Terraform-aws-eks: private vpc nodes not visible

Created on 23 Sep 2019 · 8 Comments · Source: terraform-aws-modules/terraform-aws-eks

I have issues

When deploying an EKS cluster using the existing public VPC, everything works fine. But when I try to use the private VPC, everything gets deployed, but when I try to get the nodes of the EKS cluster I get a "no resources found" error, and when I get the pods of the cluster I find that the kube-dns pods are in the pending state.

Is there some kind of permission issue or configuration issue?

I'm submitting a...

  • [ ] bug report
  • [ ] feature request
  • [x] support request
  • [ ] kudos, thank you, warm fuzzy

What is the current behaviour?

If this is a bug, how to reproduce? Please include a code sample if relevant.

Deploy the EKS cluster on the private VPC.

What's the expected behaviour?

I should be able to get the nodes deployed on the private subnet.

Are you able to fix this problem and submit a PR? Link here if you have already.

No idea.

Environment details

  • Affected module version: V5.0.1
  • OS:
  • Terraform version: 0.12.7

Any other relevant info

All 8 comments

@max-rocket-internet kindly have a look at this issue

This is the log from one of the nodes in the private subnet:

Sep 23 10:30:06 ip-172-31-124-177 kubelet: F0923 10:30:06.736075   14523 server.go:261] failed to run Kubelet: could not init cloud provider "aws": error finding instance : "error listing AWS instances: \"RequestError: send request failed\\ncaused by: Post https://ec2.us-X-X.amazonaws.com/: dial tcp XX.XX.XX.XX:443: i/o timeout\""

Without knowing how you're configuring your VPC or calling this module, I'm going to go with the usual suspects:

  • instances in your private subnet do not have general internet access, so cannot reach the EKS public endpoint (enabled by default in the module)
  • you have not enabled the EKS private endpoint (disabled by default for historical reasons)

Fix: either add a NAT gateway/instance and allow the nodes to access the internet or enable the private endpoint via the cluster_endpoint_private_access module input variable.

dial tcp XX.XX.XX.XX:443: i/o timeout

The node cannot connect to the AWS API. Check internet or VPC settings.

Thank you @max-rocket-internet and @dpiddockcmp for the quick response. The VPC is configured properly. When nodes are deployed on the public subnet they are accessible, but on the private subnet the nodes are not accessible.

@max-rocket-internet yes, it would be good if a FAQ were written for this issue.

We're just guessing in the dark here. Please include your VPC and EKS module configs.

Another guess: do you have VPC DNS enabled? This is required for the private endpoint to work. Set enable_dns_hostnames = true on your aws_vpc resource. The terraform-aws-modules/vpc/aws community module has a variable of the same name.
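As an added example (not the issue author's configuration and not code from the eks or vpc modules themselves), the following Terraform puts together the three fixes suggested in this thread: a NAT gateway so the private subnets have a default route out, VPC DNS hostnames so the private endpoint resolves, and the cluster_endpoint_private_access input on the eks module. The region, availability zones, CIDRs, cluster name, cluster version, instance type and the vpc module version pin are assumptions; only the eks module version is the one reported in the issue.

```hcl
# Added example; not the configuration from the issue. Region, AZs, CIDRs,
# names, cluster_version and the vpc module pin are assumptions.

provider "aws" {
  region = "us-east-1" # assumption
}

locals {
  cluster_name = "private-nodes-example" # assumed name
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0" # assumption; pin to whatever you have validated

  name = "${local.cluster_name}-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["us-east-1a", "us-east-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]

  # Usual suspect 1: without a NAT gateway the private subnets have no route to
  # the internet, so kubelet cannot reach ec2.<region>.amazonaws.com (the
  # "dial tcp ...:443: i/o timeout" in the node log) or the public EKS endpoint.
  enable_nat_gateway = true
  single_nat_gateway = true # one NAT for all private subnets; fine for a test cluster

  # Usual suspect 3: the private EKS endpoint is resolved by the VPC's own
  # resolver, which only works with both DNS attributes enabled.
  enable_dns_support   = true
  enable_dns_hostnames = true

  # Tags the EKS control plane expects on the subnets it places ENIs in.
  private_subnet_tags = {
    "kubernetes.io/cluster/${local.cluster_name}" = "shared"
    "kubernetes.io/role/internal-elb"             = "1"
  }
  tags = {
    "kubernetes.io/cluster/${local.cluster_name}" = "shared"
  }
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "5.0.1" # version reported in the issue

  cluster_name    = local.cluster_name
  cluster_version = "1.14" # assumption
  vpc_id          = module.vpc.vpc_id
  subnets         = module.vpc.private_subnets

  # Usual suspect 2: let nodes in the private subnets reach the API server
  # through the in-VPC endpoint instead of only through the public one.
  cluster_endpoint_private_access = true
  # Keep the public endpoint so kubectl works from outside the VPC; set it to
  # false for a fully private control plane (then kubectl needs a path into the VPC).
  cluster_endpoint_public_access = true

  worker_groups = [
    {
      name                 = "private-workers"
      instance_type        = "t3.medium" # assumption
      asg_desired_capacity = 2
      # worker subnets default to var.subnets above, i.e. the private subnets
    }
  ]
}
```

With enable_nat_gateway alone the original symptom goes away because the nodes can reach the public EKS endpoint and the EC2 API; cluster_endpoint_private_access is what keeps node-to-control-plane traffic inside the VPC, and it is the setting that depends on enable_dns_hostnames being true.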

@dpiddockcmp the VPC is managed by someone else so I can't provide information about the VPC and thank you for the FAQ.

Closing this issue.
