Deploy EKS on fargate #4888
Comments
Did you check there is no PodSecurityPolicy forbidding this? |
Hi, kubectl describe psp eks.privileged Settings: |
My psp uid: d7fc543e-288b-11ea-a11c-0a72aad1a7be
---> allowPrivilegeEscalation: true, so on this point it looks fine. It seems to be blocked at some other level, maybe the pod execution policy? |
I think we are hitting an EKS on Fargate restriction here. There are currently a few limitations that you should be aware of: https://aws.amazon.com/blogs/aws/amazon-eks-on-aws-fargate-now-generally-available/ You cannot run DaemonSets, privileged pods, or pods that use HostNetwork or HostPort. Can we run the controller with the option AllowPrivilegeEscalation set to false? Can somebody advise on this? |
I have changed allowPrivilegeEscalation to false in versions 0.21.0 through 0.28.0 and I am getting a Permission denied error. Error: exit status 1. Can anyone help me out here? |
same issue.... |
I solved this issue by setting the following values in the helm chart:
controller:
  extraArgs:
    http-port: 8080
    https-port: 8443
  containerPort:
    http: 8080
    https: 8443
  service:
    ports:
      http: 80
      https: 443
    targetPorts:
      http: 8080
      https: 8443
  image:
    allowPrivilegeEscalation: false
|
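As later comments note, the controller Service also needs to be switched from the default Classic Load Balancer to an NLB, since CLB is not supported with Fargate. With the Helm chart that is one more Service annotation; a minimal sketch based on the values used later in this thread (nlb-ip mode requires the AWS Load Balancer Controller to be installed):

controller:
  service:
    annotations:
      # NLB with IP targets, so traffic can reach Fargate pods directly
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"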
I ran into this today and was thinking I would have to deploy an EC2 node group in my cluster to test with, instead of using Fargate. "Warning FailedScheduling fargate-scheduler Pod not supported on Fargate: invalid SecurityContext fields: AllowPrivilegeEscalation" |
Guys, the biggest problem is the fact that the nginx ingress controller uses a Classic Load Balancer by default, which is not supported on EKS Fargate. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /close. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /close. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Is the takeaway from this that |
According to #4888 (comment) it seems to be workable. (And those would be nice changes to make default in the chart, to remove the need to run privileged by default) You'd also have to use the NLB with it (or better-yet, the newly-supported NLB-IP mode) since CLB isn't supported for Fargate, but nginx-ingress works with NLB already. To be clear, I haven't tried nginx-ingress on Fargate or with NLB-IP myself, it's part of my plan for my next AWS k8s rollout. We do run nginx-ingress with NLB today, but not on Fargate. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with /close. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
As well as setting those values, I kind of feel this should be the default setup for this Ingress Controller, since AFAIK it only needs the high privileges for port-binding, and that seems like a high-risk security profile to take on when there's a simple way to not need it. Edit: #3668 explains that this is needed for the non-http feature. |
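For reference, the securityContext under discussion (as it appears in the diffs later in this thread) looks roughly like this; the Fargate-compatible variant just flips allowPrivilegeEscalation and relies on the controller binding unprivileged ports:

securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE  # only needed while the controller binds ports below 1024
  runAsUser: 101
  allowPrivilegeEscalation: false  # the upstream default is true; Fargate rejects true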
After many trials and errors, I have finally made it work with AWS EKS Fargate. Here are some changes:
Notes:
run
|
(sorry for commenting on a closed issue...) With the YAML above (diff vs. the upstream AWS YAML below), I'm getting this when trying to deploy my
anyone got any ideas how to resolve that? I feel like maybe I missed something when deploying. Diff:
--- ingress-nginx-aws-unmodified.yaml-donotuse 2021-09-10 11:38:09.160826297 +0100
+++ ingress-nginx-aws.yaml 2021-09-10 11:38:09.332826596 +0100
@@ -263,7 +263,8 @@
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
- service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
labels:
helm.sh/chart: ingress-nginx-4.0.1
app.kubernetes.io/name: ingress-nginx
@@ -280,12 +281,12 @@
- name: http
port: 80
protocol: TCP
- targetPort: http
+ targetPort: 8080
appProtocol: http
- name: https
port: 443
protocol: TCP
- targetPort: https
+ targetPort: 8443
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
@@ -336,9 +337,11 @@
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- - --validating-webhook=:8443
+ - --validating-webhook=:8444
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
+ - --http-port=8080
+ - --https-port=8443
securityContext:
capabilities:
drop:
@@ -346,7 +349,7 @@
add:
- NET_BIND_SERVICE
runAsUser: 101
- allowPrivilegeEscalation: true
+ allowPrivilegeEscalation: false
env:
- name: POD_NAME
valueFrom: |
My guess is that the validating webhook is hitting your https hosting port, which your diff moved to 8443, instead of the actual validating webhook endpoint, which is now listening on port 8444. In ingress-nginx/templates/controller-deployment.yaml (where the http and https port names are defined), it should look like this:
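The original snippet wasn't preserved here, but to match the flags in the diff above it would presumably be the container ports block, roughly:

ports:
  - name: http
    containerPort: 8080  # matches --http-port=8080
    protocol: TCP
  - name: https
    containerPort: 8443  # matches --https-port=8443
    protocol: TCP
  - name: webhook
    containerPort: 8444  # matches --validating-webhook=:8444
    protocol: TCP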
to match the command-line changes in your diff. I suspect you have the defaults:
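That is, the upstream defaults (visible as the removed lines in the corrected diff further down):

ports:
  - name: http
    containerPort: 80
    protocol: TCP
  - name: https
    containerPort: 443
    protocol: TCP
  - name: webhook
    containerPort: 8443
    protocol: TCP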
Once you have that change, you don't need the Service targetPort changes from your diff. I'd also suggest using a different https port, so you don't need to change the webhook port at all, to simplify things. So all-up, the diff should be something like this (hand-rolled, so it probably won't apply literally, if I miscounted):
--- ingress-nginx-aws-unmodified.yaml-donotuse 2021-09-10 11:38:09.160826297 +0100
+++ ingress-nginx-aws.yaml 2021-09-10 11:38:09.332826596 +0100
@@ -263,7 +263,8 @@
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
- service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
labels:
helm.sh/chart: ingress-nginx-4.0.1
app.kubernetes.io/name: ingress-nginx
@@ -336,9 +337,11 @@
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
+ - --http-port=8080
+ - --https-port=8081
securityContext:
capabilities:
drop:
@@ -346,7 +349,7 @@
add:
- NET_BIND_SERVICE
runAsUser: 101
- allowPrivilegeEscalation: true
+ allowPrivilegeEscalation: false
env:
- name: POD_NAME
valueFrom:
@@ -380,10 +383,10 @@
failureThreshold: 3
ports:
- name: http
- containerPort: 80
+ containerPort: 8080
protocol: TCP
- name: https
- containerPort: 443
+ containerPort: 8081
protocol: TCP
- name: webhook
containerPort: 8443
If you're doing this with the current Helm chart, then the equivalent values.yaml for these changes should be something like:
controller:
  extraArgs:
    http-port: 8080
    https-port: 8081
  containerPort:
    http: 8080
    https: 8081
  image:
    allowPrivilegeEscalation: false
|
You got it, thanks so much @TBBle ❤️ I didn't understand that those names were actually defined in this file. |
@InfectedOne That said, I haven't tried the YAML files posted above; I use Helm to manage deployments, and actually don't have a current Fargate/NGINX Ingress deployment to test against. So my posts here are mostly guesswork against the docs. |
@TBBle, I have used the same yaml which @sAnti09 has posted in the chat. Deploying that, I successfully deployed the controller, but there isn't any load balancer provisioned. I tried the same with the lb type as nlb and it was successful. I'm sorry that I can't post any files as it goes against my org. I have raised a case with AWS support, where they have mentioned that nlb-ip targets aren't supported for the nginx ingress controller as of now. But according to this post it has to work, right? So please help me. |
@TBBle, the docs which you shared refer to the aws load balancer controller, whereas I'm using the nginx ingress controller. Does this difference create any issue? |
The AWS Load Balancer Controller creates Load Balancers, it's separate from the NGINX Ingress Controller which uses Load Balancers. You need to have deployed the AWS Load Balancer Controller before you can use NLB-IP on your cluster for anything, otherwise you're limited to the NLB instance mode supported by the (legacy) built-in AWS Load Balancer support in k8s or the AWS Cloud Controller (depending on which version of k8s you're running). My guess is that the AWS support response is that they don't support NGINX Ingress with NLB-IP targets, because the AWS Load Balancer Controller is not yet deployed by default, but that doesn't mean it doesn't work, just that they don't manage it for you. You don't need nlb-ip mode to run the NGINX Ingress pods on Fargate, though. NLB Instance mode will work. But @sAnti09's YAML is for nlb-ip mode, so it depends on the AWS Load Balancer Controller. |
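To make that concrete, the choice between the two modes comes down to the Service annotation; a minimal sketch using the values seen elsewhere in this thread:

controller:
  service:
    annotations:
      # instance (NodePort) targets via the legacy in-tree / cloud-controller NLB support
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
      # or, with the AWS Load Balancer Controller deployed, IP targets that reach Fargate pods directly:
      # service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"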
Understood @TBBle. Will try out your suggestion and report back with the output. Thanks |
@TBBle, @iainlane, @InfectedOne, anyone, are you aware of any branch/release of this ingress-nginx helm chart repo which implements the suggested workarounds for installing the chart on Fargate/EKS? Just wanted to ask before I try hacking this together myself. Thanks. EDIT: I see that I don't need the branch - what is needed to fix this is to simply provide this yaml as a values file at the |
For the Helm chart, as far as I know all the changes needed can be made by passing in values when deploying, so there isn't any need for a separate chart repo. I haven't tested it, and don't currently have a working deployment of Ingress NGINX on EKS Fargate at hand, but the values overrides at the end of this comment should be a good starting place. As well as those settings, you'll also need the appropriate annotations to use an NLB rather than an ELB, so all-up it ends up looking something like:
controller:
  extraArgs:
    http-port: 8080
    https-port: 8081
  containerPort:
    http: 8080
    https: 8081
  image:
    allowPrivilegeEscalation: false
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
Edit: Fixed the aws-load-balancer-type to be
for current versions of the AWS Load Balancer controller (2.2 onwards), but new versions will recognise the |
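For what it's worth, on AWS Load Balancer Controller 2.2 and later the same thing is usually spelled with the newer split annotations; this is my reading of that controller's docs rather than something verified in this thread:

controller:
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"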
This guy suggests doing effectively the same
Not at all sure how much of this is necessary. Seems like the folks here are saying just the ports (privileged-->unprivileged) and |
That link is setting up a different system, putting an ALB in front of NGINX Ingress (apparently the author has some business requirement to route all incoming traffic through a single ALB), rather than an NLB as I've been assuming here. So rather than an NLB routing the TCP traffic to NGINX Ingress to handle the HTTP, that setup has ALB handling HTTP and then proxying onwards to NGINX Ingress. In the linked setup, NGINX Ingress is being used like any other Ingress-exposed Service, and doesn't even need to be It seems overly-complicated, but it's possible that guide was written before NLB-IP was viable for EKS Fargate, and ALB was the only option? This ticket is definitely that old, but my involvement was only after NLB-IP was available, so I've never looked at using ALB in front of NGINX Ingress. The rest of the settings being used are up to you, they're not related to Fargate at all, just general Ingress NGINX config. I definitely would not deploy it into |
@TBBle sorry for commenting on a closed issue, but I need help that may be related to this issue. I've worked around this issue by reinstalling the helm chart with the below values, but the resulting
I first increased
Right now, I'm seeing the below errors in the nginx-ingress-ingress-nginx-controller pod/container logs, saying there is an error binding 0.0.0.0:8443 because the address is in use, but I'm at a loss as to what in the sea of configuration I need to adapt/correct.
Here is my helm-chart values file (helm/nginx-values.yaml):
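The values file itself wasn't captured; given the 0.0.0.0:8443 bind error and the explanation in the follow-up below, it presumably resembled the earlier 8443-based example, something like:

controller:
  extraArgs:
    http-port: 8080
    https-port: 8443  # conflicts with the validating webhook, which also listens on 8443 by default
  containerPort:
    http: 8080
    https: 8443
  image:
    allowPrivilegeEscalation: false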
which I am installing into my fresh cluster using:
Any ideas why the nginx-ingress-ingress-nginx-controller pod/container is not able to bind to zero, i.e. 0.0.0.0:8443?
EDIT: I'm able to execute
EDIT: I ended up creating a new issue for what I describe above: #7913 |
The problem is that 8443 is already bound for the webhook. That's why I used 8081 in my suggestion, not 8443. The examples using 8443 here had to also move the webhook, which introduces more complexity to the changes, and can lead to weird issues if you get it wrong. |
Thanks so much @TBBle - clearly cockpit error on my part, not understanding the innards of the ingress-nginx application and not being able to inspect the running container sufficiently - so I finally have installed ingress-nginx on eks-fargate with your suggestion (and a few other values):
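A sketch of what such a values file would look like, combining the port overrides suggested above with the NLB annotations discussed earlier in the thread (the poster's exact extra values are not shown here):

controller:
  extraArgs:
    http-port: 8080
    https-port: 8081
  containerPort:
    http: 8080
    https: 8081
  image:
    allowPrivilegeEscalation: false
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"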
Was slow getting back here because I had to learn how to troubleshoot broken helm installations. Thanks again. |
No worries. And thank you for sharing a final, working setup. That's very valuable to have in a single place. |
Well, @TBBle the setup is "working" in the sense that the helm install process will succeed, the ingress controller pods will schedule and be run, but the ingress controller service will be stuck indefinitely in "Pending" EXTERNAL-IP, apparently "Ensuring Load Balancer" never completes:
This is the same behavior I had seen in an identical EKS cluster that I configured separately in another environment/workspace to use EC2 exclusively for its nodes (instead of Fargate), but everything else the same in the terraform project provisioning it... until I added
But I've got the same cluster-specific tags on my fargate-based EKS cluster as well, and the above behavior is still happening. You can see in the above ingress controller service description what annotations I'm using. Perhaps there's another annotation I need here? Any ideas? |
Just to be certain, you do have the AWS Load Balancer Controller installed and functional on this cluster, right? That's the prerequisite for using the nlb-ip load balancer type. Note that per secure by default, you may also need to add an annotation |
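The annotation being referred to is most likely the scheme annotation already used earlier in this thread, since the AWS Load Balancer Controller defaults new load balancers to internal:

controller:
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"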
@timblaktu Did you ever solve this? I have the same issue where the service load balancer is never created or becomes ready. The only thing I can think of is that the start-up time of the Fargate pod for the controller is impacting the ability for the load balancer to be created/resolved. I also have the same set up on another cluster, and I got it working eventually, but I have no idea how I did it. |
You might be able to be better helped if you share the description of the Ingress Nginx controller service, as @timblaktu did earlier. Looking back at that message, I realise that I was probably right about it being a missing AWS Load Balancer Controller, because there was an |
Actually it turned out that in my case the AWS Load Balancer Controller was only half deployed, and this was the problem. I thought it had been deployed, but it was missing a ServiceAccount from another process. This works as expected on Fargate for me when using this #4888 (comment) (and a properly deployed AWS Load Balancer Controller). |
I'm deploying ingress-nginx to an EKS cluster on Fargate (new) using the standard deployment yaml file, but there is an issue with the securityContext:
Warning FailedScheduling fargate-scheduler Pod not supported on Fargate: invalid SecurityContext fields: AllowPrivilegeEscalation
AllowPrivilegeEscalation doesn't seem to be allowed.