws-cdk/aws-eks-legacy:                 [ ]   "Fn::Split": [
@aws-cdk/aws-eks-legacy:                 [ ]     "||",
@aws-cdk/aws-eks-legacy:                 [ ]     {
@aws-cdk/aws-eks-legacy:                 [-]       "Ref": "AssetParametersea4957b16062595851e7d293ee45835db05c5693669a729cc02944b6ad19a204S3VersionKeyFDCB25DD"
@aws-cdk/aws-eks-legacy:                 [+]       "Ref": "AssetParameters1eec89d987dc6420031e92f6d15199c2d8f34a844ef745b60c09b0afd32f5070S3VersionKey2FE96A49"
@aws-cdk/aws-eks-legacy:                 [ ]     }
@aws-cdk/aws-eks-legacy:                 [ ]   ]
@aws-cdk/aws-eks-legacy:                 [ ] }
@aws-cdk/aws-eks-legacy: [~] AWS::Lambda::Function myClusterKubernetesResourceHandler50297E32 
@aws-cdk/aws-eks-legacy:  └─ [~] Code
@aws-cdk/aws-eks-legacy:      ├─ [~] .S3Bucket:
@aws-cdk/aws-eks-legacy:      │   └─ [~] .Ref:
@aws-cdk/aws-eks-legacy:      │       ├─ [-] AssetParameters640847533c8a00b3133aeb128edcac41fb7b60349c9e18764fcf7ea4af14d444S3Bucket919126CB
@aws-cdk/aws-eks-legacy:      │       └─ [+] AssetParametersd40ac2278fbe4accc92f2ef7677a13a067d9ed479ec3e84d89a49042f89c6dc8S3Bucket8D6F7A44
@aws-cdk/aws-eks-legacy:      └─ [~] .S3Key:
@aws-cdk/aws-eks-legacy:          └─ [~] .Fn::Join:
@aws-cdk/aws-eks-legacy:              └─ @@ -8,7 +8,7 @@
@aws-cdk/aws-eks-legacy:                 [ ]   "Fn::Split": [
@aws-cdk/aws-eks-legacy:                 [ ]     "||",
@aws-cdk/aws-eks-legacy:                 [ ]     {
@aws-cdk/aws-eks-legacy:                 [-]       "Ref": "AssetParameters640847533c8a00b3133aeb128edcac41fb7b60349c9e18764fcf7ea4af14d444S3VersionKey529BEF54"
@aws-cdk/aws-eks-legacy:                 [+]       "Ref": "AssetParametersd40ac2278fbe4accc92f2ef7677a13a067d9ed479ec3e84d89a49042f89c6dc8S3VersionKeyAA64BD77"
@aws-cdk/aws-eks-legacy:                 [ ]     }
@aws-cdk/aws-eks-legacy:                 [ ]   ]
@aws-cdk/aws-eks-legacy:                 [ ] }
@aws-cdk/aws-eks-legacy:                 @@ -21,7 +21,7 @@
@aws-cdk/aws-eks-legacy:                 [ ]   "Fn::Split": [
@aws-cdk/aws-eks-legacy:                 [ ]     "||",
@aws-cdk/aws-eks-legacy:                 [ ]     {
@aws-cdk/aws-eks-legacy:                 [-]       "Ref": "AssetParameters640847533c8a00b3133aeb128edcac41fb7b60349c9e18764fcf7ea4af14d444S3VersionKey529BEF54"
@aws-cdk/aws-eks-legacy:                 [+]       "Ref": "AssetParametersd40ac2278fbe4accc92f2ef7677a13a067d9ed479ec3e84d89a49042f89c6dc8S3VersionKeyAA64BD77"
@aws-cdk/aws-eks-legacy:                 [ ]     }
@aws-cdk/aws-eks-legacy:                 [ ]   ]
@aws-cdk/aws-eks-legacy:                 [ ] }
@aws-cdk/aws-eks-legacy: Error: Some stacks have changed. To verify that they still deploy successfully, run: 'yarn integ integ.eks-cluster.defaults.js integ.eks-cluster.lit.js integ.eks-helm.lit.js integ.eks-kubectl.lit.js integ.eks-spot.js'
@aws-cdk/aws-eks-legacy:     at main (/codebuild/output/src704439715/src/github.com/aws/aws-cdk/tools/cdk-integ-tools/bin/cdk-integ-assert.js:36:15)
@aws-cdk/aws-eks-legacy: Error: cdk-integ-assert exited with error code 1
@aws-cdk/aws-eks-legacy: Tests failed. Total time (9.0s) | /codebuild/output/src704439715/src/github.com/aws/aws-cdk/node_modules/nyc/bin/nyc.js (5.1s) | cdk-integ-assert (3.9s)
@aws-cdk/aws-eks-legacy: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
@aws-cdk/aws-eks-legacy: error Command failed with exit code 1.
@aws-cdk/aws-eks-legacy: info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
@aws-cdk/aws-eks-legacy: error Command failed with exit code 1.
@aws-cdk/aws-eks-legacy: info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
@aws-cdk/aws-eks-legacy: error Command failed with exit code 1.
@aws-cdk/aws-eks-legacy: info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
lerna ERR! yarn run build+test+extract exited 1 in '@aws-cdk/aws-eks-legacy'
lerna WARN complete Waiting for 7 child processes to exit. CTRL-C to exit immediately.

real	14m45.261s
user	281m29.814s
sys	21m52.770s
Last command failed. Scroll up to see errors in log (search for '!!!!!!!!').

[Container] 2021/08/16 08:26:34 Command did not exit successfully /bin/bash ./build.sh --extract && git diff-index --exit-code --ignore-space-at-eol --stat HEAD exit status 1
[Container] 2021/08/16 08:26:34 Phase complete: BUILD State: FAILED

Not sure what it does without reading all the code. Will try removing the changes from the file within the aws-eks-legacy folder, as the test assertion seems to be checking the stack diff.

@otaviomacedo

This should be enough for you to solve it:

@aws-cdk/aws-eks-legacy: Error: Some stacks have changed. To verify that they still deploy successfully, run: 'yarn integ integ.eks-cluster.defaults.js integ.eks-cluster.lit.js integ.eks-helm.lit.js integ.eks-kubectl.lit.js integ.eks-spot.js'

@otaviomacedo otaviomacedo added the pr-linter/exempt-test The PR linter will not require test changes label Aug 20, 2021
mergify bot commented Aug 20, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 746c00a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 82dd282 into aws:master Aug 20, 2021

smguggen pushed a commit to smguggen/aws-cdk that referenced this pull request Aug 24, 2021
KubectlHandler started to return an insecure kubeconfig file warning starting with Kubernetes 1.20
```
2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default
Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an
other operation (install/upgrade/rollback) is in progress\n'
```

The fix changes the permissions of the file to read and write for the User and removes permissions for Group and Others.


Fixes aws#14560

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
hollanddd pushed a commit to hollanddd/aws-cdk that referenced this pull request Aug 26, 2021
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this pull request Sep 6, 2021
david-doyle-as24 pushed a commit to david-doyle-as24/aws-cdk that referenced this pull request Sep 7, 2021
Successfully merging this pull request may close these issues.

(eks): Warnings about insecure kubeconfig file when running helm
4 participants