Tell us about your request
What do you want us to build?
Offline subnet support when using Fargate profiles in EKS
Which service(s) is this request for?
EKS FARGATE
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We are trying to use an EKS Fargate profile in an offline private subnet. We have set up endpoints for ECR, CloudWatch, etc. But whenever the private subnet is made offline and we try to launch a few pods, they do not get scheduled on Fargate VMs. When a NAT is added and there is internet access in the private subnet, everything works fine.
Are you currently working around this issue?
How are you currently solving this problem?
Additional context
Anything else we should know?
Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)
Please add this as soon as possible. Pods stay stuck in a pending state until a NAT GW is deployed. Security policies restrict internet access and do not allow NAT GW creation in linked accounts; egress proxies are used, and there is currently no way to configure a proxy in EKS on Fargate. A mass migration of on-prem K8s is planned and this is a delaying factor.
Hi @atulpatilvaultbank, thanks for the report. We are aware of this limitation and are working on it. There are changes required in the aws-iam-authenticator and kubelet in order for this to work correctly.
@atulpatilvaultbank, @nccummings I was able to get Fargate pods working in EKS inside of a private "air gapped" VPC.
Can you also add a VPC endpoint for the STS service and retry?
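The set of VPC endpoints the comment above implies (ECR, CloudWatch Logs, plus STS) as a Terraform example. This is added illustration, not configuration from the issue, from AWS, or from the linked docs; the variable names (`region`, `vpc_id`, `vpc_cidr`, `private_subnet_ids`, `private_route_table_ids`) are assumptions, and the S3 gateway endpoint is included because ECR serves image layers from S3, so pulls need a route to S3 even with the two ECR endpoints in place.

```hcl
# Added example: VPC endpoints for an EKS Fargate profile in a private subnet
# with no NAT gateway. Not from the issue or the AWS docs; inputs are assumed.
variable "region"                  { type = string }
variable "vpc_id"                  { type = string }
variable "vpc_cidr"                { type = string }
variable "private_subnet_ids"      { type = list(string) }
variable "private_route_table_ids" { type = list(string) }

# Security group for the endpoint ENIs: only HTTPS from inside the VPC.
resource "aws_security_group" "vpce" {
  name_prefix = "eks-private-vpce-"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from the VPC to the endpoint ENIs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# Interface endpoints. private_dns_enabled makes the regular service
# hostnames (e.g. sts.<region>.amazonaws.com) resolve to the endpoint ENIs,
# so the kubelet and aws-iam-authenticator need no configuration change.
locals {
  interface_services = toset([
    "ecr.api", # ECR API: auth tokens, manifests
    "ecr.dkr", # ECR registry: image pulls
    "logs",    # CloudWatch Logs for Fargate log shipping
    "sts",     # STS: credential exchange for Fargate pods (the suggestion above)
  ])
}

resource "aws_vpc_endpoint" "interface" {
  for_each            = local.interface_services
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpce.id]
  private_dns_enabled = true
}

# Gateway endpoint for S3: ECR image layers are stored in S3, so pulls fail
# without it even when ecr.api and ecr.dkr endpoints exist.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}
```

After applying, a quick check from a host in the private subnet is that `sts.<region>.amazonaws.com` and `api.ecr.<region>.amazonaws.com` resolve to addresses inside the VPC CIDR; if they still resolve to public IPs, private DNS is not taking effect and pods will stay Pending exactly as described in the report. Endpoint policies can additionally be tightened to the specific ECR repositories and log groups the cluster uses.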
We've made all the necessary changes for this configuration to work with Fargate pods, and added documentation on this topic.
https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html
https://docs.aws.amazon.com/eks/latest/userguide/create-public-private-vpc.html
https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html