eksctl-io / eksctl

The official CLI for Amazon EKS
https://eksctl.io

Cannot delete an iamserviceaccount without using a config file #1466

Closed dlespiau closed 4 years ago

dlespiau commented 5 years ago

What happened?

I've created an iamserviceaccount successfully with:

./eksctl create iamserviceaccount --cluster=$CLUSTER_NAME --name=myname --namespace=default --attach-policy-arn=arn:aws:iam::$AWS_ACCOUNT:policy/eksctl --approve

However, when trying to delete it, eksctl doesn't do anything:

$ ./eksctl delete iamserviceaccount --cluster default-values --name myname  
[ℹ]  using region eu-west-2
[ℹ]  1 iamserviceaccount (default/myname) was included (based on the include/exclude rules)
[ℹ]  no tasks

What you expected to happen?

I would expect eksctl to delete the stack and Kubernetes service account.

How to reproduce it?

Steps are included in the bug description.

Anything else we need to know? What OS are you using, are you using a downloaded binary or did you compile eksctl, what type of AWS credentials are you using (i.e. default/named profile, MFA) - please don't include actual credentials though!

Versions Please paste in the output of these commands:

$ eksctl version
$ kubectl version
$ ./eksctl version
[ℹ]  version.Info{BuiltAt:"1571399361", GitCommit:"0.2.0-445-g1a38ee06-dirty", GitTag:""}

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:11:31Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.10-eks-5ac0f1", GitCommit:"5ac0f1d9ab2c254ea2b0ce3534fd72932094c6e1", GitTreeState:"clean", BuildDate:"2019-08-20T22:39:46Z", GoVersion:"go1.11.13", Compiler:"gc", Platform:"linux/amd64"}

Logs

2019-10-21T15:33:01+01:00 [ℹ]  using region eu-west-2
2019-10-21T15:33:02+01:00 [▶]  role ARN for the current session is "arn:aws:sts::xxx:assumed-role/AdministratorAccess/damien@weave.works"
2019-10-21T15:33:02+01:00 [▶]  cluster = {
  Arn: "arn:aws:eks:eu-west-2:xxx:cluster/default-values",
  CertificateAuthority: {
    Data: "xxx"
  },
  CreatedAt: 2019-10-17 09:54:56 +0000 UTC,
  Endpoint: "https://xxx.sk1.eu-west-2.eks.amazonaws.com",
  Identity: {
    Oidc: {
      Issuer: "https://oidc.eks.eu-west-2.amazonaws.com/id/xxx"
    }
  },
  Logging: {
    ClusterLogging: [{
        Enabled: false,
        Types: [
          "api",
          "audit",
          "authenticator",
          "controllerManager",
          "scheduler"
        ]
      }]
  },
  Name: "default-values",
  PlatformVersion: "eks.4",
  ResourcesVpcConfig: {
    EndpointPrivateAccess: false,
    EndpointPublicAccess: true,
    SecurityGroupIds: ["sg-00cec3f4ba1bb3eda"],
    SubnetIds: [
      "subnet-0bfe2ad53cd6e0a5f",
      "subnet-032068e0e9c1fcb88",
      "subnet-0eba0787f1cdbc63d",
      "subnet-03400a524ae03ab17",
      "subnet-03ac8ea6b102a29c7",
      "subnet-030c787a98955b095"
    ],
    VpcId: "vpc-0e7e0776b8d2e118c"
  },
  RoleArn: "arn:aws:iam::xxx:role/eksctl-default-values-cluster-ServiceRole-1O7R4BM3TD0X8",
  Status: "ACTIVE",
  Version: "1.13"
}
2019-10-21T15:33:03+01:00 [ℹ]  1 iamserviceaccount (default/myname) was included (based on the include/exclude rules)
2019-10-21T15:33:03+01:00 [▶]  iamserviceaccounts = [{
  Capabilities: ["CAPABILITY_IAM"],
  CreationTime: 2019-10-21 14:08:39.092 +0000 UTC,
  Description: "IAM role for serviceaccount \"default/eksctlcontroller\" [created and managed by eksctl]",
  DisableRollback: false,
  DriftInformation: {
    StackDriftStatus: "NOT_CHECKED"
  },
  EnableTerminationProtection: false,
  Outputs: [{
      OutputKey: "Role1",
      OutputValue: "arn:aws:iam::xxx:role/eksctl-default-values-addon-iamserviceaccoun-Role1-UEIQC09L953F"
    }],
  RollbackConfiguration: {

  },
  StackId: "arn:aws:cloudformation:eu-west-2:xxx:stack/eksctl-default-values-addon-iamserviceaccount-default-eksctlcontroller/47aac6b0-f40c-11e9-b241-0aea06869730",
  StackName: "eksctl-default-values-addon-iamserviceaccount-default-eksctlcontroller",
  StackStatus: "CREATE_COMPLETE",
  Tags: [{
      Key: "alpha.eksctl.io/cluster-name",
      Value: "default-values"
    },{
      Key: "eksctl.cluster.k8s.io/v1alpha1/cluster-name",
      Value: "default-values"
    },{
      Key: "alpha.eksctl.io/iamserviceaccount-name",
      Value: "default/eksctlcontroller"
    }]
}]
2019-10-21T15:33:03+01:00 [▶]  cfg.json = \
{
    "kind": "ClusterConfig",
    "apiVersion": "eksctl.io/v1alpha5",
    "metadata": {
        "name": "default-values",
        "region": "eu-west-2",
        "version": "1.13"
    },
    "iam": {
        "withOIDC": true,
        "serviceAccounts": [
            {
                "metadata": {
                    "name": "myname",
                    "namespace": "default",
                    "creationTimestamp": null
                },
                "attachPolicyARNs": [
                    ""
                ]
            }
        ]
    },
    "vpc": {
        "cidr": "192.168.0.0/16",
        "autoAllocateIPv6": false,
        "nat": {
            "gateway": "Single"
        }
    },
    "cloudWatch": {
        "clusterLogging": {}
    },
    "status": {
        "endpoint": "https://xxx.sk1.eu-west-2.eks.amazonaws.com",
        "certificateAuthorityData": "xxx",
        "arn": "arn:aws:eks:eu-west-2:xxx:cluster/default-values"
    }
}

2019-10-21T15:33:03+01:00 [ℹ]  no tasks
2019-10-21T15:33:03+01:00 [▶]  no actual tasks

dlespiau commented 5 years ago

I think this may be due to filtering based on the config value IAM values but here I'm not using a config file, just the command line.

whereisaaron commented 5 years ago

Related issue is every iamserviceaccount is a whole separate CF stack: https://github.com/weaveworks/eksctl/issues/1467

I think eksctl create/delete iamserviceaccount should be refactored to add/remove JSON entries from one stack template. Same for config file.

cPu1 commented 4 years ago

This is no longer reproducible. One thing to note is that when using CLI options, the --namespace option defaults to default, so if the service account was created in a different namespace, the filter would fail to match and, as a result, the deletion would not proceed.

KODURU400 commented 2 years ago

> This is no longer reproducible. One thing to note is that when using CLI options, the --namespace option defaults to default, so if the service account was created in a different namespace, the filter would fail to match and, as a result, the deletion would not proceed.

It worked. Thank You

punitporwal07 commented 1 year ago

After giving --namespace I am able to delete the iamserviceaccount, e.g.:

$ eksctl delete iamserviceaccount --cluster MyCluster --name adot-collector --namespace=fargate-container-insights
2023-01-28 18:28:19 [ℹ]  1 iamserviceaccount (fargate-container-insights/adot-collector) was included (based on the include/exclude rules)
2023-01-28 18:28:20 [ℹ]  1 task: { 
    2 sequential sub-tasks: { 
        delete IAM role for serviceaccount "fargate-container-insights/adot-collector" [async],
        delete serviceaccount "fargate-container-insights/adot-collector",
    } }
2023-01-28 18:28:20 [ℹ]  will delete stack "eksctl-MyCluster-addon-iamserviceaccount-fargate-container-insights-adot-collector"
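
A sketch of the namespace/name match described in this thread, added here as an example and not eksctl's own code: it finds service account stacks by the `alpha.eksctl.io/iamserviceaccount-name` tag shown in the debug log and reports where a name actually lives when the default namespace misses. The stack records are constructed, `stack`, `service_accounts` and `plan_delete` are hypothetical helper names, and exact matching on "namespace/name" is an assumption.

```python
# Tag keys copied from the debug log on this page.
CLUSTER_TAG = "alpha.eksctl.io/cluster-name"
SA_TAG = "alpha.eksctl.io/iamserviceaccount-name"


def stack(cluster, sa, status="CREATE_COMPLETE"):
    """Constructed stack record, shaped like the entry in the debug log."""
    return {
        "StackName": f"eksctl-{cluster}-addon-iamserviceaccount-{sa.replace('/', '-')}",
        "StackStatus": status,
        "Tags": [{"Key": CLUSTER_TAG, "Value": cluster},
                 {"Key": SA_TAG, "Value": sa}],
    }


# Constructed inventory; kube-system/aws-node is an invented extra entry.
SAMPLE_STACKS = [
    stack("default-values", "default/eksctlcontroller"),
    stack("MyCluster", "fargate-container-insights/adot-collector"),
    stack("MyCluster", "kube-system/aws-node"),
]


def service_accounts(stacks, cluster):
    """Map "namespace/name" to stack name for one cluster's existing stacks."""
    found = {}
    for s in stacks:
        tags = {t["Key"]: t["Value"] for t in s.get("Tags", [])}
        if (tags.get(CLUSTER_TAG) == cluster and SA_TAG in tags
                and s.get("StackStatus") != "DELETE_COMPLETE"):
            found[tags[SA_TAG]] = s["StackName"]
    return found


def plan_delete(stacks, cluster, name, namespace="default"):
    """Assumed model of the filter: match on the exact "namespace/name"."""
    accounts = service_accounts(stacks, cluster)
    wanted = f"{namespace}/{name}"
    return {
        "stack": accounts.get(wanted),  # None corresponds to "no tasks"
        # Same name under another namespace: the likely intended target.
        "other_namespaces": sorted(
            k for k in accounts if k != wanted and k.split("/", 1)[1] == name),
        "known": sorted(accounts),
    }


if __name__ == "__main__":
    print(plan_delete(SAMPLE_STACKS, "MyCluster", "adot-collector"))
```

For the original report's inputs (`default-values`, `myname`), the model returns no stack and lists only `default/eksctlcontroller`, the one service account stack the debug log shows for that cluster.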