Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fails on EKS #1

Open
mhausenblas opened this issue Jan 25, 2020 · 4 comments
Open

Fails on EKS #1

mhausenblas opened this issue Jan 25, 2020 · 4 comments

Comments

@mhausenblas
Copy link

Tried to deploy on EKS and fails.

My environment:

$ k version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.2", GitCommit:"59603c6e503c87169aea6106f57b9f242f64df89", GitTreeState:"clean", BuildDate:"2020-01-23T14:21:36Z", GoVersion:"go1.13.6", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.9-eks-c0eccc", GitCommit:"c0eccca51d7500bb03b2f163dd8d534ffeb2f7a2", GitTreeState:"clean", BuildDate:"2019-12-22T23:14:11Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}

No pod comes up, due to:

$  kubectl describe rs klum-799bb95cd7
...
   True    FailedCreate
Events:
  Type     Reason        Age               From                   Message
  ----     ------        ----              ----                   -------
  Warning  FailedCreate  2s (x4 over 29s)  replicaset-controller  Error creating: No API token found for service account "klum", retry after the token is automatically created and added to the service account

Great stuff, can't wait to use it. Thanks and KUTGW!
@ibuildthecloud
Copy link
Owner

Crazy.... why wouldn't there be a token automatically created? Is this just a vanilla EKS cluster or do you have some other security products/configuration applied that would prevent tokens from being issued?

@mhausenblas
Copy link
Author

Nah, it's a vanilla one. Wondering, could it be that there is an CRD missing?

@kenlavoie
Copy link

How are you doing auth? kube2iam, kiam, or aws IAM

Also, are you pulling the token? kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}') is from https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html

I'll be interested to see if it's an auth or pulling the token issue

@mhausenblas
Copy link
Author

Hi @kenlavoie thanks for chiming in!

How are you doing auth?

This is a vanilla EKS cluster so using the default aws-iam-authenticator.

kube2iam, kiam, or aws IAM

It was provisioned using eksctl and is IRSA-enabled. I don't see how this may be related since I don't see any pod-level privileges assigned, but anyways, IRSA is available in the cluster.

Also, are you pulling the token?

What exactly do you mean by "pulling the token" ?

FWIW, executing kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}') results in a long list of secrets which I will, for obvious reasons, not share here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mhausenblas @ibuildthecloud @kenlavoie