
aws-eks: KubectlProvider fails to create/update in govcloud #24808

Closed
wongma7 opened this issue Mar 27, 2023 · 3 comments
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

wongma7 (Member) commented Mar 27, 2023

Describe the bug

In govcloud (aws-us-gov partition), "Amazon ECR public registries aren't supported." https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ecr.html

The managed policy "AmazonElasticContainerRegistryPublicReadOnly" does not exist there.

#24104 added this managed policy "AmazonElasticContainerRegistryPublicReadOnly" and now KubectlProvider HandlerServiceRole fails to create/update.

Expected Behavior

KubectlProvider HandlerServiceRole successfully creates/updates in govcloud, the same as in other AWS partitions

Current Behavior

KubectlProvider HandlerServiceRole fails to create/update in govcloud

Reproduction Steps

Create a 1.25 EKS cluster in govcloud*

    import * as eks from 'aws-cdk-lib/aws-eks';

    // Inside a Stack constructor, so `this` is the construct scope.
    const cluster = new eks.Cluster(this, 'hello-eks', {
      version: eks.KubernetesVersion.V1_25,
    });

Possible Solution

Wrap this:

    // For OCI helm chart public ECR authorization.
    this.handlerRole.addManagedPolicy(
      iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonElasticContainerRegistryPublicReadOnly'),
    );

in a partition check

Additional Information/Context

No response

CDK CLI Version

2.27.0 (build 8e89048)

"aws-cdk": "^2.69.0",

Framework Version

"aws-cdk": "^2.69.0",

Node.js Version

v18.14.0

OS

linux

Language

Typescript

Language Version

No response

Other information

No response

@wongma7 wongma7 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 27, 2023
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Mar 27, 2023
pahud (Contributor) commented Mar 28, 2023

Thank you. I am working on this issue at #25215. Will add gov cloud in the exclusion list.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Mar 28, 2023
mergify bot pushed a commit that referenced this issue Apr 21, 2023
…Cloud regions (#25215)

Reopening this PR because #25170 was closed by accident.

As ECR Public is not available in China regions and GovCloud, the `AmazonElasticContainerRegistryPublicReadOnly` IAM managed policy would not be available in those affected regions and should not be attached to the role. This PR implements a CfnCondition to determine if ECR Public is available based on the `Aws.Partition` of the deploying region and conditionally attaches `AmazonElasticContainerRegistryPublicReadOnly` to the kubectl-provider handler role.

This PR has been tested in the following regions:

- [x] *cn-north-1
- [x] *cn-northwest-1
- [x] us-east-1

* I can confirm the role is created correctly in cn regions, but due to
   - #24358
   - #24696

  the cluster and nodegroup are still failing to create in CN.

Closes #24743 #24808 #25178
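The issue's proposed "partition check" and the PR's CfnCondition approach both come down to the same CloudFormation shape: a condition on AWS::Partition and an Fn::If that yields AWS::NoValue where the policy does not exist. The fragment below is an added illustration, not code from the aws-cdk project or the PR; the condition name HasEcrPublic and the evaluator are hypothetical, and the only managed policy modelled is the one the issue discusses.

```typescript
// Added example, not aws-cdk's own code: the CloudFormation shape that gating a
// managed-policy attachment on AWS::Partition produces, with a small evaluator
// for the intrinsics involved so the outcome can be checked per partition.
type Json = string | boolean | null | Json[] | { [key: string]: Json };
const NO_VALUE = Symbol('AWS::NoValue'); // stands for an element removed by Ref AWS::NoValue

// Hypothetical template fragment. The policy ARN is attached only when HasEcrPublic
// holds (partition "aws"); elsewhere Fn::If yields AWS::NoValue and the element drops
// out of ManagedPolicyArns, so IAM is never asked for a policy that does not exist there.
const conditions: { [key: string]: Json } = {
  HasEcrPublic: { 'Fn::Equals': [{ Ref: 'AWS::Partition' }, 'aws'] },
};
const managedPolicyArnsProperty: Json = [
  { 'Fn::If': ['HasEcrPublic',
    'arn:aws:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly',
    { Ref: 'AWS::NoValue' }] },
];

// Resolve Ref / Fn::Equals / Fn::If the way CloudFormation would for one partition.
function resolve(node: Json, partition: string): Json | typeof NO_VALUE {
  if (Array.isArray(node)) {
    return node.map((n) => resolve(n, partition)).filter((n) => n !== NO_VALUE) as Json[];
  }
  if (node === null || typeof node !== 'object') return node; // scalar
  const [key] = Object.keys(node);
  const arg = node[key];
  switch (key) {
    case 'Ref':
      if (arg === 'AWS::Partition') return partition;
      if (arg === 'AWS::NoValue') return NO_VALUE;
      throw new Error(`unsupported Ref ${String(arg)}`);
    case 'Fn::Equals': {
      const [a, b] = (arg as Json[]).map((x) => resolve(x, partition));
      return a === b;
    }
    case 'Fn::If': {
      const [name, whenTrue, whenFalse] = arg as Json[];
      const holds = resolve(conditions[name as string], partition) === true;
      return resolve(holds ? whenTrue : whenFalse, partition);
    }
    default:
      throw new Error(`unsupported intrinsic ${key}`);
  }
}

// Managed-policy ARNs the handler role ends up with when deployed to a partition.
function managedPolicyArns(partition: string): string[] {
  return resolve(managedPolicyArnsProperty, partition) as string[];
}
```

For partition "aws" the role keeps the ECR Public policy; for "aws-cn" and "aws-us-gov" the list resolves empty, which is the behaviour the fix needs.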
pahud (Contributor) commented Apr 21, 2023

closed by #25215

@pahud pahud closed this as completed Apr 21, 2023