Closed: avaussant closed this issue 3 years ago
@avaussant Thanks for the report! I'm going to take a look at this as soon as possible. I believe we're currently looking at loading a service key directly from the secret. I think yielding to another AWS auth mechanism won't be a problem, but I'll investigate further and let you know.
Thanks for the answer, I appreciate it 👍
@avaussant I've just added a PR for changes related to authentication here: https://github.com/kubecost/cluster-turndown/pull/29
Also, I've cut a new image snapshot here: gcr.io/kubecost1/cluster-turndown:1.3-SNAPSHOT
If you want to try and update the yaml descriptor and see if this moves you forward any, please feel free :)
One quick note: you should also be able to remove the secret volumeMount and volume from the yaml. Alternatively, you can just add a secret with an empty file. If the service-key.json fails to load or parse, the turndown will still continue with "chained auth" (which I believe works with the dedicated policy).
Let me know if you have any more problems with this. Thanks again for the feedback!
@mbolt35 Thanks a lot I will test the snapshot today and give you an update 👍👍👍👍👍👍
After my test, there is an error @mbolt35:

I0619 11:16:17.383715 1 main.go:118] Running Kubecost Turndown on: ip-XX-XX-XX-XX.ec2.internal
I0619 11:16:17.404401 1 clusterprovider.go:95] Found ProviderID starting with "aws", using AWS Provider
I0619 11:16:17.409508 1 awsclusterprovider.go:1035] [Warning] Failed to load valid access key from secret. Err=Failed to locate service account file: /var/keys/service-key.json
I0619 11:16:17.414705 1 provider.go:63] Found ProviderID starting with "aws", using AWS Provider
I0619 11:16:17.414721 1 validator.go:41] Validating Provider...
I0619 11:16:23.669140 1 validator.go:27] [Error]: Failed to load node groups: NoCredentialProviders: no valid providers in chain
caused by: EnvAccessKeyNotFound: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY not found in environment
SharedCredsLoad: failed to load shared credentials file
caused by: FailedRead: unable to open file
caused by: open /root/.aws/credentials: no such file or directory
EC2RoleRequestError: no EC2 instance role found
caused by: RequestError: send request failed
caused by: Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
I0619 11:16:23.669157 1 validator.go:31] Retrying (4 remaining) in 10 seconds...
I0619 11:16:36.837234 1 validator.go:27] [Error]: Failed to load node groups: NoCredentialProviders: no valid providers in chain
caused by: EnvAccessKeyNotFound: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY not found in environment
SharedCredsLoad: failed to load shared credentials file
caused by: FailedRead: unable to open file
caused by: open /root/.aws/credentials: no such file or directory
EC2RoleRequestError: no EC2 instance role found
caused by: RequestError: send request failed
caused by: Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
I0619 11:16:36.837249 1 validator.go:31] Retrying (3 remaining) in 10 seconds...
I0619 11:16:49.953491 1 validator.go:27] [Error]: Failed to load node groups: NoCredentialProviders: no valid providers in chain
My deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: cluster-turndown
  namespace: turndown
spec:
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  selector:
    matchLabels:
      app: cluster-turndown
  template:
    metadata:
      namespace: turndown
      labels:
        app: cluster-turndown
    spec:
      containers:
and the service account
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXXXXXXXXX:role/eksctl-ava-test-sample-project-addon-iamserv-Role1-1XGZ3NLDQHXJM
  creationTimestamp: "2020-06-19T09:45:20Z"
  labels:
    aws-usage: cluster-ops
  name: cluster-turndown
  namespace: turndown
  resourceVersion: "165919"
  selfLink: /api/v1/namespaces/turndown/serviceaccounts/cluster-turndown
  uid: e8c3ba97-4329-407b-addd-92b19da7f4b8
secrets:
I have attached the policy documented for this service account (the policy provided in the README.md).
We don't use the metadata path directly; our custom apps use the SDK instead, since direct metadata access is forbidden for us.
I will retry with a basic EKS cluster, without any node group customization.
@avaussant On another ticket, we realized that the permissions we have documented for AWS require some additional EKS permissions if you're using EKS. Specifically, the following:
{
    "Effect": "Allow",
    "Action": [
        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "eks:CreateNodegroup",
        "eks:UpdateClusterConfig",
        "eks:UpdateNodegroupConfig",
        "eks:DeleteNodegroup",
        "eks:ListTagsForResource",
        "eks:TagResource",
        "eks:UntagResource"
    ],
    "Resource": "*"
}
These would be in addition to the AutoScalingFullAccess permissions from our documentation. To explain why this is necessary: we use the EKS API for most of the implementation; however, the EKS API does not allow us to resize a node group to 0. To properly resize a node group to 0, we locate the backing AutoScalingGroup and resize that to 0 (the EKS nodegroup will eventually synchronize). So unfortunately you need the AutoScalingFullAccess permission defined in our documentation as well as the permissions above.
Does this help move the needle at all?
Hey @avaussant just wanted to let you know I'm going to look into this ASAP. Apologies for the delay!
No worries, I need to switch to Redis topics for 2 weeks, so take your time ;)
Should be resolved in latest release (v1.2.2)
Would like to know if there is an update on the OIDC authentication? Thank you.
@angelwcrypto it's actively under development and currently expected in our next release!
@AdamStack18 can you please link a tracking bug?
> Would like to know if there is an update on the OIDC authentication? Thank you.
@angelwcrypto is this a question about OIDC authentication support in cluster-turndown? Or in Kubecost more generally?
@michaelmdresser It is OIDC authentication support in cluster-turndown, thanks
I have created another issue, as the AWS access key ID and secret access key don't seem to be working properly either: https://github.com/kubecost/cluster-turndown/issues/51
@kaelanspatel, Getting this on your radar related to your OIDC work in the upcoming release (v1.95). https://github.com/kubecost/cost-analyzer-helm-chart/issues/1371
Hi team, I'm interested in your project, but on our side we don't use hardcoded credentials or technical accounts with credentials. We prefer to use a service account linked to a dedicated policy on AWS.
I have tried to use cluster-turndown, but without credentials it refuses to execute the scale-down. After a quick review of the Go code, I see that AWS credentials are required.
Do you have a solution to skip this requirement for this use case with the AWS provider?
Thanks a lot in advance, Alexandre