New EKS cluster may not have aws_auth config map breaking resource detection #31300

Open
ryanfaircloth opened this issue Feb 16, 2024 · 8 comments
Labels
bug Something isn't working processor/resourcedetection Resource detection processor

Comments

@ryanfaircloth

Component(s)

No response

What happened?

Description

AWS is moving from config_map managed auth to a new feature called access entries. When access entries is enabled, the aws_auth is removed; this breaks the current resourcedetection/eks.
https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html

awsAuth, err := utils.getConfigMap(ctx, authConfigmapNS, authConfigmapName)

Steps to Reproduce

Deploy a collector on an EKS cluster with API only access entries (no aws_auth config map)

Expected Result

EKS should still be the resource type

Actual Result

Collector version

v0.93.0

Environment information

AWS
EKS 1.28
Access Entries enabled aws_auth configmap removed

OpenTelemetry Collector configuration

resourcedetection:
  detectors:
    - env
    - eks

Log output

2024-02-16T16:56:02.022Z        warn    internal/resourcedetection.go:130       failed to detect resource       {"kind": "processor", "name": "resourcedetection", "pipeline": "logs", "error": "isEks() error retrieving auth configmap: failed to retrieve ConfigMap kube-system/aws-auth: configmaps \"aws-auth\" is forbidden: User \"system:serviceaccount:otel-system:otel-collector-cluster\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"kube-system\""}
2024-02-16T16:56:02.023Z        info    internal/resourcedetection.go:139       detected resource information   {"kind": "processor", "name": "resourcedetection", "pipeline": "logs", "resource": {}}

Additional context

No response

@ryanfaircloth ryanfaircloth added bug Something isn't working needs triage New item requiring triage labels Feb 16, 2024
@crobert-1 crobert-1 added the processor/resourcedetection Resource detection processor label Feb 26, 2024
Contributor

Pinging code owners for processor/resourcedetection: @Aneurysm9 @dashpole. See Adding Labels via Comments if you do not have permissions to add labels yourself.

@crobert-1
Member

Thanks for posting @ryanfaircloth, I was able to read the links provided and agree this is an issue that needs to be resolved.

Removing needs triage

@crobert-1 crobert-1 removed the needs triage New item requiring triage label Mar 5, 2024
Contributor

github-actions bot commented May 6, 2024

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions github-actions bot added the Stale label May 6, 2024
@crobert-1 crobert-1 removed the Stale label May 6, 2024
Contributor

github-actions bot commented Jul 8, 2024

@github-actions github-actions bot added the Stale label Jul 8, 2024
@SoerenHenning

I ran into this issue today. My cluster does not have the ConfigMap kube-system/aws-auth. Is there any workaround for that? I wondered whether maybe the alpha.eksctl.io/cluster-name node label could be used for EKS clusters that are created with eksctl.

@crobert-1 crobert-1 removed the Stale label Aug 8, 2024
Contributor

github-actions bot commented Oct 8, 2024

@github-actions github-actions bot added the Stale label Oct 8, 2024
Contributor

github-actions bot commented Dec 7, 2024

This issue has been closed as inactive because it has been stale for 120 days with no activity.

@github-actions github-actions bot closed this as not planned Dec 7, 2024
@r-asiebert

Requesting re-opening this; this is still broken, just ran into it.

internal/resourcedetection.go:130 failed to detect resource {"kind": "processor", "name": "resourcedetection", "pipeline": "metrics", "error": "isEks() error retrieving auth configmap: failed to retrieve ConfigMap kube-system/aws-auth: configmaps "aws-auth" is forbidden: User "system:serviceaccount:otel:otelcol-custom-service-account" cannot get resource "configmaps" in API group "" in the namespace "kube-system""}

Not only is this configmap obsolete, it's odd to give permissions to otelcol to get (not list) a somewhat sensitive object for that check.
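
Added example, not part of the issue thread or the collector's code: a small Go parser for triaging the `failed to detect resource` warnings quoted above. It recovers which service account was denied which verb on which object, and flags the case where the denied object is the `kube-system/aws-auth` ConfigMap. The names `ParseDenial`, `Denial` and `IsAwsAuthProbe` are hypothetical; the sample line is the one from the original report's log output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Sample input: the warn line from the issue's "Log output" section.
const sampleLine = "2024-02-16T16:56:02.022Z\twarn\tinternal/resourcedetection.go:130\tfailed to detect resource\t" +
	`{"kind": "processor", "name": "resourcedetection", "pipeline": "logs", "error": "isEks() error retrieving auth configmap: failed to retrieve ConfigMap kube-system/aws-auth: configmaps \"aws-auth\" is forbidden: User \"system:serviceaccount:otel-system:otel-collector-cluster\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"kube-system\""}`

// Denial is the RBAC decision recovered from a Kubernetes "forbidden" error.
type Denial struct {
	Subject, Verb, Resource, Name, Namespace string
}

// forbiddenRe matches the API server's denial text inside the "error" field.
var forbiddenRe = regexp.MustCompile(`"([^"]+)" is forbidden: User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "[^"]*" in the namespace "([^"]+)"`)

// IsAwsAuthProbe reports whether the denied request targeted kube-system/aws-auth.
func (d Denial) IsAwsAuthProbe() bool {
	return d.Resource == "configmaps" && d.Name == "aws-auth" && d.Namespace == "kube-system"
}

// ParseDenial returns the denial in one collector log line, or ok=false if there is none.
func ParseDenial(line string) (Denial, bool) {
	i := strings.Index(line, "{") // structured fields follow the tab-separated prefix
	if i < 0 {
		return Denial{}, false
	}
	var fields struct {
		Name  string `json:"name"`
		Error string `json:"error"`
	}
	if err := json.Unmarshal([]byte(line[i:]), &fields); err != nil || fields.Name != "resourcedetection" {
		return Denial{}, false
	}
	m := forbiddenRe.FindStringSubmatch(fields.Error)
	if m == nil {
		return Denial{}, false
	}
	return Denial{Subject: m[2], Verb: m[3], Resource: m[4], Name: m[1], Namespace: m[5]}, true
}

func main() {
	d, ok := ParseDenial(sampleLine)
	fmt.Println(ok, d.IsAwsAuthProbe(), d.Subject, d.Verb)
}
```
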
