
[aws-eks] mastersRole of aws-auth has no username set, causing metrics-server not to work correctly #5263

Closed
a60814billy opened this issue Nov 30, 2019 · 1 comment · Fixed by #5649
Assignees
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service bug This issue is a bug. p1

Comments


a60814billy commented Nov 30, 2019

I deployed a new EKS cluster with mastersRole, and then connected to the k8s cluster by assuming the masters role. It worked perfectly fine.

Next, I followed this document to install metrics-server on my cluster, then used kubectl top node to verify whether metrics-server was working correctly.

Unfortunately, I encountered a server error:

$ kubectl top node
error: You must be logged in to the server (Unauthorized)

In order to debug the error, I used kubectl -n kube-system logs -l k8s-app=metrics-server to print the logs; the metrics-server log is shown below:

I1130 19:40:37.230865       1 serving.go:312] Generated self-signed cert (apiserver.local.config/certificates/apiserver.crt, apiserver.local.config/certificates/apiserver.key)
I1130 19:40:37.582772       1 secure_serving.go:116] Serving securely on [::]:443
E1130 19:41:15.309837       1 authentication.go:65] Unable to authenticate the request due to an error: x509: certificate signed by unknown authority
E1130 19:45:23.565685       1 authentication.go:65] Unable to authenticate the request due to an error: x509: certificate signed by unknown authority

After that, I created a support ticket with AWS Support, and he pointed out that aws-auth isn't set correctly: the role in mapRoles should contain a username. According to the AWS documentation, the default value of username should be the roleArn.

To solve this problem, a workaround is to add the masters role manually with a username:

myCluster.awsAuth.addMastersRole(myAdminRole, 'admin');

or modify the addMastersRole function in the AwsAuth class, adding a default username when username is not set.

public addMastersRole(role: iam.IRole, username?: string) {
    // username is passed through unchanged; when it is undefined the
    // mapRoles entry is written without a username field
    this.addRoleMapping(role, {
        username,
        groups: [ 'system:masters' ]
    });
}

because the constructor of Cluster does not pass a username to the addMastersRole function:

this.awsAuth.addMastersRole(props.mastersRole);

Reproduction Steps

  1. Stack Source Code
import * as core from '@aws-cdk/core';
import * as eks from '@aws-cdk/aws-eks';
import * as iam from '@aws-cdk/aws-iam';

export class EksTest extends core.Stack {
    constructor(scope: core.Construct, id: string, props: core.StackProps) {
        super(scope, id, props);
        // Role that gets mapped into system:masters through aws-auth
        const clusterAdmin = new iam.Role(this, 'EKS-Admin-Role', {
            assumedBy: new iam.AccountRootPrincipal(),
        });

        // Cluster created with mastersRole; no username is passed through to aws-auth
        const myEksCluster = new eks.Cluster(this, 'eks-test', {
            mastersRole: clusterAdmin,
        });
    }
}
  2. Set up kubeconfig from the cdk output
EKS-Stack.ekstestConfigCommand78CC8955 = aws eks update-kubeconfig --name cluster-33eb8e2e-7653-4d3b-a779-05c176085f77 --region ap-northeast-1 --role-arn arn:aws:iam::xxxxxxxxxxxx:role/EKS-Stack-EKSAdminRole08B22A7B-1HN27Q53HJVU2
  3. Set up metrics-server (https://docs.aws.amazon.com/eks/latest/userguide/metrics-server.html)
$ DOWNLOAD_URL=$(curl --silent "https://api.github.com/repos/kubernetes-sigs/metrics-server/releases/latest" | jq -r .tarball_url)
$ DOWNLOAD_VERSION=$(grep -o '[^/v]*$' <<< $DOWNLOAD_URL)
$ curl -Ls $DOWNLOAD_URL -o metrics-server-$DOWNLOAD_VERSION.tar.gz
$ mkdir metrics-server-$DOWNLOAD_VERSION
$ tar -xzf metrics-server-$DOWNLOAD_VERSION.tar.gz --directory metrics-server-$DOWNLOAD_VERSION --strip-components 1
$ kubectl apply -f metrics-server-$DOWNLOAD_VERSION/deploy/1.8+/
  4. Wait for metrics-server to be deployed, then use kubectl top node to reproduce the problem
$ kubectl top node

Error Log

  1. Error log of kubectl top node
error: You must be logged in to the server (Unauthorized)
  2. Error log of metrics-server
I1130 19:40:37.230865       1 serving.go:312] Generated self-signed cert (apiserver.local.config/certificates/apiserver.crt, apiserver.local.config/certificates/apiserver.key)
I1130 19:40:37.582772       1 secure_serving.go:116] Serving securely on [::]:443
E1130 19:41:15.309837       1 authentication.go:65] Unable to authenticate the request due to an error: x509: certificate signed by unknown authority
E1130 19:45:23.565685       1 authentication.go:65] Unable to authenticate the request due to an error: x509: certificate signed by unknown authority

Environment

  • CLI Version : 1.8.0
  • Framework Version: 1.8.0
  • OS : macOS 10.13.6
  • Language : typescript

Other

Maybe I can contribute the fix I described above, adding a default value for username in the addMastersRole function.

This is a 🐛 Bug Report
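The following is an added illustration of the behaviour this report describes; it is not code from the aws-cdk project or from the reporter. It models the aws-auth mapRoles entry as CDK writes it, with the proposed default of username to the role ARN, and adds a small check that scans an existing mapRoles document (the string you get from `kubectl -n kube-system get cm aws-auth -o jsonpath='{.data.mapRoles}'`) for entries that have no username. The function names, the minimal parser, and the sample ARNs are assumptions constructed for the example; the parser only understands the flat list layout aws-auth uses, not general YAML.

```typescript
// Added example, not CDK's own implementation: build aws-auth mapRoles
// entries with a defaulted username, and lint an existing document.

interface RoleMapping {
  rolearn: string;
  username?: string;
  groups: string[];
}

// Hypothetical stand-in for the fixed addRoleMapping: when no username is
// supplied, fall back to the role ARN (the default AWS documents).
export function buildRoleMapping(roleArn: string, groups: string[], username?: string): RoleMapping {
  return { rolearn: roleArn, username: username !== undefined ? username : roleArn, groups };
}

// Hypothetical stand-in for addMastersRole after the fix.
export function addMastersRole(roleArn: string, username?: string): RoleMapping {
  return buildRoleMapping(roleArn, ['system:masters'], username);
}

// Render entries in the shape stored under data.mapRoles in the aws-auth ConfigMap.
export function renderMapRoles(entries: RoleMapping[]): string {
  return entries.map(e => {
    const lines = [`- rolearn: ${e.rolearn}`];
    if (e.username !== undefined) lines.push(`  username: ${e.username}`);
    lines.push('  groups:');
    for (const g of e.groups) lines.push(`    - ${g}`);
    return lines.join('\n');
  }).join('\n') + '\n';
}

function setField(e: RoleMapping, key: string, value: string): void {
  const v = value.trim().replace(/^["']|["']$/g, '');
  if (key === 'rolearn') e.rolearn = v;
  else if (key === 'username') e.username = v;
}

// Minimal parser for the flat mapRoles list (assumption: two-space indented
// keys, four-space indented group items). Not a general YAML parser.
export function parseMapRoles(yaml: string): RoleMapping[] {
  const entries: RoleMapping[] = [];
  let current: RoleMapping | undefined;
  for (const raw of yaml.split('\n')) {
    const line = raw.trimEnd();
    if (line.trim() === '') continue;
    let m: RegExpMatchArray | null;
    if ((m = line.match(/^- (\w+): (.*)$/))) {
      current = { rolearn: '', groups: [] };
      entries.push(current);
      setField(current, m[1], m[2]);
    } else if ((m = line.match(/^  (\w+): ?(.*)$/)) && current) {
      if (m[1] !== 'groups') setField(current, m[1], m[2]);
    } else if ((m = line.match(/^    - (.*)$/)) && current) {
      current.groups.push(m[1].trim());
    } else {
      throw new Error(`unrecognised mapRoles line: ${JSON.stringify(line)}`);
    }
  }
  return entries;
}

// ARNs of mappings with no username: these are the entries that make
// aggregated APIs such as metrics-server answer "Unauthorized".
export function findMissingUsernames(yaml: string): string[] {
  return parseMapRoles(yaml).filter(e => !e.username).map(e => e.rolearn);
}

// Constructed sample of a mapRoles document: a node role mapped correctly and
// an admin role written without a username, as the unfixed Cluster did.
export const SAMPLE_MAP_ROLES = `
- rolearn: arn:aws:iam::111122223333:role/eks-node-instance-role
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::111122223333:role/EKS-Admin-Role
  groups:
    - system:masters
`;

console.log('mappings without username:', findMissingUsernames(SAMPLE_MAP_ROLES));
console.log(renderMapRoles([addMastersRole('arn:aws:iam::111122223333:role/EKS-Admin-Role')]));
```

Running the check against the constructed sample reports the admin role only; rendering the same role through the fixed mapping produces an entry whose username is the ARN, and the check then reports nothing.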

@a60814billy a60814billy added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 30, 2019
@a60814billy a60814billy changed the title [EKS] masterRole of aws-auth not set username cause metrics-server not working correclty [EKS] masterRole of aws-auth is not set username cause metrics-server not working correclty Dec 1, 2019
@SomayaB SomayaB added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Dec 2, 2019
@eladb eladb added the p1 label Dec 11, 2019

eladb commented Dec 30, 2019

Thanks for the awesome bug report!

eladb pushed a commit that referenced this issue Jan 5, 2020
When mapping roles and users through the aws-auth config map, if a username is not specified, we need to default to the user/role ARN. Not specifying a default username will cause things like metrics server to fail.

Fixes #5263
@mergify mergify bot closed this as completed in #5649 Jan 6, 2020
mergify bot pushed a commit that referenced this issue Jan 6, 2020
* fix(eks): aws-auth username not set by default

When mapping roles and users through the aws-auth config map, if a username is not specified, we need to default to the user/role ARN. Not specifying a default username will cause things like metrics server to fail.

Fixes #5263

* chore(build): foreach.sh --up

Add support for `--up` in `foreach.sh` which will execute the command for the current module and all its dependencies (instead of the entire repo).
Use this new feature in `buildup` so from now, `buildup` is resumable. Restart can be done through `./buildup --restart`.

Update CONTRIBUTING guide.

* update expectations
@iliapolo iliapolo changed the title [EKS] masterRole of aws-auth is not set username cause metrics-server not working correclty [aws-eks] masterRole of aws-auth is not set username cause metrics-server not working correclty Aug 16, 2020
@iliapolo iliapolo removed the needs-triage This issue or PR still needs to be triaged. label Aug 16, 2020