eksctl-io / eksctl

The official CLI for Amazon EKS
https://eksctl.io

Actions/Condition can contain only one colon #2794

Closed hryamzik closed 3 years ago

hryamzik commented 3 years ago

What happened? A description of actual behavior (with error messages).

I get the following error creating a cluster with eksctl create cluster -f my-cluster.yaml:

[ℹ]  deploying stack "eksctl-my-lovely-k8s-cluster-addon-iamserviceaccount-kube-system-alb-ingress-controller"
[✖]  unexpected status "ROLLBACK_COMPLETE" while waiting for CloudFormation stack "eksctl-my-lovely-k8s-cluster-addon-iamserviceaccount-kube-system-alb-ingress-controller"
[ℹ]  fetching stack events in attempt to troubleshoot the root cause of the failure
[!]  AWS::IAM::Role/Role1: DELETE_IN_PROGRESS
[!]  AWS::IAM::Policy/Policy1: DELETE_IN_PROGRESS
[✖]  AWS::IAM::Policy/Policy1: CREATE_FAILED – "Actions/Condition can contain only one colon. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: *******; Proxy: null)"
[!]  1 error(s) occurred and cluster hasn't been created properly, you may wish to check CloudFormation console
[ℹ]  to cleanup resources, run 'eksctl delete cluster --region=us-west-2 --name=my-lovely-k8s-cluster'
[✖]  waiting for CloudFormation stack "eksctl-my-lovely-k8s-cluster-addon-iamserviceaccount-kube-system-alb-ingress-controller": ResourceNotReady: failed waiting for successful resource state
Error: failed to create cluster "my-lovely-k8s-cluster"

Here's the configuration:

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: my-lovely-k8s-cluster
  region: us-west-2

iam:
  withOIDC: true
  serviceAccounts:

  - metadata:
      name: external-dns
      namespace: kube-system
    attachPolicy:
      Version: "2012-10-17"
      Statement:
      - Effect: Allow
        Action:
        - "route53:ChangeResourceRecordSets"
        Resource: 'arn:aws:route53:::hostedzone/*'
      - Effect: Allow
        Action:
        - "route53:ListHostedZones"
        - "route53:ListResourceRecordSets"
        Resource: '*'

  - metadata:
      name: alb-ingress-controller
      namespace: kube-system
      labels:
        app.kubernetes.io/name: alb-ingress-controller
    attachPolicy:
      Version: "2012-10-17"
      Statement:
      - Effect: Allow
        Action:
          - "acm:DescribeCertificate"
          - "acm:ListCertificates"
          - "acm:GetCertificate"
        Resource: '*'
      - Effect: Allow
        Action:
          - "ec2:AuthorizeSecurityGroupIngress"
          - "ec2:CreateSecurityGroup"
          - "ec2:CreateTags"
          - "ec2:DeleteTags"
          - "ec2:DeleteSecurityGroup"
          - "ec2:DescribeAccountAttributes"
          - "ec2:DescribeAddresses"
          - "ec2:DescribeInstances"
          - "ec2:DescribeInstanceStatus"
          - "ec2:DescribeInternetGateways"
          - "ec2:DescribeNetworkInterfaces"
          - "ec2:DescribeSecurityGroups"
          - "ec2:DescribeSubnets"
          - "ec2:DescribeTags"
          - "ec2:DescribeVpcs"
          - "ec2:ModifyInstanceAttribute"
          - "ec2:ModifyNetworkInterfaceAttribute"
          - "ec2:RevokeSecurityGroupIngress"
        Resource: '*'
      - Effect: Allow
        Action:
          - "elasticloadbalancing:AddListenerCertificates"
          - "elasticloadbalancing:AddTags"
          - "elasticloadbalancing:CreateListener"
          - "elasticloadbalancing:CreateLoadBalancer"
          - "elasticloadbalancing:CreateRule"
          - "elasticloadbalancing:CreateTargetGroup"
          - "elasticloadbalancing:DeleteListener"
          - "elasticloadbalancing:DeleteLoadBalancer"
          - "elasticloadbalancing:DeleteRule"
          - "elasticloadbalancing:DeleteTargetGroup"
          - "elasticloadbalancing:DeregisterTargets"
          - "elasticloadbalancing:DescribeListenerCertificates"
          - "elasticloadbalancing:DescribeListeners"
          - "elasticloadbalancing:DescribeLoadBalancers"
          - "elasticloadbalancing:DescribeLoadBalancerAttributes"
          - "elasticloadbalancing:DescribeRules"
          - "elasticloadbalancing:DescribeSSLPolicies"
          - "elasticloadbalancing:DescribeTags"
          - "elasticloadbalancing:DescribeTargetGroups"
          - "elasticloadbalancing:DescribeTargetGroupAttributes"
          - "elasticloadbalancing:DescribeTargetHealth"
          - "elasticloadbalancing:ModifyListener"
          - "elasticloadbalancing:ModifyLoadBalancerAttributes"
          - "elasticloadbalancing:ModifyRule"
          - "elasticloadbalancing:ModifyTargetGroup"
          - "elasticloadbalancing:ModifyTargetGroupAttributes"
          - "elasticloadbalancing:RegisterTargets"
          - "elasticloadbalancing:RemoveListenerCertificates"
          - "elasticloadbalancing:RemoveTags"
          - "elasticloadbalancing:SetIpAddressType"
          - "elasticloadbalancing:SetSecurityGroups"
          - "elasticloadbalancing:SetSubnets"
          - "elasticloadbalancing:SetWebAcl"
        Resource: '*'
      - Effect: Allow
        Action:
          - "iam:CreateServiceLinkedRole"
          - "iam:GetServerCertificate"
          - "iam:ListServerCertificates"
        Resource: '*'
      - Effect: Allow
        Action:
          - "cognito-idp:DescribeUserPoolClient"
        Resource: '*'
      - Effect: Allow
        Action:
          = "waf-regional:GetWebACLForResource"
          = "waf-regional:GetWebACL"
          = "waf-regional:AssociateWebACL"
          = "waf-regional:DisassociateWebACL"
        Resource: '*'
      - Effect: Allow
        Action:
          - "tag:GetResources"
          - "tag:TagResources"
        Resource: '*'
      - Effect: Allow
        Action:
          - "waf:GetWebACL"
        Resource: '*'
      - Effect: Allow
        Action:
          - "wafv2:GetWebACL"
          - "wafv2:GetWebACLForResource"
          - "wafv2:AssociateWebACL"
          - "wafv2:DisassociateWebACL"
        Resource: '*'
      - Effect: Allow
        Action:
          - "shield:DescribeProtection"
          - "shield:GetSubscriptionState"
          - "shield:DeleteProtection"
          - "shield:CreateProtection"
          - "shield:DescribeSubscription"
          - "shield:ListProtections"
        Resource: '*'

<...>

ALB ingress policy is copied from here

What you expected to happen?

Successful cluster creation with policies required for alb and external DNS.

How to reproduce it?

Create a cluster with the command and configuration mentioned above.

Versions: Please paste in the output of these commands:

$ eksctl version
0.30.0
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.8", GitCommit:"9f2892aab98fe339f3bd70e3c470144299398ace", GitTreeState:"clean", BuildDate:"2020-08-13T16:12:48Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"darwin/amd64"}

hryamzik commented 3 years ago

Nvm, figured that out

hryamzik commented 3 years ago

Just kidding, there was an issue in my yaml here:

      - Effect: Allow
        Action:
          = "waf-regional:GetWebACLForResource"
          = "waf-regional:GetWebACL"
          = "waf-regional:AssociateWebACL"
          = "waf-regional:DisassociateWebACL"
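The root cause above is worth catching before CloudFormation ever sees the policy: a YAML list written with `=` instead of `-` is not a list at all; the parser folds those lines into one plain scalar string, so IAM receives a single "action" holding four colons and rejects it with exactly the error in the issue. The pre-flight check below is an added example, not part of this issue or of eksctl. It walks `iam.serviceAccounts[].attachPolicy` in a ClusterConfig and flags any Action entry that is not `<service-prefix>:<ActionName>` (the regex is my own assumption about the IAM action grammar). `SAMPLE_CONFIG` is a constructed, abbreviated dict shaped the way `yaml.safe_load()` renders the config from the issue, with the folded `=` string reproduced; in practice you would feed it the loaded YAML file instead.

```python
"""Pre-flight check for IAM policy documents in an eksctl ClusterConfig.

Every IAM action is "<service-prefix>:<ActionName>" (or the bare wildcard "*"),
so a valid entry has exactly one colon.  When a YAML list is written with "="
instead of "-", the parser folds the lines into ONE plain scalar string, and IAM
rejects it with "Actions/Condition can contain only one colon".  This walks
iam.serviceAccounts[].attachPolicy and reports such entries before a stack
rollback has to tell you.
"""
import re
from typing import Any, Dict, List

# Assumed action grammar: lowercase service prefix (hyphens allowed), a colon,
# then an action name that may end in a wildcard; "*" alone is also valid.
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$")


def statement_problems(policy: Dict[str, Any], where: str) -> List[str]:
    """Return human-readable findings for malformed Action entries in one policy."""
    problems: List[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # IAM allows a single statement object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        actions = stmt.get("Action", stmt.get("NotAction"))
        if actions is None:
            problems.append(f"{where} statement {idx}: no Action or NotAction")
            continue
        if isinstance(actions, str):      # a single action may be a bare string
            actions = [actions]
        for action in actions:
            text = str(action)
            if not ACTION_RE.match(text):
                problems.append(
                    f"{where} statement {idx}: malformed action {text!r} "
                    f"({text.count(':')} colons; expected exactly one)"
                )
    return problems


def check_cluster_config(config: Dict[str, Any]) -> List[str]:
    """Check every attachPolicy under iam.serviceAccounts in a ClusterConfig."""
    problems: List[str] = []
    for sa in config.get("iam", {}).get("serviceAccounts", []) or []:
        meta = sa.get("metadata", {})
        where = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
        policy = sa.get("attachPolicy")
        if policy:
            problems.extend(statement_problems(policy, where))
    return problems


# Constructed sample: the shape yaml.safe_load() gives for the issue's config,
# abbreviated.  The "=" lines fold into one string, which is the defect.
SAMPLE_CONFIG: Dict[str, Any] = {
    "apiVersion": "eksctl.io/v1alpha5",
    "kind": "ClusterConfig",
    "metadata": {"name": "my-lovely-k8s-cluster", "region": "us-west-2"},
    "iam": {
        "withOIDC": True,
        "serviceAccounts": [
            {
                "metadata": {"name": "external-dns", "namespace": "kube-system"},
                "attachPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Effect": "Allow",
                         "Action": ["route53:ChangeResourceRecordSets"],
                         "Resource": "arn:aws:route53:::hostedzone/*"},
                    ],
                },
            },
            {
                "metadata": {"name": "alb-ingress-controller", "namespace": "kube-system"},
                "attachPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Effect": "Allow",
                         "Action": ["acm:DescribeCertificate", "acm:ListCertificates"],
                         "Resource": "*"},
                        {"Effect": "Allow",
                         # "=" instead of "-": one folded scalar with four colons
                         "Action": '= "waf-regional:GetWebACLForResource" '
                                   '= "waf-regional:GetWebACL" '
                                   '= "waf-regional:AssociateWebACL" '
                                   '= "waf-regional:DisassociateWebACL"',
                         "Resource": "*"},
                        {"Effect": "Allow", "Action": ["wafv2:GetWebACL"], "Resource": "*"},
                    ],
                },
            },
        ],
    },
}


if __name__ == "__main__":
    for line in check_cluster_config(SAMPLE_CONFIG) or ["no malformed actions found"]:
        print(line)
```

Running it on the sample reports one finding, for statement 1 of `kube-system/alb-ingress-controller`, naming the folded string and its four colons; the well-formed entries in both service accounts pass. Because the check runs on the parsed document rather than the YAML text, it also catches the same class of mistake arriving by other routes (a bare string where a list was meant, or a Statement written as a single object), which is why it normalises those shapes instead of rejecting them.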