chore(eks): support EKS service link role #7637

Merged
merged 5 commits into from
May 1, 2020

pahud
Contributor

@pahud pahud commented Apr 28, 2020

Commit Message

core(eks): support EKS service link role

Prior to April 16, 2020, AmazonEKSServicePolicy was required for the EKS cluster IAM role. With the new AWSServiceRoleForAmazonEKS service-linked role, that policy is no longer required.

This PR removes the AmazonEKSServicePolicy from the cluster role.

Closes #7634

End Commit Message


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@mergify
Contributor

mergify bot commented Apr 28, 2020

Title does not follow the guidelines of Conventional Commits. Please adjust title before merge.

@pahud pahud changed the title core(eks): support EKS service link role chore(eks): support EKS service link role Apr 28, 2020
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 673ef87
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@eladb
Contributor

eladb commented Apr 30, 2020

@pahud this seems like it's mainly about removing AmazonEKSServicePolicy. Should we scope the PR down to this change first?

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 01607b6
  • Result: FAILED
  • Build Logs (available for 30 days)


@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 329299e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@pahud pahud marked this pull request as ready for review April 30, 2020 16:54
@eladb
Contributor

eladb commented May 1, 2020

@pahud Can you include some details in the commit message about how this change resolves the issue?

@pahud
Contributor Author

pahud commented May 1, 2020

> @pahud Can you include some details in the commit message about how this change resolves the issue?

OK. Done.

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 6ff144f
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@mergify
Contributor

mergify bot commented May 1, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: d58fa1d
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@mergify
Contributor

mergify bot commented May 1, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 1ecfca2 into aws:master May 1, 2020
@stefanolczak

After this change it's impossible to update EKS clusters (from the AWS console or CDK) deployed before the 16th of April, because the update requires the AmazonEKSServicePolicy in the cluster IAM role. AWS returns an error:

Role with arn: arn:aws:iam::XXXXX:role/staging-eks-cluster-StagingEksClusterRole7CDF300A-1D3OQMFWTZVW8, could not be assumed because it does not exist or the trusted entity is not correct

To make it work, the policy has to be added manually to the IAM role or the cluster has to be deployed from scratch. Unfortunately it causes a drift in CloudFormation templates generated by CDK.
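An added example, not part of the original thread or the CDK code base: a pre-upgrade check that flags clusters matching the case reported in the comment above, that is, clusters created before April 16, 2020 whose cluster role no longer has AmazonEKSServicePolicy attached. It assumes inputs shaped like boto3 `describe_cluster` and `list_attached_role_policies` responses; the account ID, cluster names and role names are constructed sample data.

```python
from datetime import datetime, timezone

# Cutoff date and policy name are taken from the thread above.
SLR_CUTOFF = datetime(2020, 4, 16, tzinfo=timezone.utc)
SERVICE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
CLUSTER_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"


def role_name_from_arn(role_arn):
    """Return the role name (last path segment) of an IAM role ARN."""
    return role_arn.split(":role/", 1)[1].rsplit("/", 1)[-1]


def clusters_needing_service_policy(clusters, attached_policies):
    """Flag clusters created before the cutoff whose role lacks the policy.
    clusters: dicts shaped like the "cluster" object of boto3 describe_cluster.
    attached_policies: role name -> "AttachedPolicies" list as returned by
    boto3 list_attached_role_policies.
    """
    findings = []
    for cluster in clusters:
        created = cluster["createdAt"]
        if created.tzinfo is None:  # treat naive timestamps as UTC
            created = created.replace(tzinfo=timezone.utc)
        if created >= SLR_CUTOFF:
            continue  # new enough to rely on the service-linked role alone
        role = role_name_from_arn(cluster["roleArn"])
        arns = {p["PolicyArn"] for p in attached_policies.get(role, [])}
        if SERVICE_POLICY_ARN not in arns:
            findings.append({"cluster": cluster["name"], "role": role})
    return findings


# Constructed sample data (account ID, cluster and role names are made up).
SAMPLE_CLUSTERS = [
    {"name": "staging-old", "createdAt": datetime(2020, 3, 2, tzinfo=timezone.utc),
     "roleArn": "arn:aws:iam::111122223333:role/StagingOldRole"},
    {"name": "prod-old", "createdAt": datetime(2020, 1, 15, tzinfo=timezone.utc),
     "roleArn": "arn:aws:iam::111122223333:role/ProdOldRole"},
    {"name": "dev-new", "createdAt": datetime(2020, 5, 4, tzinfo=timezone.utc),
     "roleArn": "arn:aws:iam::111122223333:role/DevNewRole"},
]
SAMPLE_ATTACHED = {
    "StagingOldRole": [{"PolicyName": "AmazonEKSClusterPolicy", "PolicyArn": CLUSTER_POLICY_ARN}],
    "ProdOldRole": [{"PolicyName": "AmazonEKSClusterPolicy", "PolicyArn": CLUSTER_POLICY_ARN},
                    {"PolicyName": "AmazonEKSServicePolicy", "PolicyArn": SERVICE_POLICY_ARN}],
    "DevNewRole": [{"PolicyName": "AmazonEKSClusterPolicy", "PolicyArn": CLUSTER_POLICY_ARN}],
}
```

Calling `clusters_needing_service_policy(SAMPLE_CLUSTERS, SAMPLE_ATTACHED)` reports only `staging-old`, the one pre-cutoff cluster whose role is missing the policy.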

Successfully merging this pull request may close these issues.

[aws-eks] Use only Service Linked Role for EKS clusters