diff --git a/.github/actions/e2e/create-cluster/action.yaml b/.github/actions/e2e/create-cluster/action.yaml index 9fda23e1a696..dea255d48563 100644 --- a/.github/actions/e2e/create-cluster/action.yaml +++ b/.github/actions/e2e/create-cluster/action.yaml @@ -186,7 +186,8 @@ runs: --cluster "${{ inputs.cluster_name }}" \ --arn "arn:aws:iam::${{ inputs.account_id }}:role/KarpenterNodeRole-${{ inputs.cluster_name }}" \ --group system:bootstrappers \ - --group system:nodes + --group system:nodes \ + --group eks:kube-proxy-windows - name: cloudformation describe stack events shell: bash if: failure() diff --git a/website/content/en/docs/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh b/website/content/en/docs/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh index e23e29ac0cc8..7f6428e39056 100755 --- a/website/content/en/docs/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh +++ b/website/content/en/docs/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh @@ -33,6 +33,9 @@ iamIdentityMappings: groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows managedNodeGroups: - instanceType: m5.large diff --git a/website/content/en/docs/getting-started/migrating-from-cas/_index.md b/website/content/en/docs/getting-started/migrating-from-cas/_index.md index 2b9d8bfd814a..cae4d63f93cc 100644 --- a/website/content/en/docs/getting-started/migrating-from-cas/_index.md +++ b/website/content/en/docs/getting-started/migrating-from-cas/_index.md 
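Review bot: The added `--group eks:kube-proxy-windows` is attached unconditionally to the `KarpenterNodeRole-${{ inputs.cluster_name }}` mapping, so every node that authenticates with that role in the e2e cluster, Linux nodes included, receives the Windows kube-proxy RBAC group. The documentation hunks in this same commit keep the group commented out as an opt-in, so the test cluster and the documented setup now differ. If the broader grant is intended for the Windows suites, record the reason in a comment above the command, since a comment cannot sit between the backslash-continued arguments, for example `# eks:kube-proxy-windows: required by kube-proxy on Windows nodes, see https://github.com/aws/karpenter/issues/5099`. The step this command belongs to starts above the hunk, so the exact placement is not visible here.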
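Review bot: The new comment in the `iamIdentityMappings` block does not tell the reader which line to uncomment or how far the change reaches. As far as the hunk shows, the `groups` list belongs to a single role mapping, so enabling `# - eks:kube-proxy-windows` would presumably grant the group to every node using that role, not only Windows nodes. A wording such as `# Uncomment the next line only if the cluster will run Windows nodes; the group is then granted to every node that uses this role.` followed by `# See https://github.com/aws/karpenter/issues/5099.` would make that explicit, and would also settle the mixed `##` / `#` comment markers. The same three lines recur in the preview and v0.29 to v0.32 copies of this script and in the migrating-from-cas pages.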
@@ -77,6 +77,9 @@ Replace the `${AWS_PARTITION}` variable with the account partition, `${AWS_ACCOU - groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows rolearn: arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME} username: system:node:{{EC2PrivateDNSName}} ``` diff --git a/website/content/en/docs/troubleshooting.md b/website/content/en/docs/troubleshooting.md index ae3b1f47bf88..cbb5b07d1574 100644 --- a/website/content/en/docs/troubleshooting.md +++ b/website/content/en/docs/troubleshooting.md 
@@ -351,6 +351,24 @@ Windows requires the host OS version to match the container OS version. 1. Define your pod's `nodeSelector` to ensure that your containers are scheduled on a compatible OS host version. To learn more, see [Windows container version compatibility](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). +### Windows pods unable to resolve DNS +Causes for DNS resolution failure may vary, but in the case where DNS resolution is working for Linux pods but not for Windows pods, +then the following solution(s) may resolve your issue. + +#### Solution(s) +1. Verify that the instance role of the Windows node includes the RBAC permission group `eks:kube-proxy-windows` as shown below. + This group is required for Windows nodes because in Windows, `kube-proxy` runs as a process on the node, and as such, the node requires the necessary RBAC cluster permissions to allow access to the resources required by `kube-proxy`. + For more information, see https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html. +```yaml +... + username: system:node:{{EC2PrivateDNSName}} + groups: + - system:bootstrappers + - system:nodes + - eks:kube-proxy-windows # This is required for Windows DNS resolution to work +... +``` + ## Deprovisioning ### Nodes not deprovisioned diff --git a/website/content/en/preview/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh b/website/content/en/preview/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh index e23e29ac0cc8..7f6428e39056 100755 --- a/website/content/en/preview/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh +++ b/website/content/en/preview/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh 
@@ -33,6 +33,9 @@ iamIdentityMappings: groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows managedNodeGroups: - instanceType: m5.large diff --git a/website/content/en/preview/getting-started/migrating-from-cas/_index.md b/website/content/en/preview/getting-started/migrating-from-cas/_index.md index 3f8d5957c0d6..cfd3b82fec51 100644 --- a/website/content/en/preview/getting-started/migrating-from-cas/_index.md +++ b/website/content/en/preview/getting-started/migrating-from-cas/_index.md @@ -77,6 +77,9 @@ Replace the `${AWS_PARTITION}` variable with the account partition, `${AWS_ACCOU - groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows rolearn: arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME} username: system:node:{{EC2PrivateDNSName}} ``` diff --git a/website/content/en/preview/troubleshooting.md b/website/content/en/preview/troubleshooting.md index ae3b1f47bf88..cbb5b07d1574 100644 --- a/website/content/en/preview/troubleshooting.md +++ b/website/content/en/preview/troubleshooting.md 
@@ -351,6 +351,24 @@ Windows requires the host OS version to match the container OS version. 1. Define your pod's `nodeSelector` to ensure that your containers are scheduled on a compatible OS host version. To learn more, see [Windows container version compatibility](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). +### Windows pods unable to resolve DNS +Causes for DNS resolution failure may vary, but in the case where DNS resolution is working for Linux pods but not for Windows pods, +then the following solution(s) may resolve your issue. + +#### Solution(s) +1. Verify that the instance role of the Windows node includes the RBAC permission group `eks:kube-proxy-windows` as shown below. + This group is required for Windows nodes because in Windows, `kube-proxy` runs as a process on the node, and as such, the node requires the necessary RBAC cluster permissions to allow access to the resources required by `kube-proxy`. + For more information, see https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html. +```yaml +... + username: system:node:{{EC2PrivateDNSName}} + groups: + - system:bootstrappers + - system:nodes + - eks:kube-proxy-windows # This is required for Windows DNS resolution to work +... +``` + ## Deprovisioning ### Nodes not deprovisioned diff --git a/website/content/en/v0.29/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh b/website/content/en/v0.29/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh index 07f4d08fbfd2..e0d9667dc328 100755 --- a/website/content/en/v0.29/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh +++ b/website/content/en/v0.29/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh 
@@ -33,6 +33,9 @@ iamIdentityMappings: groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows managedNodeGroups: - instanceType: m5.large diff --git a/website/content/en/v0.29/getting-started/migrating-from-cas/_index.md b/website/content/en/v0.29/getting-started/migrating-from-cas/_index.md index 82cd16377ee1..0d9f9f039ed6 100644 --- a/website/content/en/v0.29/getting-started/migrating-from-cas/_index.md +++ b/website/content/en/v0.29/getting-started/migrating-from-cas/_index.md @@ -80,6 +80,9 @@ Replace the `${AWS_PARTITION}` variable with the account partition, `${AWS_ACCOU - groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows rolearn: arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME} username: system:node:{{EC2PrivateDNSName}} ``` diff --git a/website/content/en/v0.29/troubleshooting.md b/website/content/en/v0.29/troubleshooting.md index 1bfc0b1a543c..7ac4a35aa523 100644 --- a/website/content/en/v0.29/troubleshooting.md +++ b/website/content/en/v0.29/troubleshooting.md 
@@ -351,6 +351,24 @@ Windows requires the host OS version to match the container OS version. 1. Define your pod's `nodeSelector` to ensure that your containers are scheduled on a compatible OS host version. To learn more, see [Windows container version compatibility](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). +### Windows pods unable to resolve DNS +Causes for DNS resolution failure may vary, but in the case where DNS resolution is working for Linux pods but not for Windows pods, +then the following solution(s) may resolve your issue. + +#### Solution(s) +1. Verify that the instance role of the Windows node includes the RBAC permission group `eks:kube-proxy-windows` as shown below. + This group is required for Windows nodes because in Windows, `kube-proxy` runs as a process on the node, and as such, the node requires the necessary RBAC cluster permissions to allow access to the resources required by `kube-proxy`. + For more information, see https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html. +```yaml +... + username: system:node:{{EC2PrivateDNSName}} + groups: + - system:bootstrappers + - system:nodes + - eks:kube-proxy-windows # This is required for Windows DNS resolution to work +... +``` + ## Deprovisioning ### Nodes not deprovisioned diff --git a/website/content/en/v0.30/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh b/website/content/en/v0.30/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh index 07f4d08fbfd2..e0d9667dc328 100755 --- a/website/content/en/v0.30/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh +++ b/website/content/en/v0.30/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh 
@@ -33,6 +33,9 @@ iamIdentityMappings: groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows managedNodeGroups: - instanceType: m5.large diff --git a/website/content/en/v0.30/getting-started/migrating-from-cas/_index.md b/website/content/en/v0.30/getting-started/migrating-from-cas/_index.md index a4a62b18112a..82114efbfead 100644 --- a/website/content/en/v0.30/getting-started/migrating-from-cas/_index.md +++ b/website/content/en/v0.30/getting-started/migrating-from-cas/_index.md @@ -80,6 +80,9 @@ Replace the `${AWS_PARTITION}` variable with the account partition, `${AWS_ACCOU - groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows rolearn: arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME} username: system:node:{{EC2PrivateDNSName}} ``` diff --git a/website/content/en/v0.30/troubleshooting.md b/website/content/en/v0.30/troubleshooting.md index 28952034ec9d..a87ba78b23e5 100644 --- a/website/content/en/v0.30/troubleshooting.md +++ b/website/content/en/v0.30/troubleshooting.md 
@@ -351,6 +351,24 @@ Windows requires the host OS version to match the container OS version. 1. Define your pod's `nodeSelector` to ensure that your containers are scheduled on a compatible OS host version. To learn more, see [Windows container version compatibility](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). +### Windows pods unable to resolve DNS +Causes for DNS resolution failure may vary, but in the case where DNS resolution is working for Linux pods but not for Windows pods, +then the following solution(s) may resolve your issue. + +#### Solution(s) +1. Verify that the instance role of the Windows node includes the RBAC permission group `eks:kube-proxy-windows` as shown below. + This group is required for Windows nodes because in Windows, `kube-proxy` runs as a process on the node, and as such, the node requires the necessary RBAC cluster permissions to allow access to the resources required by `kube-proxy`. + For more information, see https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html. +```yaml +... + username: system:node:{{EC2PrivateDNSName}} + groups: + - system:bootstrappers + - system:nodes + - eks:kube-proxy-windows # This is required for Windows DNS resolution to work +... +``` + ## Deprovisioning ### Nodes not deprovisioned diff --git a/website/content/en/v0.31/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh b/website/content/en/v0.31/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh index 07f4d08fbfd2..e0d9667dc328 100755 --- a/website/content/en/v0.31/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh +++ b/website/content/en/v0.31/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh 
@@ -33,6 +33,9 @@ iamIdentityMappings: groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows managedNodeGroups: - instanceType: m5.large diff --git a/website/content/en/v0.31/getting-started/migrating-from-cas/_index.md b/website/content/en/v0.31/getting-started/migrating-from-cas/_index.md index 956b6e2e7810..6916f1c0f619 100644 --- a/website/content/en/v0.31/getting-started/migrating-from-cas/_index.md +++ b/website/content/en/v0.31/getting-started/migrating-from-cas/_index.md @@ -80,6 +80,9 @@ Replace the `${AWS_PARTITION}` variable with the account partition, `${AWS_ACCOU - groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows rolearn: arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME} username: system:node:{{EC2PrivateDNSName}} ``` diff --git a/website/content/en/v0.31/troubleshooting.md b/website/content/en/v0.31/troubleshooting.md index 28952034ec9d..a87ba78b23e5 100644 --- a/website/content/en/v0.31/troubleshooting.md +++ b/website/content/en/v0.31/troubleshooting.md 
@@ -351,6 +351,24 @@ Windows requires the host OS version to match the container OS version. 1. Define your pod's `nodeSelector` to ensure that your containers are scheduled on a compatible OS host version. To learn more, see [Windows container version compatibility](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). +### Windows pods unable to resolve DNS +Causes for DNS resolution failure may vary, but in the case where DNS resolution is working for Linux pods but not for Windows pods, +then the following solution(s) may resolve your issue. + +#### Solution(s) +1. Verify that the instance role of the Windows node includes the RBAC permission group `eks:kube-proxy-windows` as shown below. + This group is required for Windows nodes because in Windows, `kube-proxy` runs as a process on the node, and as such, the node requires the necessary RBAC cluster permissions to allow access to the resources required by `kube-proxy`. + For more information, see https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html. +```yaml +... + username: system:node:{{EC2PrivateDNSName}} + groups: + - system:bootstrappers + - system:nodes + - eks:kube-proxy-windows # This is required for Windows DNS resolution to work +... +``` + ## Deprovisioning ### Nodes not deprovisioned diff --git a/website/content/en/v0.32/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh b/website/content/en/v0.32/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh index e23e29ac0cc8..7f6428e39056 100755 --- a/website/content/en/v0.32/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh +++ b/website/content/en/v0.32/getting-started/getting-started-with-karpenter/scripts/step02-create-cluster.sh 
@@ -33,6 +33,9 @@ iamIdentityMappings: groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows managedNodeGroups: - instanceType: m5.large diff --git a/website/content/en/v0.32/getting-started/migrating-from-cas/_index.md b/website/content/en/v0.32/getting-started/migrating-from-cas/_index.md index 2b9d8bfd814a..cae4d63f93cc 100644 --- a/website/content/en/v0.32/getting-started/migrating-from-cas/_index.md +++ b/website/content/en/v0.32/getting-started/migrating-from-cas/_index.md @@ -77,6 +77,9 @@ Replace the `${AWS_PARTITION}` variable with the account partition, `${AWS_ACCOU - groups: - system:bootstrappers - system:nodes + ## If you intend to run Windows workloads, the kube-proxy group should be specified. + # For more information, see https://github.com/aws/karpenter/issues/5099. + # - eks:kube-proxy-windows rolearn: arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME} username: system:node:{{EC2PrivateDNSName}} ``` diff --git a/website/content/en/v0.32/troubleshooting.md b/website/content/en/v0.32/troubleshooting.md index ae3b1f47bf88..b380423054a0 100644 --- a/website/content/en/v0.32/troubleshooting.md +++ b/website/content/en/v0.32/troubleshooting.md 
@@ -351,6 +351,24 @@ Windows requires the host OS version to match the container OS version. 1. Define your pod's `nodeSelector` to ensure that your containers are scheduled on a compatible OS host version. To learn more, see [Windows container version compatibility](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). +### Windows pods unable to resolve DNS +Causes for DNS resolution failure may vary, but in the case where DNS resolution is working for Linux pods but not for Windows pods, +then the following solution(s) may resolve your issue. + +#### Solution(s) +1. Verify that the instance role of the Windows node includes the RBAC permission group `eks:kube-proxy-windows` as shown below. + This group is required for Windows nodes because in Windows, `kube-proxy` runs as a process on the node, and as such, the node requires the necessary RBAC cluster permissions to allow access to the resources required by `kube-proxy`. + For more information, see https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html. +```yaml +... + username: system:node:{{EC2PrivateDNSName}} + groups: + - system:bootstrappers + - system:nodes + - eks:kube-proxy-windows # This is required for Windows DNS resolution to work +... +``` + ## Deprovisioning ### Nodes not deprovisioned