Terraform-aws-eks: worker nodes not joining cluster after applying config-map-aws-auth.yaml
I have issues
I'm submitting a...
- [X] bug report
- [ ] feature request
- [ ] support request
- [X] kudos, thank you, warm fuzzy
What is the current behavior
nodes create, confimap created, kubeconfig created. after changing to new context using new kubeconfig, tried applying the configmap for aws-auth. this is applied, but worker nodes fail to join cluster.
(⎈ testeks2:)➜ testeks ✗ kubectl get configmaps -n kube-system
NAME DATA AGE
aws-auth 3 1m
coredns 1 15m
extension-apiserver-authentication 5 15m
kube-proxy 1 15m
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxx:role/testeks220190313015023961900000005
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
mapUsers: |
mapAccounts: |
If this is a bug, how to reproduce? Please include a code sample if relevant.
provider "aws" {
region = "us-east-1"
version = "~> 2.0"
}
module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "2.2.1"
# the 3 required variables here
cluster_name = "testeks2"
subnets = ["subnet-x", "subnet-xx", "subnet-xxx"]
vpc_id = "vpc-xxxxx"
# not required
cluster_version = "1.11"
config_output_path = "./"
kubeconfig_name = "testeks2"
manage_aws_auth = "false"
tags = {
environment = "dev"
cluster = "testeks2"
}
worker_groups = [
{
asg_desired_capacity = 3
asg_max_size = 50
instance_type = "t2.micro"
autoscaling_enabled = "true"
}
]
}
What's the expected behavior?
worker nodes should join cluster.
Are you able to fix this problem and submit a PR? Link here if you have already.
Environment details
- Affected module version:
- OS:
- Terraform version:
terraform 0.11.11
provider ~>2.0
module
source terraform-aws-modules/eks/aws version 2.2.21
Any other relevant info
i like ben & jerrys phish food ice cream
pkelleratwork
All 8 comments
Can you try with instances larger than t2.micro? I'm not sure these are big enough. If that's not it then you should SSH to a node and read the logs.
max-rocket-internet
on 13 Mar 2019
Actually, t2.micro has 1GB of RAM, it should be enough to start the node but not much more. Check that the nodes are in subnets that can reach the internet.
max-rocket-internet
on 13 Mar 2019
@max-rocket-internet ok - will do that now. thanks!
pkelleratwork
on 13 Mar 2019
@max-rocket-internet HOT DAMN!!! that was the problem! i used my private_subnets instead of the public_subnets. Thanks a million!!
pkelleratwork
on 13 Mar 2019
Just curious as to why worker nodes,are to be in public subnets and not in private subnets as that makes them vulnerable right, even with all the nacls,security groups?
Samaws1
on 24 Apr 2019
Yep. Keep them in private subnets and use a NAT gateway
RothAndrew
on 24 Apr 2019
Quick question: using the terraform template, I see the worker now is a windows one. are there Linux based ones?
github4es
on 23 Aug 2019
Hi @github4es ,
The module should be default to Amazon Linux 2 and this is what I am seeing with EKS 1.12. Please raise this as a new issue if you are experiencing this behaviour with the following details:
- module version
- EKS version
- region
- AMI ID that is being automatically selected.
You can temporarily force the AMI ID (found via aws CLI or the console) with the ami_id key in worker_groups, workers_group_defaults, worker_groups_launch_template or worker_groups_launch_template_mixed variables depending on what you're using.
dpiddockcmp
on 23 Aug 2019
Related issues
tnimni
·
3Comments
swapzero
·
4Comments
bshelton229
·
4Comments
kobemtl
·
4Comments
joshkurz
·
4Comments
Most helpful comment
Just curious as to why worker nodes,are to be in public subnets and not in private subnets as that makes them vulnerable right, even with all the nacls,security groups?