IRSA - continue adding route53 permisions to masters #10529

rifelpet · 2021-01-05T02:29:41Z

These are needed by protokube to create the kops-controller DNS record to allow nodes to bootstrap. Ideally we could figure out a way for protokube to not rely on the ec2 instance's instance profile and role but until then we can revert to our original behavior here.

See these logs: https://storage.googleapis.com/kubernetes-jenkins/logs/e2e-kops-grid-scenario-public-jwks/1345956556562239488/artifacts/ip-172-20-48-1.sa-east-1.compute.internal/protokube.log

I0104 05:03:51.264472    6482 dnscache.go:74] querying all DNS zones (no cached results)
I0104 05:03:51.264570    6482 route53.go:53] AWS request: route53 ListHostedZones
W0104 05:03:51.389485    6482 dnscontroller.go:124] Unexpected error in DNS controller, will retry: error querying for zones: error querying for DNS zones: AccessDenied: User: arn:aws:sts::768319786644:assumed-role/masters.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io/i-05b1db10d1a5b8637 is not authorized to perform: route53:ListHostedZones

and the nodeup logs on nodes that couldn't join the cluster:

Jan 04 04:55:53.500187 ip-172-20-38-84 nodeup[2070]: W0104 04:55:53.500117    2070 executor.go:131] error running task "BootstrapClient/BootstrapClient" (9m52s remaining to succeed): Post "https://kops-controller.internal.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io:3988/bootstrap": dial tcp: lookup kops-controller.internal.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io on 127.0.0.53:53: no such host

k8s-ci-robot · 2021-01-05T02:30:00Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rifelpet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [rifelpet]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

These are needed by protokube to create the kops-controller DNS record to allow nodes to bootstrap. See these logs: https://storage.googleapis.com/kubernetes-jenkins/logs/e2e-kops-grid-scenario-public-jwks/1345956556562239488/artifacts/ip-172-20-48-1.sa-east-1.compute.internal/protokube.log ``` I0104 05:03:51.264472 6482 dnscache.go:74] querying all DNS zones (no cached results) I0104 05:03:51.264570 6482 route53.go:53] AWS request: route53 ListHostedZones W0104 05:03:51.389485 6482 dnscontroller.go:124] Unexpected error in DNS controller, will retry: error querying for zones: error querying for DNS zones: AccessDenied: User: arn:aws:sts::768319786644:assumed-role/masters.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io/i-05b1db10d1a5b8637 is not authorized to perform: route53:ListHostedZones ``` and the nodeup logs on nodes that couldn't join the cluster: ``` Jan 04 04:55:53.500187 ip-172-20-38-84 nodeup[2070]: W0104 04:55:53.500117 2070 executor.go:131] error running task "BootstrapClient/BootstrapClient" (9m52s remaining to succeed): Post "https://kops-controller.internal.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io:3988/bootstrap": dial tcp: lookup kops-controller.internal.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io on 127.0.0.53:53: no such host ```

olemarkus · 2021-01-05T07:47:37Z

If we have to support CSR bootstrap mechanism for bottlerocket, this could be used here as well.

/lgtm

rifelpet · 2021-01-06T05:20:56Z

@justinsb the route53 record is still failing to be created: https://prow.k8s.io/view/gcs/kubernetes-jenkins/logs/e2e-kops-grid-scenario-public-jwks/1346681344700190720

We dont collect the dns-controller logs in the job artifacts but my new theory is that kubetest only allows the prow job's public IP to access apiserver but it needs to be 0.0.0.0/0 so that IAM can reach the JWKS endpoints.

Should not be needed; dns-controller should run on the control-plane node so there should not be a bootstrapping problem with the nodes. Reverts kubernetes#10529

k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 5, 2021

k8s-ci-robot requested review from joshbranham and mikesplain January 5, 2021 02:30

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 5, 2021

rifelpet force-pushed the irsa-r53 branch from ff67706 to a15957d Compare January 5, 2021 03:04

k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 5, 2021

k8s-ci-robot assigned olemarkus Jan 5, 2021

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 5, 2021

k8s-ci-robot merged commit 18932d1 into kubernetes:master Jan 5, 2021

k8s-ci-robot added this to the v1.20 milestone Jan 5, 2021

justinsb mentioned this pull request Mar 20, 2021

Don't add control-plane DNS permissions with UseServiceAccountIAM #11086

Merged

rifelpet deleted the irsa-r53 branch May 5, 2021 13:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IRSA - continue adding route53 permisions to masters #10529

IRSA - continue adding route53 permisions to masters #10529

rifelpet commented Jan 5, 2021 •

edited

Loading

k8s-ci-robot commented Jan 5, 2021

olemarkus commented Jan 5, 2021

rifelpet commented Jan 6, 2021

IRSA - continue adding route53 permisions to masters #10529

IRSA - continue adding route53 permisions to masters #10529

Conversation

rifelpet commented Jan 5, 2021 • edited Loading

k8s-ci-robot commented Jan 5, 2021

olemarkus commented Jan 5, 2021

rifelpet commented Jan 6, 2021

rifelpet commented Jan 5, 2021 •

edited

Loading