add windows kube-proxy role to aws-auth map #242

Merged
merged 1 commit into from
Oct 15, 2021

Conversation

abhipth
Contributor

@abhipth abhipth commented Oct 15, 2021

Issue #, if available:
Windows ASGs are created with the node Instance role without the eks:kube-proxy-windows group, because of which connectivity to any service would fail. The aws-auth map should also have the role eks:kube-proxy-windows. See

Description of changes:
If a Windows AMI is present, add the additional eks:kube-proxy-windows to the Node Instance role. It works for Linux because kube-proxy runs as a DaemonSet, whereas kube-proxy runs as a service on Windows OS, hence the additional permissions.

Future Improvements
Since the Windows and Linux ASGs are created with the same role, the Linux nodes will get the additional RBAC permissions that are required by the Windows nodes. In future we can create separate roles for Windows and Linux and add only the required policy.

Testing Results
Linux-only ASG

```yaml
# Excerpt of the aws-auth ConfigMap (kube-system) for a Linux-only node group
apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::REDACTED:role/eks-2021101511-oceankd3s3i3-node-group-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
      - system:bootstrappers
      - system:nodes
```

Linux and Windows ASG

```yaml
# Excerpt of the aws-auth ConfigMap (kube-system) when a Windows AMI is present:
# the node role additionally carries the eks:kube-proxy-windows group
apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::REDACTED:role/eks-2021101512-kirklandncoj-node-group-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
      - system:bootstrappers
      - system:nodes
      - eks:kube-proxy-windows
```

Checking Service connectivity from Windows Node

```powershell
# Run on the Windows node: TCP check against the cluster's kubernetes service VIP
Test-NetConnection -ComputerName 172.20.0.1 -Port 443

ComputerName     : 172.20.0.1
RemoteAddress    : 172.20.0.1
RemotePort       : 443
InterfaceAlias   : vEthernet (cid-b21fc88e1a488818aa6bf69f283c7cd5f294587553eacb66d2f53b2522b37172)
SourceAddress    : 10.0.124.227
TcpTestSucceeded : True
```

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
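The change described above, as an added example that is not part of this pull request or the project's own code: a Go program that renders the node-group `mapRoles` entry for aws-auth, emitting the `eks:kube-proxy-windows` group only when a Windows ASG is present, wraps it in a full `aws-auth` ConfigMap manifest, and provides a check that a given role ARN actually carries a group (the verification step a reviewer would run with `kubectl get configmap aws-auth -n kube-system -o yaml` after applying). `AuthMapParams`, `RenderMapRoles`, `RenderAuthConfigMap` and `HasGroup` are names chosen for this example, not the project's, and the role ARN is a constructed placeholder.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// AuthMapParams drives the mapRoles rendering (hypothetical type, not the project's).
type AuthMapParams struct {
	NodeRoleARN    string // IAM role shared by the Linux and Windows ASGs
	WindowsEnabled bool   // true when a Windows AMI / ASG is part of the cluster
}

// mapRolesTemplate renders the node-group role entry for aws-auth. The
// eks:kube-proxy-windows group is emitted only when a Windows ASG exists:
// on Windows kube-proxy runs as a host service under the node role, so the
// role itself needs the RBAC that the kube-proxy DaemonSet gets on Linux.
// The literal {{EC2PrivateDNSName}} is emitted via a quoted string so that
// text/template does not try to evaluate it.
const mapRolesTemplate = `- rolearn: {{ .NodeRoleARN }}
  username: system:node:{{ "{{EC2PrivateDNSName}}" }}
  groups:
  - system:bootstrappers
  - system:nodes
{{- if .WindowsEnabled }}
  - eks:kube-proxy-windows
{{- end }}
`

// RenderMapRoles returns the mapRoles YAML list for the node-group role.
func RenderMapRoles(p AuthMapParams) (string, error) {
	tmpl, err := template.New("mapRoles").Parse(mapRolesTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderAuthConfigMap wraps the mapRoles list in a complete aws-auth ConfigMap
// manifest (kube-system), indented as a YAML block scalar.
func RenderAuthConfigMap(p AuthMapParams) (string, error) {
	roles, err := RenderMapRoles(p)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	b.WriteString("apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: aws-auth\n  namespace: kube-system\ndata:\n  mapRoles: |\n")
	for _, line := range strings.Split(strings.TrimRight(roles, "\n"), "\n") {
		b.WriteString("    " + line + "\n")
	}
	return b.String(), nil
}

// HasGroup reports whether the mapRoles entry for roleARN lists group.
// It works on both the bare list and the indented ConfigMap form, and only
// inspects groups belonging to the matching rolearn entry.
func HasGroup(mapRoles, roleARN, group string) bool {
	inEntry := false
	for _, line := range strings.Split(mapRoles, "\n") {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "- rolearn:") {
			inEntry = strings.TrimSpace(strings.TrimPrefix(t, "- rolearn:")) == roleARN
			continue
		}
		if inEntry && t == "- "+group {
			return true
		}
	}
	return false
}

func main() {
	// Constructed placeholder ARN; the real one comes from the node-group stack.
	arn := "arn:aws:iam::123456789012:role/example-node-group-role"
	for _, windows := range []bool{false, true} {
		cm, err := RenderAuthConfigMap(AuthMapParams{NodeRoleARN: arn, WindowsEnabled: windows})
		if err != nil {
			panic(err)
		}
		fmt.Printf("# WindowsEnabled=%v, kube-proxy-windows group present=%v\n%s\n",
			windows, HasGroup(cm, arn, "eks:kube-proxy-windows"), cm)
	}
}
```

`HasGroup` is scoped to the matching `rolearn` entry on purpose: a cluster's aws-auth usually lists several roles, and the point of the check is that this node role, not some other entry, carries the group. It also makes the least-privilege trade-off in the PR visible: with one shared role, every Linux node that assumes it is a member of `eks:kube-proxy-windows` too.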

@gyuho gyuho merged commit b028010 into aws:main Oct 15, 2021
@abhipth abhipth deleted the windows-authmap-fix branch October 15, 2021 21:02