Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws-eks: albController and FargateCluster compatibility with AuthenticationMode.API mode #30888

Closed
Hazzard17h opened this issue Jul 18, 2024 · 5 comments · Fixed by #31267
Closed
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1

Comments

@Hazzard17h
Copy link

Describe the bug

Setting EKS Cluster authenticationMode: AuthenticationMode.API cause "Error: ConfigMap not supported in the AuthenticationMode" if using albController or fargate profiles (for FargateCluster).

Expected Behavior

Use the new AccessEntry mechanism when authenticationMode: AuthenticationMode.API, for all resources managed by Cluster that need EKS API access.

Current Behavior

Error: ConfigMap not supported in the AuthenticationMode

Reproduction Steps

new Cluster(this, 'cluster', {
  version: KubernetesVersion.V1_27,
  authenticationMode: AuthenticationMode.API,
  albController: { version: AlbControllerVersion.V2_6_2 }
});

or

new FargateCluster(this, 'cluster', {
  version: KubernetesVersion.V1_27,
  authenticationMode: AuthenticationMode.API
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.148.0 (build e5740c0)

Framework Version

2.148.0

Node.js Version

v20.15.1

OS

Ubuntu 20.04

Language

TypeScript

Language Version

TypeScript 5.5.3

Other information

No response

@Hazzard17h Hazzard17h added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 18, 2024
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Jul 18, 2024
@pahud
Copy link
Contributor

pahud commented Jul 18, 2024

Yes, that is how AuthenticationMode is designed.

When you switch to AuthenticationMode.API, your cluster would support auth API only, ConfigMap would not be supported.

I am not sure if albController does require ConfigMap, if it does, you probably should use AuthenticationMode.API_AND_CONFIG_MAP

@pahud pahud added p3 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Jul 18, 2024
@Hazzard17h
Copy link
Author

@pahud I know that this is the intended behavior for AuthenticationMode.API, but as this is implemented in CDK I expect that other managed resources are configured to be able to use this new mode.

Currently it's not possibile to use Fargate in a Cluster with AuthenticationMode.API (and FargateCluster construct at all, as per the example code), probably there should be an if here checking the AuthenticationMode, and if it's API should use cluster.grantAccess instead of cluster.awsAuth.addRoleMapping:

// map the fargate pod execution role to the relevant groups in rbac
// see https://github.com/aws/aws-cdk/issues/7981
props.cluster.awsAuth.addRoleMapping(this.podExecutionRole, {
username: 'system:node:{{SessionName}}',
groups: [
'system:bootstrappers',
'system:nodes',
'system:node-proxier',
],
});

Or maybe could be removed at all, as per EKS documentation:

It's unnecessary to create an access entry for an IAM role that's used for a managed node group or a Fargate profile, because Amazon EKS adds entries for these roles to the aws-auth ConfigMap, regardless of which platform version your cluster is at.

And I can also see that just switching to AuthenticationMode.API_AND_CONFIG_MAP, EKS created an AccessEntry for the Fargate podExecutionRole automatically.
But I'm not expert of EKS, so maybe we should ask to the team.

About ALB Controller, I don't know why here there is a dependency to awsAuth:

// the controller relies on permissions deployed using these resources.
chart.node.addDependency(serviceAccount);
chart.node.addDependency(props.cluster.openIdConnectProvider);
chart.node.addDependency(props.cluster.awsAuth);

As far as I know ALB Controller needs permissions to access AWS API with a ServiceAccount, not to grant access to K8S API to an IAM entity.
Also here should be checked with EKS and ALB Controller teams.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 19, 2024
@pahud
Copy link
Contributor

pahud commented Jul 19, 2024

Yes we will need to improve the compatibility with AuthenticationMode.API as some legacy code probably still assume ConfigMap only.

probably there should be an if here checking the AuthenticationMode, and if it's API should use cluster.grantAccess instead of cluster.awsAuth.addRoleMapping

Yes I agree. This might be required.

About ALB Controller, I don't know why here there is a dependency to awsAuth

We probably need a similar check here as well.

We welcome PRs to help us improve the compatibility with AuthenticationMode.API mode. Please help us prioritize with 👍 .

@pahud pahud added p2 feature-request A feature should be added or improved. effort/medium Medium work item – several days of effort and removed p3 bug This issue is a bug. labels Jul 19, 2024
@pahud pahud changed the title aws-eks: ConfigMap not supported in the AuthenticationMode aws-eks: albController and FargateCluster compatibility with AuthenticationMode.API mode Jul 19, 2024
@pahud pahud added p1 and removed p2 labels Aug 9, 2024
@paulhcsun paulhcsun self-assigned this Aug 14, 2024
@paulhcsun paulhcsun removed their assignment Aug 27, 2024
mergify bot pushed a commit that referenced this issue Sep 4, 2024
…ode (#31258)

### Issue # (if applicable)

This PR improve the compatibility for `albController` with `authenticationMode.API`

related to #30888

We will address Fargate compatibility in #31267

### Reason for this change

- When `authenticationMode.API` is specified, no aws-auth configMap should be created
- albController should not depend on `cluster.awsAuth` because that would create aws-auth configmap, which is not required in `API` mode.



### Description of changes



### Description of how you validated changes

**unit tests**
- validate the behavior in all conditions of the `authenticationMode`

**integ test**
- add a new integ test with API mode to ensure successful deployment


## debugger

```js
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Jest",
      "program": "${workspaceFolder}/node_modules/jest/bin/jest.js",
      "cwd": "${workspaceFolder}/packages/aws-cdk-lib",
      "args": [
        "--verbose",
        "-i",
        "--no-cache",
        "test/alb-controller.test.ts",
      ],
      "console": "integratedTerminal",
      "internalConsoleOptions": "neverOpen",
      "skipFiles": [
        "<node_internals>/**"
      ],
      "outFiles": [
        "${workspaceFolder}/**/*.(m|c|)js",
        "!**/node_modules/**"
      ],
    }
  ]
}
```



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
pahud added a commit to pahud/aws-cdk that referenced this issue Sep 9, 2024
…ode (aws#31258)

### Issue # (if applicable)

This PR improve the compatibility for `albController` with `authenticationMode.API`

related to aws#30888

We will address Fargate compatibility in aws#31267

### Reason for this change

- When `authenticationMode.API` is specified, no aws-auth configMap should be created
- albController should not depend on `cluster.awsAuth` because that would create aws-auth configmap, which is not required in `API` mode.



### Description of changes



### Description of how you validated changes

**unit tests**
- validate the behavior in all conditions of the `authenticationMode`

**integ test**
- add a new integ test with API mode to ensure successful deployment


## debugger

```js
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Jest",
      "program": "${workspaceFolder}/node_modules/jest/bin/jest.js",
      "cwd": "${workspaceFolder}/packages/aws-cdk-lib",
      "args": [
        "--verbose",
        "-i",
        "--no-cache",
        "test/alb-controller.test.ts",
      ],
      "console": "integratedTerminal",
      "internalConsoleOptions": "neverOpen",
      "skipFiles": [
        "<node_internals>/**"
      ],
      "outFiles": [
        "${workspaceFolder}/**/*.(m|c|)js",
        "!**/node_modules/**"
      ],
    }
  ]
}
```



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@mergify mergify bot closed this as completed in #31267 Sep 11, 2024
@mergify mergify bot closed this as completed in 4d12833 Sep 11, 2024
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 11, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants