From 99aa098b722f6a643f36ec5ab447d7592a763a85 Mon Sep 17 00:00:00 2001 From: Daniel Morales <54182283+Daniel-Designs@users.noreply.github.com> Date: Wed, 22 Jan 2025 20:59:41 -0600 Subject: [PATCH 1/2] Update eks-outposts-troubleshooting.adoc This commit explains the information added. Add new troubleshooting section for KMS key accessibility issues when creating EKS clusters on Outposts. This is a common issue when using customer managed KMS keys for EBS volume encryption. --- latest/ug/outposts/eks-outposts-troubleshooting.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 5df0da23..0572e8da 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc 
@@ -217,6 +217,7 @@ The most common issues are the following: * Your cluster can't connect to the control plane instance from the {aws} Region that Systems Manager is in. You can verify this by calling `aws ssm start-session --target [.replaceable]``instance-id``` from an in-Region bastion host. If that command doesn't work, check if Systems Manager is running on the control plane instance. Or, another work around is to delete the cluster and then recreate it. +* The control plane instances fail to create due to KMS key permissions for EBS volumes. When using customer managed KMS keys for encrypted EBS volumes, the control plane instances will terminate if the key is not accessible. If the instances are terminated, either switch to an AWS managed KMS key or ensure your customer managed key policy grants the necessary permissions to the cluster role. * Systems Manager control plane instances might not have internet access. Check if the subnet that you provided when you created the cluster has a NAT gateway and a VPC with an internet gateway. Use VPC reachability analyzer to verify that the control plane instance can reach the internet gateway. For more information, see link:vpc/latest/reachability/getting-started.html[Getting started with VPC Reachability Analyzer,type="documentation"]. * The role ARN that you provided is missing policies. Check if the <> was removed from the role. This can also occur if an {aws} CloudFormation stack is misconfigured. From 4352f5845c44af94313264baf2c9c22e611c6463 Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 23 Jan 2025 14:11:26 -0600 Subject: [PATCH 2/2] Revert "Update eks-outposts-troubleshooting.adoc" Reverting changes from previous commits --- latest/ug/outposts/eks-outposts-troubleshooting.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 0572e8da..5df0da23 100644 
--- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -217,7 +217,6 @@ The most common issues are the following: * Your cluster can't connect to the control plane instance from the {aws} Region that Systems Manager is in. You can verify this by calling `aws ssm start-session --target [.replaceable]``instance-id``` from an in-Region bastion host. If that command doesn't work, check if Systems Manager is running on the control plane instance. Or, another work around is to delete the cluster and then recreate it. -* The control plane instances fail to create due to KMS key permissions for EBS volumes. When using customer managed KMS keys for encrypted EBS volumes, the control plane instances will terminate if the key is not accessible. If the instances are terminated, either switch to an AWS managed KMS key or ensure your customer managed key policy grants the necessary permissions to the cluster role. * Systems Manager control plane instances might not have internet access. Check if the subnet that you provided when you created the cluster has a NAT gateway and a VPC with an internet gateway. Use VPC reachability analyzer to verify that the control plane instance can reach the internet gateway. For more information, see link:vpc/latest/reachability/getting-started.html[Getting started with VPC Reachability Analyzer,type="documentation"]. * The role ARN that you provided is missing policies. Check if the <> was removed from the role. This can also occur if an {aws} CloudFormation stack is misconfigured.
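Review bot: the new `+*` bullet in the `@@ -217,6 +217,7 @@` hunk of PATCH 1/2 tells the reader to "ensure your customer managed key policy grants the necessary permissions to the cluster role" without saying which permissions or which principal, so a reader who hits this cannot act on it; either name the key-policy statements the control plane instances need or link to the page that does, and replace "the cluster role" with the wording the neighbouring bullet already uses ("the role ARN that you provided") so both bullets clearly refer to the same role. Two smaller points on the same line: "AWS managed KMS key" should be `{aws} managed KMS key` to match the `{aws}` attribute used in the adjacent bullets, and the bullet would be more useful as a troubleshooting item if it said how to confirm the cause (for example, that the terminated instances show a KMS-related state reason) before giving the remedy.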
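Review bot: PATCH 2/2 removes the exact bullet PATCH 1/2 added, so the series as a whole is a no-op (`1 insertion(+)` followed by `1 deletion(-)`), and the revert message "Reverting changes from previous commits" gives no reason. If the KMS bullet was found to be inaccurate, say so in the commit message so the next contributor does not re-add it; if the revert was procedural, squash the two commits or close the PR rather than merging a pair of commits that cancel each other out.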