InvalidParameterValue for Instance Profile #3051

Closed
jtgorny opened this issue Dec 16, 2022 · 6 comments

jtgorny commented Dec 16, 2022

Is an existing page relevant?

No response

What karpenter features are relevant?

Karpenter - v0.19.3
Kubernetes (EKS) - v1.22.15

Attempting to specify the defaultInstanceProfile field on the helm chart but nothing I pass seems to be valid. I'm repeatedly seeing:

```
ERROR    controller.provisioning    launching node, creating cloud provider instance, with fleet error(s), InvalidParameterValue: Value (***) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name; UnfulfillableCapacity: Unable to fulfill capacity due to your request configuration. Please adjust your request and try again.
```

I've tried many renditions for this field including:

arn:aws:iam::<acct-#>:instance-profile/eks-24c2797f-1266-8092-e5b7-94fdae2d0e6b
instance-profile/eks-24c2797f-1266-8092-e5b7-94fdae2d0e6b
eks-24c2797f-1266-8092-e5b7-94fdae2d0e6b
arn:aws:iam::<acct-#>:role/myupmc_rookie_worker_instance_role
role/myupmc_rookie_worker_instance_role
myupmc_rookie_worker_instance_role

I've even tried overriding this value in the NodeTemplates file and haven't had any luck. I've surveyed docs and the only thing I can come up with is that the role has to follow a specific naming convention (KarpenterNodeRole-${ClusterName})? Is this true? Looking at the examples that doesn't appear to be a hard requirement.

Could somebody please advise?

How should the docs be improved?

Potentially add a section to troubleshooting for this, maybe below here as it seems to be relevant.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

jtgorny commented Dec 16, 2022

Seeing here that the naming convention may be a requirement.

KarpenterNodeRole-${ClusterName} & KarpenterNodeInstanceProfile-${ClusterName}

Is it possible to place a feature request for this to not be a requirement and rather truly accept the role passed as configuration? Renaming an IAM role & instance profile isn't possible & requires a resource replacement for people using IaC (we use terraform). We could create a new one for Karpenter but don't see a need for a unique role/profile for Karpenter nodes as we expect them to run alongside our normal fleet.

@FernandoMiguel
Contributor

Our role has nothing to do with Karpenter, and is shared with MNG, so the name is not a critical bit here.

jtgorny commented Dec 16, 2022

@FernandoMiguel thanks for the reply. Am I misunderstanding what value to be passing for instance profile? Are none of these values valid?

arn:aws:iam::<acct-#>:instance-profile/eks-24c2797f-1266-8092-e5b7-94fdae2d0e6b
instance-profile/eks-24c2797f-1266-8092-e5b7-94fdae2d0e6b
eks-24c2797f-1266-8092-e5b7-94fdae2d0e6b
arn:aws:iam::<acct-#>:role/myupmc_rookie_worker_instance_role
role/myupmc_rookie_worker_instance_role
myupmc_rookie_worker_instance_role

@FernandoMiguel
Contributor

we issue an instance role with

```hcl
resource "aws_iam_instance_profile" "karpenter" {
  name_prefix = substr("KarpenterNodeInstanceProfile-${var.eks_cluster_id}-", 0, 102) # expected length of name_prefix to be in the range (1 - 102).
  role        = var.aws_iam_role_ng
}
output "aws_iam_instance_profile_karpenter" { value = aws_iam_instance_profile.karpenter }
```

then pass aws_iam_instance_profile.karpenter.name to the provisioner

```hcl
data "kubectl_file_documents" "karpenter_default_provisioner" {
  content = templatefile("${path.module}/provisioners/default_provisioner.yaml", {
    azs                             = jsonencode(var.aws_availability_zones)
    capacity-type                   = jsonencode(var.capacity-type)
    arch                            = jsonencode(var.arch)
    tags                            = jsonencode(local.tags)
    private_subnets                 = join(", ", var.private_subnets) ## https://github.com/aws/karpenter/issues/1327
    security_groups                 = join(", ", var.security_groups)
    provisioner_name                = local.provisioner_name
    provisioner_bigger_hw_pool_name = local.provisioner_bigger_hw_pool_name
    limits_resources_cpu            = var.limits_resources_cpu
    amiFamily                       = var.amiFamily ## Currently, Karpenter supports amiFamily values AL2, Bottlerocket, and Ubuntu. GPUs are only supported with AL2 and Bottlerocket.
    instanceProfile                 = aws_iam_instance_profile.karpenter.name
    volumeSize                      = var.volumeSize
    ttlSecondsAfterEmpty            = var.ttlSecondsAfterEmpty
    ttlSecondsUntilExpired          = var.ttlSecondsUntilExpired
  })
}
```

that makes the contents of awsnodetemplates.karpenter.k8s.aws be:
"instanceProfile": "KarpenterNodeInstanceProfile-moved-emu-20221208172709386700000010",

@FernandoMiguel
Contributor

So if you log in to your AWS console, go to Roles and open your role, you will see the instance ARN on the far right.
Sadly, the web UI provides no way to list instance IAM roles.
You have to use the CLI:
https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles.html
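
An added example, not part of the thread and not Karpenter's code: it maps each form of value tried above (profile ARN, path form, role ARN, role name) to the bare instance profile name, using JSON in the shape `aws iam list-instance-profiles` returns. It assumes the field wants the bare name, as the `iamInstanceProfile.name` parameter in the error and the `.name` attribute in the Terraform above suggest; the sample JSON, account ID and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws iam list-instance-profiles` output.
# Account ID, profile names and role names are placeholders.
SAMPLE_CLI_JSON = json.dumps({"InstanceProfiles": [
    {"InstanceProfileName": "example-node-profile", "Path": "/",
     "Arn": "arn:aws:iam::111122223333:instance-profile/example-node-profile",
     "Roles": [{"RoleName": "example-worker-role",
                "Arn": "arn:aws:iam::111122223333:role/example-worker-role"}]},
    {"InstanceProfileName": "example-empty-profile", "Path": "/",
     "Arn": "arn:aws:iam::111122223333:instance-profile/example-empty-profile",
     "Roles": []},
]})


def profiles_by_name(cli_json):
    """Map each instance profile name to the role names attached to it."""
    data = json.loads(cli_json)
    return {p["InstanceProfileName"]: [r["RoleName"] for r in p.get("Roles", [])]
            for p in data.get("InstanceProfiles", [])}


def resolve_profile_names(candidate, cli_json=SAMPLE_CLI_JSON):
    """Return the bare instance profile name(s) a candidate value refers to.

    Accepts a profile ARN, "instance-profile/<name>", a bare profile name,
    a role ARN, "role/<name>" or a bare role name. Empty list = no match.
    """
    profiles = profiles_by_name(cli_json)
    bare = candidate.strip().rsplit("/", 1)[-1]   # drop ARN and path prefix
    says_role = ":role/" in candidate or candidate.startswith("role/")
    says_profile = "instance-profile/" in candidate
    if not says_role and bare in profiles:
        return [bare]                             # already a profile name
    if not says_profile:
        # Treat it as a role and list every profile that wraps that role.
        return sorted(n for n, roles in profiles.items() if bare in roles)
    return []


if __name__ == "__main__":
    for value in ("arn:aws:iam::111122223333:instance-profile/example-node-profile",
                  "role/example-worker-role", "example-worker-role", "missing"):
        print(f"{value!r:75} -> {resolve_profile_names(value)}")
```

An empty result for a role means no instance profile wraps that role yet, so one has to be created before a name can be passed.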

@spring1843
Contributor

Thank you for opening this issue. Please feel free to reopen the ticket if the issue continues to exist.
