Unable to access eks cluster from ec2 instance

Hi,

I have created an EKS cluster on version 1.29 using Terraform.
Now, to manage the cluster, I have deployed an EC2 instance in the same VPC/subnet as the EKS cluster and installed the kubectl utility on the EC2 instance.

Now when I run

aws eks --region us-east-1 update-kubeconfig --name <eks_cluster_name>

I am not able to get the kubeconfig, and I am not able to fetch the cluster either.

Looks like some aws_auth config map needs to be fixed.
Can someone guide me on how to fix this issue and what extra configuration needs to be done?

Regards
Nitish Patni

You probably have to give IAM permission to the instance which can access the cluster.
I worked on something similar in the past.

So after making these changes, if I do

aws eks --region us-east-1 update-kubeconfig --name <eks_cluster_name>

will it work?

Don't I need to update the aws-auth config map in mapUsers with my AWS account ID?

Please note that my whole cluster is on a private, non-routable subnet without NAT and IGW.

Hi, I tried but it's not working.
Getting "forbidden: User system:anonymous cannot get path" when trying to curl the API endpoint.

I still feel something needs to be done in the aws-auth config file, but I am not able to understand how to fix it.

Hi,

The auth config map you’re referring to is for node authentication of unmanaged node groups. Even if you did have it, you can’t apply it without kubectl working in the first place.

The aws eks update-kubeconfig command should be all that’s required to get a working kubeconfig.

You may like to compare and contrast how I prepared the EKS build for KodeKloud playground with your own. It is here.

Thanks Alistair, but can you explain to me the need for this:

user_data = base64encode(<<EOF
#!/bin/bash
set -o xtrace
# join this node to the cluster
/etc/eks/bootstrap.sh ${var.cluster_name}
# report the bootstrap exit code back to the CloudFormation stack
/opt/aws/bin/cfn-signal --exit-code $? \
  --stack ${var.cluster_name}-stack \
  --resource NodeGroup \
  --region us-east-1
EOF
)
}

??

When I am trying to curl the API endpoint from my EC2 node

curl https://xxxxxxxxxxxxxxxxxxx.y14.eu-west-1.eks.amazonaws.com

I am getting the error below:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}

How to fix this, any idea?

Strangely, I never faced such an issue before; this is the first time I'm getting all such errors.

Please note: my EKS cluster is private, without NAT and IGW. All worker nodes also don't have internet.

Regards
Nitish Patni

Because this cluster is using unmanaged node groups as is required in KK playground, this userdata invokes a script to join the node to the cluster.

You cannot curl the API server directly without authentication. Either certificates or a bearer token must be provided - neither of which you will have unless you have successfully generated a kubeconfig.


A few points about my cluster deployment:

  1. 3-node EKS cluster on version 1.29
  2. Deployment done using Terraform
  3. There is no internet (no NAT gateway, no IGW)
  4. Endpoints were created
  5. cluster_private_endpoint_access enabled
  6. To access the cluster, deployed an EC2 instance (as this instance also doesn't have internet, pulled the kubectl and helm utilities from an S3 bucket)

Now, as per another project with the same kind of infrastructure, they have used the aws-auth config map,

so I deployed the same,

but now I'm getting the error below:

post https://endpoint/api/v1/namespaces/kube-system/configmaps service unavailable

Can you guide me on how to fix this?

even though I have configured the aws-auth config map.

Uploading snips of my config one by one.

NOTE: screenshot 1 is not commented, so ignore the hash.

I would really need to see the whole Terraform and build the cluster myself to work out what is wrong with it.
If it is on a public GitHub somewhere, I can do that, but it won't be immediate as I have a lot on this weekend.

Hi ,

Thanks, somehow I managed to fix the issue of the EC2 node not being able to execute kubectl commands and get the kubeconfig. The issue was with the EKS endpoint.

But the "https://endpoint/api/v1/namespaces/kube-system/configmaps service unavailable" issue still persists.

The scripts are not available on a public hub, else I would have shared them with you.
But I am sure a 10-20 min call with you would fix this issue.

I guess it's just a small issue and I am missing something very small.

Can you spare some time today please?

Regards
Nitish Patni

If the scripts are not your own personal work, then this suggests they belong to your employer or to some third party who has employed you to do a job for them.

We cannot involve ourselves in issues related to people's employment because

  1. That’s not what we are really here for. Our primary function is to assist with issues related to KodeKloud labs and courses. We help with unrelated queries where we can and there is not a risk of conflict with…
  2. There are potential legal issues if advice given causes an incident in your place of employment.

Either way, the owner of the AWS account you are working in should have a support agreement, and you can get AWS support on a call to sort it out.

Hi @Alistair_KodeKloud ,

I completely understand your point, and I don't want you to look into the scripts, but I was hoping to get some troubleshooting ideas and places to check over a call of 10-20 mins, if that is allowed.

I fixed the EC2 access issue along with service-unavailable on k8s version 1.29.

I wanted to know the following things:

  1. Is the configmap access mode going to be deprecated, and is it best to use API_AND_CONFIGMAP?
  2. For k8s 1.29, what is the best provider version (aws, kubernetes, helm)?
  3. Using TF, can I override the configmap and give permission to the user ARN shown in aws sts get-caller-identity?

I’m afraid we don’t do calls. We’re not a helpdesk.

  1. The current guidance would appear to favor API_AND_CONFIGMAP.
  2. Not sure what you mean. Helm is not a provider, it is a package installer.
  3. No reason why you can’t express the current version of the configmap as a terraform resource, plug variables into it and push it using the terraform kubernetes provider. I have not tried this myself.
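This is how point 3 above (together with the earlier suggestion in the thread to give the instance IAM permission) could look in Terraform; it is an added example, not code from the thread or from the KodeKloud playground build. The names aws_iam_role.kubectl_host, aws_iam_role.node, aws_eks_cluster.this and var.region are assumed; it also assumes the cluster is in CONFIG_MAP access mode and that Terraform runs as the identity that created the cluster.

```hcl
# Added example (not the thread's code). Assumed names: aws_iam_role.kubectl_host,
# aws_iam_role.node, aws_eks_cluster.this, var.region.
resource "aws_iam_role_policy" "kubectl_host_eks" {
  name = "eks-describe-cluster"
  role = aws_iam_role.kubectl_host.id
  policy = jsonencode({   # the only AWS-side permission update-kubeconfig needs
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["eks:DescribeCluster"]
      Resource = aws_eks_cluster.this.arn
    }]
  })
}
# Terraform authenticates as the cluster creator, who is admin on a CONFIG_MAP-mode cluster.
provider "kubernetes" {
  host                   = aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(aws_eks_cluster.this.certificate_authority[0].data)
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", aws_eks_cluster.this.name, "--region", var.region]
  }
}
# Own only the mapRoles key. force = true overwrites it, so the node role must be listed
# too or unmanaged nodes can no longer join.
resource "kubernetes_config_map_v1_data" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }
  force = true
  data = {
    mapRoles = yamlencode([
      {
        rolearn  = aws_iam_role.node.arn
        username = "system:node:{{EC2PrivateDNSName}}"
        groups   = ["system:bootstrappers", "system:nodes"]
      },
      {
        rolearn  = aws_iam_role.kubectl_host.arn
        username = "kubectl-host"
        groups   = ["eks-operators"]  # bind via RBAC; avoid system:masters (cluster-admin)
      },
    ])
  }
}
```

After apply, `aws eks update-kubeconfig` on the instance succeeds and kubectl acts as user `kubectl-host` in group `eks-operators`, which still needs a RoleBinding or ClusterRoleBinding before it can do anything.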

Thanks @Alistair_KodeKloud, the info helps. Will fix the configmap via TF.