edgebitio / enclaver

Open source toolkit created to enable easy adoption of software enclaves
https://edgebit.io/enclaver
Apache License 2.0
137 stars 13 forks

Add EKS node group CloudFormation #113

Closed robszumski closed 1 year ago

robszumski commented 1 year ago

The CloudFormation sets up all of the required infrastructure to add a set of Nodes with Nitro Enclaves enabled and ready for Kubernetes.

It allows IAM access to the S3 bucket and KMS key that is used by the example No-Fly List app.

This PR also removes the proposed scheduler and device management. I don't think this is needed because the anti-affinity by node hostname + label query to select nitro nodes works really well. Cluster autoscalers should react to the pending nodes just fine.
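As an added illustration (not a manifest from this PR or the enclaver repo), here is the scheduling approach the comment describes expressed as a Deployment: a nodeSelector on a node label for Nitro-enabled nodes plus pod anti-affinity keyed on kubernetes.io/hostname, so no two enclave pods share a node. The label key `enclaver.io/nitro-enclaves` and the image name are assumptions.

```yaml
# Added example, not part of the enclaver project.
# The node label "enclaver.io/nitro-enclaves: enabled" is an assumed name;
# substitute whatever label the node group applies to Nitro-enabled nodes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: no-fly-list
spec:
  replicas: 2
  selector:
    matchLabels:
      app: no-fly-list
  template:
    metadata:
      labels:
        app: no-fly-list
    spec:
      # Only schedule onto nodes labelled as Nitro Enclaves capable.
      nodeSelector:
        enclaver.io/nitro-enclaves: "enabled"
      affinity:
        podAntiAffinity:
          # Hard rule: never place two enclave pods on the same hostname,
          # so each pod has the node's enclave capacity to itself.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: no-fly-list
              topologyKey: kubernetes.io/hostname
      containers:
        - name: app
          image: registry.example.com/no-fly-list:latest  # placeholder image
          ports:
            - containerPort: 8080
```

With the required anti-affinity rule, any replica that cannot find a free Nitro node stays Pending, which is the signal a cluster autoscaler uses to add another node to the group.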

robszumski commented 1 year ago

I included 129c4aa in here because I believe that some AWS accounts can benefit from the IAM role used for EKS. Basically, it allows the requester to have access to fetch the objects that are either already public (encrypted S3 object) or protected by a PCR policy.

russellhaering commented 1 year ago

I still don't really get 129c4aa, but if it fixes the problem let's ship it now and sort it out later.

robszumski commented 1 year ago

@russellhaering I am not an expert, and the error messages are so generic, but I think it's this:

When you make a cross-account request, AWS performs two evaluations. AWS evaluates the request in the trusting account and the trusted account. For more information about how a request is evaluated within a single account, see Determining whether a request is allowed or denied within an account. The request is allowed only if both evaluations return a decision of Allow.