eks: Changing securityGroup deletes entire cluster #28584
Labels
@aws-cdk/aws-eks
Related to Amazon Elastic Kubernetes Service
bug
This issue is a bug.
effort/medium
Medium work item – several days of effort
p1
Comments
gricey432
added
bug
github-actions
bot
added
the
@aws-cdk/aws-eks
pahud
added
investigating
|
Yes I think it's possible to just update the cluster security groups without replacing the cluster. At this moment the cluster construct from aws-eks is using customer resource to create the cluster but if we look at SecurityGroupsIds, it's update with no Interruption. Agree we should fix replaceVpc. |
pahud
removed
the
investigating
2 tasks
1 task
mergify bot
pushed a commit
that referenced
this issue
May 10, 2024
### Issue # (if applicable) Closes #28584 ### Reason for this change To have in place updates for EKS clusters when subnets or SG values are changed. ### Description of changes Removed `replaceVpc` logic and introduced `updateVpc` to track changes and errors to handle multiple updates in one go ### Description of how you validated changes Have tested the changes by first deploying a cluster with below config: ```ts const vpc = ec2.Vpc.fromLookup(stack, 'Vpc', { isDefault: true }); new eks.Cluster(stack, 'Cluster', { vpc, ...getClusterVersionConfig(stack, eks.KubernetesVersion.V1_24), defaultCapacity: 0, }); ``` TestCase - 1 Update both subnets and Access at the same time ```ts new eks.Cluster(stack, 'Cluster', { vpc, ...getClusterVersionConfig(stack, eks.KubernetesVersion.V1_29), defaultCapacity: 0, tags: { foo: 'bar', }, endpointAccess: eks.EndpointAccess.PUBLIC, vpcSubnets: [{ subnetType: ec2.SubnetType.PUBLIC }], }); ``` Error below is thrown for Cluster custom resource - ``` { "errorType": "Error", "errorMessage": "Only one type of update - VpcConfigUpdate, LoggingUpdate or EndpointAccessUpdate can be allowed", "stack": [ "Error: Only one type of update - VpcConfigUpdate, LoggingUpdate or EndpointAccessUpdate can be allowed", " at Pi.onUpdate (/var/task/index.js:55:651127)", " at Pi.onEvent (/var/task/index.js:55:647590)", " at Runtime.yR [as handler] (/var/task/index.js:55:657995)", " at Runtime.handleOnceNonStreaming (file:///var/runtime/index.mjs:1173:29)" ] } ``` TestCase - 2 Update subnets to public ```ts new eks.Cluster(stack, 'Cluster', { vpc, ...getClusterVersionConfig(stack, eks.KubernetesVersion.V1_29), defaultCapacity: 0, vpcSubnets: [{ subnetType: ec2.SubnetType.PUBLIC }], }); ``` ``` { "updates": { "replaceName": false, "updateVpc": true, "updateAccess": false, "replaceRole": false, "updateVersion": false, "updateEncryption": false, "updateLogging": false } } ``` ``` { clientName: 'EKSClient', commandName: 'UpdateClusterConfigCommand', input: { name: 'Cluster9EE0221C-0b6f58b0698348aea43866b93a62b2c9', resourcesVpcConfig: { subnetIds: [Array], securityGroupIds: [Array] } }, output: { update: { createdAt: 2024-05-08T20:55:00.013Z, errors: [], id: '7d5cd243-5536-3f52-b5ca-4c6e6c044529', params: [Array], status: 'InProgress', type: 'VpcConfigUpdate' } }, metadata: {} } ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
This was referenced Jun 22, 2024
This was referenced Jul 5, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Adding a custom
securityGrouptoeks.Clustercauses a full replacement of the stateful k8s cluster and data loss.Expected Behavior
securityGroupwould be updated in place as it is through the console, SDK, and as indicated incdk diff.Current Behavior
The custom resource quietly created a new, empty EKS cluster and then deleted the existing cluster.
Reproduction Steps
Should be reproducible by
eks.Clusterwith nosecurityGroupsecurityGroupto the clusterPossible Solution
Looking at the
onEventHandlerlogs for the custom resource, it looks like the issue is that changing the SG caused this update setLooks like the check for
replaceVpcis very rough and way too trigger happyhttps://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts#L330
In fact it looks like the API can replace subnets and security groups in place https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateClusterConfig.html
The
eks.Clusterresource takes avpcprop, I think the changing of that prop should be the only reason thatreplaceVpcneeds to be true...Additional Information/Context
No response
CDK CLI Version
2.113.0 (build ccd534a)
Framework Version
No response
Node.js Version
v18.17.1
OS
Windows 11
Language
TypeScript
Language Version
4.9.3
Other information
#25544 may have aided disaster recovery here
I would like to have a Stack Policy on this stack but since it's implemented as a custom resource, cloudformation can only tell me that the CR itself isn't going to be replaced, but can't stop / inform me that the CR is going to be destructive.
The text was updated successfully, but these errors were encountered: