Eksctl: Creating/Deleting custom iamserviceaccount creates/deletes aws-node service account as well

Created on 18 Dec 2020  ·  2 Comments  ·  Source: weaveworks/eksctl

What happened?
Custom IAM service account is created. Upon its creation kube-system/aws-node is created as well.
Upon its deletion, the kube-system/aws-node IAM service account is also deleted.

What you expected to happen?
Only custom service account to be created/deleted.

How to reproduce it?

eksctl create iamserviceaccount \
    --name foo \
    --namespace XXXX \
    --cluster ZZZZ \
    --attach-policy-arn arn:aws:iam::aws:policy/XXXX \
    --approve \
    --override-existing-serviceaccounts

[ℹ]  eksctl version 0.34.0
[ℹ]  using region RRRR
[ℹ]  9 existing iamserviceaccount(s) (XXXX/YYYY,XXXX/YYYY,XXXX/YYYY,XXXX/YYYY,YYYY/YYYY,YYYY/YYYY,YYYY/YYYY,...) will be excluded
[ℹ]  2 iamserviceaccounts (XXXX/foo, kube-system/aws-node) were included (based on the include/exclude rules)
[!]  metadata of serviceaccounts that exist in Kubernetes will be updated, as --override-existing-serviceaccounts was set
[ℹ]  2 parallel tasks: { 2 sequential sub-tasks: { create IAM role for serviceaccount "XXXX/foo", create serviceaccount "XXXX/foo" }, 2 sequential sub-tasks: { create IAM role for serviceaccount "kube-system/aws-node", create serviceaccount "kube-system/aws-node" } }
[ℹ]  building iamserviceaccount stack "eksctl-YYYY-primary-addon-iamserviceaccount-XXXX-foo"
[ℹ]  building iamserviceaccount stack "eksctl-YYYY-primary-addon-iamserviceaccount-kube-system-aws-node"
[ℹ]  deploying stack "eksctl-YYYY-primary-addon-iamserviceaccount-XXXX-foo"
[ℹ]  deploying stack "eksctl-YYYY-primary-addon-iamserviceaccount-kube-system-aws-node"
[ℹ]  created serviceaccount "kube-system/aws-node"
[ℹ]  created serviceaccount "XXXX/foo"

eksctl delete iamserviceaccount \
   --name foo \
   --cluster ZZZZ \
   --namespace XXXX

[ℹ]  eksctl version 0.34.0
[ℹ]  using region RRRR
[ℹ]  2 iamserviceaccounts (XXXX/foo, kube-system/aws-node) were included (based on the include/exclude rules)
[ℹ]  2 parallel tasks: { 2 sequential sub-tasks: { delete IAM role for serviceaccount "kube-system/aws-node" [async], delete serviceaccount "kube-system/aws-node" }, 2 sequential sub-tasks: { delete IAM role for serviceaccount "XXXX/foo" [async], delete serviceaccount "XXXX/foo" } }
[ℹ]  will delete stack "eksctl-YYYY-primary-addon-iamserviceaccount-kube-system-aws-node"
[ℹ]  will delete stack "eksctl-YYYY-primary-addon-iamserviceaccount-XXXX-foo"
[ℹ]  deleted serviceaccount "XXXX/foo"
[ℹ]  deleted serviceaccount "kube-system/aws-node"

Anything else we need to know?
OS: macOS
Installed via homebrew.
I am using a named profile that references a source profile in order to assume a role in a different AWS account.

Versions
Please paste in the output of these commands:

$ eksctl version - 0.34.0
$ kubectl version - v1.20.0
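
Added example (not part of the original issue and not eksctl's own code): a Python check that reads eksctl output like the runs above and reports any service account that was selected or changed without being requested, so a wrapper script can stop before IAM roles for accounts such as kube-system/aws-node are created or deleted. The function names are hypothetical, the sample log is constructed from the output in this issue, and the singular "was included" wording is an assumption.

```python
import re

# Constructed sample: summary and result lines taken from the create run above.
SAMPLE_LOG = '''\
[ℹ]  2 iamserviceaccounts (XXXX/foo, kube-system/aws-node) were included (based on the include/exclude rules)
[ℹ]  created serviceaccount "kube-system/aws-node"
[ℹ]  created serviceaccount "XXXX/foo"
'''

# Matches the "were included" summary line; the singular "was included"
# variant is an assumption about eksctl's wording for a single account.
INCLUDED_RE = re.compile(r'\d+ iamserviceaccounts? \(([^)]*)\) (?:was|were) included')
# Matches the per-account result lines printed after the tasks run.
TOUCHED_RE = re.compile(r'(?:created|deleted) serviceaccount "([^"]+)"')


def included_accounts(log):
    """Return the set of 'namespace/name' accounts eksctl selected."""
    found = set()
    for match in INCLUDED_RE.finditer(log):
        found.update(p.strip() for p in match.group(1).split(',') if p.strip())
    return found


def touched_accounts(log):
    """Return the set of accounts eksctl reports as created or deleted."""
    return set(TOUCHED_RE.findall(log))


def unexpected_accounts(log, requested):
    """Return, sorted, every selected or changed account not in `requested`."""
    seen = included_accounts(log) | touched_accounts(log)
    return sorted(seen - set(requested))


if __name__ == "__main__":
    extra = unexpected_accounts(SAMPLE_LOG, ["XXXX/foo"])
    if extra:
        # Exits non-zero, naming kube-system/aws-node for the sample above.
        raise SystemExit("accounts selected but not requested: " + ", ".join(extra))
```
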

Most helpful comment

Fixed by https://github.com/weaveworks/eksctl/pull/2917, will be in next release
