[EKS] [request]: Incorrect Access Policy created for AWS-managed windows node group with custom AMI

[iancward]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request AWS-managed Windows node group with custom AMI/launch template doesn't get correct permissions when Access Policies are enabled in cluster.

Which service(s) is this request for? EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? We're trying to adopt Access Entries for EKS and we've found that, when creating an AWS-managed Windows node group, the Access Policy is created as "EC2 Linux" rather than "EC2 Windows." The result is that the node doesn't get appropriate cluster permissions and kube-proxy throws errors.

Are you currently working around this issue? We're working around this by creating the Access Policy entry prior to creating the node group.

[mikestef9]

This is a known limitation, and the workaround you are doing is correct. It's impossible for EKS to know if a custom AMI is going to be used in a Linux or Windows node group. We guess Linux since it's by the far the most commonly used OS type. This problem exists whether you are using aws-auth config map, or access entry, it's not a new problem introduced with access entry.