Open MayureshGharat opened 1 year ago
Setting the K8s version to 1.21 explicitly does not face this issue:
import * as eks from "@pulumi/eks";

// name, clusterName and workloadsVpc are defined elsewhere in the program.
const cluster = new eks.Cluster(name, {
  version: "1.21",
  name: clusterName,
  vpcId: workloadsVpc.id,
  privateSubnetIds: workloadsVpc.privateSubnetIds,
  publicSubnetIds: workloadsVpc.publicSubnetIds,
  desiredCapacity: 3,
  maxSize: 4,
  instanceType: "t3.medium",
  providerCredentialOpts: { profileName: process.env.AWS_PROFILE },
  createOidcProvider: true,
});
@MayureshGharat Thanks for reporting this issue in detail! Would you also be able to let me know what version of Kubernetes your cluster is on (since kubectl is not outputting that in your report)?
Could you also let me know what your path is in terms of using this Pulumi program? Was this something that had been previously working, then stopped working? Or is your setup completely new and you're trying to spin up a new EKS cluster?
@rquitales it was deploying 1.25 on AWS EKS by default.
I'm still looking through this issue, but wanted to provide some updates as well.
I was not able to recreate the error you faced with the code you've provided unfortunately. I've used your Pulumi code, and provided package.json to try and recreate the environment you have. I've also tried using the older version of the plugins/SDKs and simulated an update to no avail.
Here's my analysis of what appears to be happening from the logs you provided:
So for some reason, your Pulumi program appears to still be using an older Provider to spin up the cluster. resource mapping not found for name: "eniconfigs.crd.k8s.amazonaws.com" is given because on clusters with Kubernetes v1.22 and above, CRDs are now part of the apiextensions.k8s.io/v1 api version instead of apiextensions.k8s.io/v1beta1 which we used in the older pulumi-eks versions. When you run your program, it tries to apply the eniconfig CRD with version apiextensions.k8s.io/v1beta1, and this will fail to apply on Kubernetes v1.22 and higher. This ultimately results in failing to apply the actual eniconfig custom resources as well.
Setting the version explicitly to 1.21 works for you since Kubernetes v1.21 supports CRDs with api version of apiextensions.k8s.io/v1beta1. We'll need to see why your environment seems to still be using the older provider.
@MayureshGharat Could you help provide a bit more information about your environment:
pulumi about within your Pulumi code working directory. This way, we can get the versions of the plugins used.
ls ~/.pulumi/plugins.
cat node_modules/@pulumi/eks/cni/aws-k8s-cni.yaml
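The CRD API-version check described in the comment above can be run against a manifest such as node_modules/@pulumi/eks/cni/aws-k8s-cni.yaml before deploying. This is an added example, not code from pulumi-eks or from anyone in the thread; findCrds, its helpers and the sample manifest are constructed for illustration, and the regex-based reader assumes block-style YAML.

```typescript
// Added example (not pulumi-eks code): flag CRDs in a multi-document manifest
// whose apiVersion the target cluster does not serve.
interface CrdFinding { name: string; apiVersion: string; servable: boolean }

function parseMinor(clusterVersion: string): number {
  const m = /^v?1\.(\d+)/.exec(clusterVersion.trim());
  if (!m) throw new Error(`unrecognised Kubernetes version: ${clusterVersion}`);
  return parseInt(m[1], 10);
}

// Read a top-level (unindented) scalar such as apiVersion or kind.
function topLevel(doc: string, key: string): string | undefined {
  const m = new RegExp(`^${key}:[ \\t]*["']?([^"'#\\s]+)`, "m").exec(doc);
  return m ? m[1] : undefined;
}

// First `name:` indented under the top-level `metadata:` key.
function metadataName(doc: string): string {
  const m = /^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*["']?([^"'#\s]+)/m.exec(doc);
  return m ? m[1] : "<unnamed>";
}

function findCrds(manifest: string, clusterVersion: string): CrdFinding[] {
  const minor = parseMinor(clusterVersion);
  return manifest
    .split(/^---[ \t]*$/m)
    .filter((doc) => topLevel(doc, "kind") === "CustomResourceDefinition")
    .map((doc) => {
      const apiVersion = topLevel(doc, "apiVersion") ?? "<missing>";
      // v1beta1 is served through v1.21 and rejected from v1.22 (per the thread);
      // v1 has been served since v1.16 (not stated on the page).
      const servable =
        (apiVersion === "apiextensions.k8s.io/v1beta1" && minor < 22) ||
        (apiVersion === "apiextensions.k8s.io/v1" && minor >= 16);
      return { name: metadataName(doc), apiVersion, servable };
    });
}

// Constructed sample: the eniconfig CRD declared with the old API version.
const SAMPLE_OLD_MANIFEST = `apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-node
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: eniconfigs.crd.k8s.amazonaws.com
`;
```

Any finding with servable set to false on the target version means the manifest comes from a provider build that predates the CRD API change.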
Hi @rquitales thanks a lot for looking into this. Please find the requested details below:
CLI
Version 3.50.0
Go Version go1.19.4
Go Compiler gc
Plugins
NAME VERSION
nodejs unknown
Host
OS darwin
Version 13.2
Arch arm64
This project is written in nodejs: executable='/Users/mayureshgharat/.nvm/versions/node/v16.14.2/bin/node' version='v16.14.2'
Pulumi locates its logs in /var/folders/t6/zryv0n4s6wd5w39k8kqt8f880000gn/T/ by default
warning: Failed to get information about the Pulumi program's dependencies: could not find either /Users/mayureshgharat/usecache/Pulumi_latest/pulumi/infra/eks/yarn.lock or /Users/mayureshgharat/usecache/Pulumi_latest/pulumi/infra/eks/package-lock.json
warning: Could not access the backend: unable to check if bucket s3://cache-pulumi-ce18dab is accessible: blob (code=Unknown): MissingRegion: could not find region configuration
warning: A new version of Pulumi is available. To upgrade from version '3.50.0' to '3.60.1', run
$ brew upgrade pulumi
or visit https://pulumi.com/docs/reference/install/ for manual instructions and release notes.
resource-aws-v4.38.0 resource-aws-v5.10.0.lock resource-aws-v5.2.0 resource-aws-v5.9.1.lock resource-docker-v3.4.1 resource-kafka-v3.3.0.lock resource-kubernetes-v3.19.4
resource-aws-v4.38.0.lock resource-aws-v5.16.2 resource-aws-v5.2.0.lock resource-awsx-v1.0.2 resource-docker-v3.4.1.lock resource-kubernetes-v3.16.0 resource-kubernetes-v3.19.4.lock
resource-aws-v4.38.1 resource-aws-v5.16.2.lock resource-aws-v5.20.0 resource-awsx-v1.0.2.lock resource-docker-v3.5.0 resource-kubernetes-v3.16.0.lock resource-kubernetes-v3.21.2
resource-aws-v4.38.1.lock resource-aws-v5.17.0 resource-aws-v5.20.0.lock resource-docker-v3.1.0 resource-docker-v3.5.0.lock resource-kubernetes-v3.17.0 resource-kubernetes-v3.21.2.lock
resource-aws-v5.1.0 resource-aws-v5.17.0.lock resource-aws-v5.33.0 resource-docker-v3.1.0.lock resource-docker-v3.6.1 resource-kubernetes-v3.17.0.lock resource-kubernetes-v3.24.2
resource-aws-v5.1.0.lock resource-aws-v5.18.0 resource-aws-v5.33.0.lock resource-docker-v3.2.0 resource-docker-v3.6.1.lock resource-kubernetes-v3.18.1 resource-kubernetes-v3.24.2.lock
resource-aws-v5.1.2 resource-aws-v5.18.0.lock resource-aws-v5.9.0 resource-docker-v3.2.0.lock resource-eks-v0.37.1 resource-kubernetes-v3.18.1.lock
resource-aws-v5.1.2.lock resource-aws-v5.19.0 resource-aws-v5.9.0.lock resource-docker-v3.4.0 resource-eks-v0.37.1.lock resource-kubernetes-v3.18.2
resource-aws-v5.10.0 resource-aws-v5.19.0.lock resource-aws-v5.9.1 resource-docker-v3.4.0.lock resource-kafka-v3.3.0 resource-kubernetes-v3.18.2.lock
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aws-node
rules:
  - apiGroups:
      - crd.k8s.amazonaws.com
    resources:
      - eniconfigs
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
    verbs: ["list", "watch", "get"]
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - list
      - watch
      - get
      - update
  - apiGroups:
      - extensions
    resources:
      - "*"
    verbs:
      - list
      - watch
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-node
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aws-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aws-node
subjects:
  - kind: ServiceAccount
    name: aws-node
    namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: aws-node
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-node
    app.kubernetes.io/instance: aws-vpc-cni
    k8s-app: aws-node
    app.kubernetes.io/version: "v1.11.0"
spec:
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 10%
    type: RollingUpdate
  selector:
    matchLabels:
      k8s-app: aws-node
  template:
    metadata:
      labels:
        app.kubernetes.io/name: aws-node
        app.kubernetes.io/instance: aws-vpc-cni
        k8s-app: aws-node
    spec:
      priorityClassName: "system-node-critical"
      serviceAccountName: aws-node
      hostNetwork: true
      initContainers:
        - name: aws-vpc-cni-init
          image: "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.11.0"
          env: []
          securityContext:
            privileged: true
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
      terminationGracePeriodSeconds: 10
      tolerations:
        - operator: Exists
      securityContext: {}
      containers:
        - name: aws-node
          image: "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.11.0"
          ports:
            - containerPort: 61678
              name: metrics
          livenessProbe:
            exec:
              command:
                - /app/grpc-health-probe
                - -addr=:50051
                - -connect-timeout=5s
                - -rpc-timeout=5s
            initialDelaySeconds: 60
            timeoutSeconds: 10
          readinessProbe:
            exec:
              command:
                - /app/grpc-health-probe
                - -addr=:50051
                - -connect-timeout=5s
                - -rpc-timeout=5s
            initialDelaySeconds: 1
            timeoutSeconds: 10
          env:
            - name: ADDITIONAL_ENI_TAGS
              value: "{}"
            - name: AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER
              value: "false"
            - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT
              value: "prng"
            - name: DISABLE_INTROSPECTION
              value: "false"
            - name: DISABLE_METRICS
              value: "false"
            - name: DISABLE_NETWORK_RESOURCE_PROVISIONING
              value: "false"
            - name: WARM_PREFIX_TARGET
              value: "1"
            - name: MY_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          resources:
            requests:
              cpu: 10m
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
            - mountPath: /host/var/log/aws-routed-eni
              name: log-dir
            - mountPath: /var/run/dockershim.sock
              name: dockershim
            - mountPath: /var/run/aws-node
              name: run-dir
            - mountPath: /run/xtables.lock
              name: xtables-lock
      volumes:
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        - name: dockershim
          hostPath:
            path: /var/run/dockershim.sock
        - name: log-dir
          hostPath:
            path: /var/log/aws-routed-eni
            type: DirectoryOrCreate
        - name: run-dir
          hostPath:
            path: /var/run/aws-node
            type: DirectoryOrCreate
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - arm64
                  - key: eks.amazonaws.com/compute-type
                    operator: NotIn
                    values:
                      - fargate
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: eniconfigs.crd.k8s.amazonaws.com
  labels:
    app.kubernetes.io/name: aws-node
    app.kubernetes.io/instance: aws-vpc-cni
    k8s-app: aws-node
spec:
  scope: Cluster
  group: crd.k8s.amazonaws.com
  preserveUnknownFields: false
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    plural: eniconfigs
    singular: eniconfig
    kind: ENIConfig
@rquitales Could you please take another look based on the latest info?
I am also facing the same issue.
In my case, it occurred when upgrading from pulumi-eks 2.30.0 to 2.40.0. (EKS v1.29)
The changes in 2.40.0 include this pull request: https://github.com/pulumi/pulumi-eks/pull/1136 This change modifies the exec args for the eks kubeconfig.
If you have an eks created with versions below 2.30.0 and then run pulumi up after upgrading to pulumi-eks 2.40.0, the issue is reproduced.
Although I am not sure of the exact root cause, it seems that the update to the eks provider due to changes in the eks kubeconfig causes eks resources that were using the old eks Kubernetes version to be recognized as outdated. Consequently, it tries to change resources like aws-node and addons to deprecated Kubernetes API resources.
Here’s how I worked around this issue while upgrading pulumi-eks:
By doing this, the provider changes are eliminated, and the Kubernetes version is correctly recognized, preventing the issue from occurring. As long as provider changes are avoided, the current Kubernetes version is correctly recognized during addon installation/removal, and everything functions properly.
I suspect that this issue is related to the provider change, but I am still unsure of the exact cause. For now, I am using this workaround.
What happened?
I am using Pulumi to deploy EKS cluster in AWS.
When I run Pulumi up, I see the following error:
├─ eks:index:VpcCni cache-work-eks-prod-vpc-cni **creating failed** 1 error
cat tmp-40147bhaoYlrisNwt.tmp
Expected Behavior
Pulumi should successfully setup the cluster.
Steps to reproduce
My dependencies look like these:
package.json:
My AWS-CLI version:
My kubectl version:
code:
Output of pulumi about
pulumi about
CLI
Version 3.50.0
Go Version go1.19.4
Go Compiler gc
Host
OS darwin
Version 13.2
Arch arm64
Pulumi locates its logs in /var/folders/t6/zryv0n4s6wd5w39k8kqt8f880000gn/T/ by default
warning: Failed to read project: no Pulumi.yaml project file found (searching upwards from /Users/mayureshgharat/usecache/Pulumi_latest/pulumi). If you have not created a project yet, use pulumi new to do so: no project file found
warning: Could not access the backend: unable to check if bucket s3://cache-pulumi-ce18dab is accessible: blob (code=Unknown): MissingRegion: could not find region configuration
warning: A new version of Pulumi is available. To upgrade from version '3.50.0' to '3.60.0', run
$ brew upgrade pulumi
or visit https://pulumi.com/docs/reference/install/ for manual instructions and release notes.
Additional context
No response